ZooKeeper ACLs Best Practices: HBase

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HBase when provisioning a secure cluster.

ZooKeeper Usage:
- /hbase - Default ZNode for unsecured and secured clusters
note
The ZNodes do not contain any sensitive information, only metadata.
Default ACLs:
- In unsecured setup /hbase - world:anyone:cdrwa
  - All children ZNodes are also world cdrwa
- Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
  - /hbase
  - /hbase/master
  - /hbase/meta-region-server
  - /hbase/hbaseid
  - /hbase/table
  - /hbase/rs
- No global read, r/w protected: sasl:hbase:cdrwa:
  - /hbase/acl
  - /hbase/namespace
  - /hbase/backup-masters
  - /hbase/online-snapshot
  - /hbase/draining
  - /hbase/replication
  - /hbase/region-in-transition
  - /hbase/splitWAL
  - /hbase/table-lock
  - /hbase/recovering-regions
  - /hbase/running
  - /hbase/tokenauth
- Security Best Practice ACLs/Permissions and Required Steps:
  - HBase code determines which ACL to enforce based on the configured security mode of the cluster/hbase. Users are not expected to perform any modification of ZooKeeper ACLs on ZNodes and users should not alter any ACLs by hand.