Configure a resource-based policy: HBase

How to add a new policy to an existing HBase service.

  1. On Service Manager, select an existing HBase service.

    List of Policies displays a list of the policies defined for Hbase service.

  2. Click Add New Policy.
    Create Policy displays controls for creating details for a new policy.

    Ranger > Create HBase Policy page.
  3. Edit fields on Create Policy, as follows:
    Table 1. Policy Details

    Label

    Description

    Policy Name Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory.
    normal/override Enables you to specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies.
    HBase Table Select the appropriate database. Multiple databases can be selected for a particular policy. This field is mandatory.
    HBase Column-family For the selected table, specify the column families to which the policy applies.
    HBase Column For the selected table and column families, specify the columns to which the policy applies.
    Description (Optional) Describe the purpose of the policy.
    Audit Logging Specify whether this policy is audited. (De-select to disable auditing).
    Policy Label Specify a label for this policy. You can search reports and filter policies based on these labels.
    Add Validity Period Specify a start and end time for the policy.
    Table 2. Allow Conditions

    Label

    Description

    Select Role

    Specify the roles to which this policy applies.

    To designate a role as an Administrator, select Delegate Admin. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    Select Group

    Specify the groups to which this policy applies.

    To designate a group as an Administrator, select Delegate Admin. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    The public group contains all users, so granting access to the public group grants access to all users.

    Select User

    Specify the users to which this policy applies.

    To designate a user as an Administrator, select Delegate Admin. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    Permissions Add or edit permissions: Read, Write, Create, Admin, Select/Deselect All.
    Delegate Admin You can use Delegate Admin to assign administrator privileges to the roles, groups, or users specified in the policy. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
  4. You can use + to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.
  5. You can use Deny All Other Accesses to deny access to all other users, groups, and roles other than those specified in the allow conditions for the policy.
  6. Click Add.

Provide User Access to HBase Database Tables from the Command Line:

HBase provides the means to manage user access to HBase database tables directly from the command line. The most commonly-used commands are:

  • GRANT

    Syntax:

    grant '<user-or-group>','<permissions>','<table>

    For example, to create a policy that grants user1 read/write permission on the table usertable, the command would be:

    grant 'user1','RW','usertable'

    The syntax is the same for granting CREATE and ADMIN rights.

  • REVOKE

    Syntax:

    revoke '<user-or-group>','<usertable>'

    For example, to revoke the read/write access of user1 to the table usertable, the command would be:

    revoke 'user1','usertable'