ZooKeeper ACLs Best Practices: HBase

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HBase when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /hbase - Default znode for unsecured and secured clusters

  • Default ACLs:
    • In unsecured setup /hbase - world:anyone:cdrwa
      • All children ZNodes are also world cdrwa

    • Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
      • /hbase

      • /hbase/master

      • /hbase/meta-region-server

      • /hbase/hbaseid

      • /hbase/table

      • /hbase/rs

    • No global read, r/w protected: sasl:hbase:cdrwa:
      • /hbase/acl

      • /hbase/namespace

      • /hbase/backup-masters

      • /hbase/online-snapshot

      • /hbase/draining

      • /hbase/replication

      • /hbase/region-in-transition

      • /hbase/splitWAL

      • /hbase/table-lock

      • /hbase/recovering-regions

      • /hbase/running

      • /hbase/tokenauth

    • Security Best Practice ACLs/Permissions and Required Steps:
      • HBase code determines which ACL to enforce based on the configured security mode of the cluster/hbase. Users are not expected to perform any modification of ZooKeeper ACLs on ZNodes and users should not alter any ACLs by hand.