ZooKeeper ACLs Best Practices: HBase
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HBase when provisioning a secure cluster.
- ZooKeeper Usage:
-
/hbase- Default znode for unsecured and secured clusters
-
- Default ACLs:
- In unsecured setup
/hbase-world:anyone:cdrwa-
All children ZNodes are also world cdrwa
-
- Open for global read, write protected:
world:anyone:r,sasl:hbase:cdrwa-
/hbase -
/hbase/master -
/hbase/meta-region-server -
/hbase/hbaseid -
/hbase/table -
/hbase/rs
-
- No global read, r/w protected:
sasl:hbase:cdrwa:-
/hbase/acl -
/hbase/namespace -
/hbase/backup-masters -
/hbase/online-snapshot -
/hbase/draining -
/hbase/replication -
/hbase/region-in-transition -
/hbase/splitWAL -
/hbase/table-lock -
/hbase/recovering-regions -
/hbase/running -
/hbase/tokenauth
-
- Security Best Practice ACLs/Permissions and Required Steps:
-
HBase code determines which ACL to enforce based on the configured security mode of the cluster/hbase. Users are not expected to perform any modification of ZooKeeper ACLs on ZNodes and users should not alter any ACLs by hand.
-
- In unsecured setup
