ZooKeeper ACLs Best Practices: HBase
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HBase when provisioning a secure cluster.
- ZooKeeper Usage:
  - /hbase - Default ZNode for unsecured and secured clusters
- Default ACLs:
  - In unsecured setup /hbase - world:anyone:cdrwa
    - All children ZNodes are also world cdrwa
  - Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
    - /hbase
    - /hbase/master
    - /hbase/meta-region-server
    - /hbase/hbaseid
    - /hbase/table
    - /hbase/rs
  - No global read, r/w protected: sasl:hbase:cdrwa
    - /hbase/acl
    - /hbase/namespace
    - /hbase/backup-masters
    - /hbase/online-snapshot
    - /hbase/draining
    - /hbase/replication
    - /hbase/region-in-transition
    - /hbase/splitWAL
    - /hbase/table-lock
    - /hbase/recovering-regions
    - /hbase/running
    - /hbase/tokenauth
- Security Best Practice ACLs/Permissions and Required Steps:
  - HBase code determines which ACL to enforce based on the configured security mode of the cluster/hbase. Users are not expected to perform any modification of ZooKeeper ACLs on ZNodes and users should not alter any ACLs by hand.
- In unsecured setup
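
A read-only audit of the secured-cluster ACLs listed above, as an added example that is not part of the original page or of HBase: it parses text assumed to be in the `getAcl` output format of zkCli.sh and reports znodes whose ACLs deviate from the two lists. The function names and the sample ACL text are constructed for illustration.

```python
import re

# Secured-cluster ACLs as listed on this page.
OPEN_READ = {"/hbase", "/hbase/master", "/hbase/meta-region-server",
             "/hbase/hbaseid", "/hbase/table", "/hbase/rs"}
PROTECTED = {"/hbase/acl", "/hbase/namespace", "/hbase/backup-masters",
             "/hbase/online-snapshot", "/hbase/draining", "/hbase/replication",
             "/hbase/region-in-transition", "/hbase/splitWAL",
             "/hbase/table-lock", "/hbase/recovering-regions",
             "/hbase/running", "/hbase/tokenauth"}
HBASE_FULL = {("sasl", "hbase"): set("cdrwa")}
WORLD_READ = {("world", "anyone"): set("r")}

# Assumed input format: zkCli.sh `getAcl` output, e.g. "'sasl,'hbase\n: cdrwa".
ACL_RE = re.compile(r"'(\w+),'(\S+?)\s*:\s*([cdrwa]+)")

def parse_getacl(text):
    """Return {(scheme, id): set(perms)} from raw getAcl output."""
    return {(s, i): set(p) for s, i, p in ACL_RE.findall(text)}

def expected_acl(path):
    """Expected ACL for a znode named on this page, else None."""
    if path in OPEN_READ:
        return {**WORLD_READ, **HBASE_FULL}
    return dict(HBASE_FULL) if path in PROTECTED else None

def audit(observed):
    """observed: {path: raw getAcl text}. Returns sorted (path, problem) list."""
    findings = []
    for path, raw in observed.items():
        got, want = parse_getacl(raw), expected_acl(path)
        if want is None:
            continue  # znode not covered by the page's lists
        for ident in got.keys() | want.keys():
            g, w = got.get(ident, set()), want.get(ident, set())
            for label, diff in (("excess", g - w), ("missing", w - g)):
                if diff:
                    perms = "".join(sorted(diff))
                    findings.append((path, "%s %s:%s:%s" % (label, *ident, perms)))
    return sorted(findings)

# Constructed sample: one compliant znode, two left at the unsecured default.
SAMPLE = {
    "/hbase/master": "'world,'anyone\n: r\n'sasl,'hbase\n: cdrwa\n",
    "/hbase/acl": "'world,'anyone\n: cdrwa\n",
    "/hbase/rs": "'world,'anyone\n: cdrwa\n'sasl,'hbase\n: cdrwa\n",
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding on a secured cluster points to a security-mode misconfiguration to fix in HBase rather than an ACL to edit by hand.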