Enable multitenancy with namespaces
A namespace is a logical grouping of tables analogous to a database or a schema in a relational database system. With namespaces, a group of users can share access to a set of tables but the users can be assigned different privileges. Similarly, one application can run using the tables in a namespace simultaneously with other applications. Each group of users and each application with access to the instance of the tables defined as a namespace is a tenant.
A namespace can support varying ACL-based security modules that can exist among different tenants. Read/write permissions based on groups and users with access to one instance of the namespace function independently from the permissions in another instance.
Unlike relational databases, HBase table names can contain a dot (.). Therefore, HBase uses different syntax, a colon (:), as the separator between the namespace name and table name. For example, a table with the name store1 in a namespace that is called orders has store1:orders as a fully qualified table name. If you do not assign a table to a namespace, then the table belongs to the special default namespace.
The namespace file, which contains the objects and data for the tables assigned to a namespace, is stored in a subdirectory of the HBase root directory ($hbase.rootdir) on the HDFS layer of your cluster. If $hbase.rootdir is at the default location, the path to the namespace file and table is /apps/hbase/data/data/namespace/table_name.
Example of Namespace Usage
A software company develops applications with HBase. Developers and quality-assurance (QA) engineers who are testing the code must have access to the same HBase tables that contain sample data for testing. The HBase tables with sample data are a subset of all HBase tables on the system. Developers and QA engineers have different goals in their interaction with the tables and need to separate their data read/write privileges accordingly.
By assigning the sample-data tables to a namespace, access privileges can be provisioned appropriately so that QA engineers do not overwrite developers' work and vice versa. As tenants of the sample-data table namespace, developers and QA engineers who are logged in as users of this namespace domain do not access other HBase tables in different domains. For security and ease of use, this helps ensure that not every user can view all tables on the HBase cluster.
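The developer/QA scenario above, written as HBase shell commands. This is an added example, not part of the original documentation: the namespace sample_data, the tables dev_fixtures and qa_results, the column family cf and the groups developers and qa are assumed names, and it assumes HBase authorization (the AccessController coprocessor) is enabled on the cluster.

```hbase
# Added example; every name below is an assumption, not from the documentation.
# Run inside `hbase shell` as a user that holds ADMIN (A) permission.

# 1. Create the namespace that will hold the sample-data tables.
create_namespace 'sample_data'

# 2. Create the tables inside it. The shell takes the namespace first,
#    then the colon separator, then the table name.
create 'sample_data:dev_fixtures', 'cf'
create 'sample_data:qa_results', 'cf'

# 3. Namespace scope: an '@' prefix on the third argument targets a namespace,
#    and an '@' prefix on the first argument targets a group, not a user.
#    Both tenant groups may read every table in sample_data.
grant '@developers', 'R', '@sample_data'
grant '@qa', 'R', '@sample_data'

# 4. Table scope: each group may write only to its own table, so QA cannot
#    overwrite the developers' data and developers cannot overwrite QA's.
grant '@developers', 'RW', 'sample_data:dev_fixtures'
grant '@qa', 'RW', 'sample_data:qa_results'

# 5. Review what was provisioned before handing the namespace to the tenants.
list_namespace_tables 'sample_data'
user_permission '@sample_data'
user_permission 'sample_data:dev_fixtures'
user_permission 'sample_data:qa_results'
```

Because neither group receives a grant outside sample_data, tables in other namespaces stay inaccessible to them unless a global or separate grant says otherwise. Checking the user_permission output for unexpected W, C or A entries is a quick audit of the tenant boundary.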