Introduction

HBase provides comprehensive security support that covers Authentication, Authorization, and Privacy. HBase supports Kerberos for user Authentication, and RPC and at-rest privacy protection. The Authorization part covers secure access control to data stored in HBase, at table level, column family level and column level. HBase also supports finer grained cell level access control.

HBase provides two ways for cell level access control.

  • Cell level ACL
    Cell level ACL means explicit ‘RW’ access can be set on individual cells when the cell data is put into HBase.
  • Cell visibility label
    Visibility labels allow administrators to associate secure access to cells with visibility labels.

In this post, I will explain and illustrate cell level ACL. In the next post, I will discuss cell visibility label.

Configuration

HBase AccessController is used to enable and enforce cell ACL. Set the following properties in hbase-site.xml before starting HBase.

    <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
    </property>
    <property>
    <name>hfile.format.version</name>
    <value>3</value>
    </property>
    <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
    <property>
    <name>hbase.security.access.early_out</name>
    <value>false</value>
    </property>

The above configuration did not list properties for HBase Authentication. Kerberos Authentication should be enabled in a secure cluster.

From HBase version 1, the default value for hfile.format.version is 3.

In HBase version 1, the access control early-out evaluation strategy is enabled by default. If a user is not granted access to table, a column family, or at least a column qualifier, an AccessDeniedException would be thrown. This essentially renders the cell level authorization not used. Access to the data is granted anyway if the user has a higher level authorization. To use Cell level ACL, set hbase.security.access.early_out to false in hbase-site.xml.

API and Commands

Use the Java API Mutation.setACL to grant authorization at the cell level:

Mutation.setACL(String user, Permission perms)
Mutation.setACL(Map<String, Permission> perms)

For example, to set ‘read’ permission to ‘user1’ on any cells contained in a particular Put operation:

put.setACL(“user1”, new Permission(Permission.Action.READ))

Group names can also be used, prefixed with @. For example,

put.setACL(“@users”, new Permission(Permission.Action.READ))

The ACLs are stored in the cells as tags.

In HBase shell, ‘grant‘ command can be used to grant cell level ACL. It rewrites existing cells with ACLs and stores them back to their exact coordinates. It is mostly for testing only. In real production, the cell ACLs are written when the cells are put into HBase. For illustration purpose, I will use shell commands.

Demo

As ‘hbase’ user:

hbase(main):006:0> create ‘table1’, ‘family1’
0 row(s) in 0.5890 seconds

hbase(main):008:0> put ‘table1’, ‘row1’, ‘family1:c1’, ‘value1’
0 row(s) in 0.1630 seconds

hbase(main):009:0> put ‘table1’, ‘row2’, ‘family1:c1’, ‘value2’
0 row(s) in 0.0050 seconds

hbase(main):010:0> put ‘table1’, ‘row3’, ‘family1:c1’, ‘value3’
0 row(s) in 0.0040 seconds

hbase(main):011:0> scan ‘table1’
ROW COLUMN+CELL
row1 column=family1:c1, timestamp=1445145631200, value=value1
row2 column=family1:c1, timestamp=1445145641859, value=value2
row3 column=family1:c1, timestamp=1445145648967, value=value3
3 row(s) in 0.0890 seconds

As ‘user1’:
hbase(main):012:0> scan ‘table1’
ROW COLUMN+CELL
0 row(s) in 0.0170 seconds
‘user1’ does not have any permissions on the cells, or at the higher table, column family, column level. Let’s ‘grant’ the permission on the cells.

As ‘hbase’ user:
hbase(main):014:0> grant ‘table1’, {‘user1’ => ‘RW’}, {FILTER => “(PrefixFilter (‘row1‘))”}
1 row(s) in 0.1120 seconds
The command runs a scanner with the given criteria (rows that start with ‘row1‘), rewrite the found cells with new ACLs.

As ‘user1’:
hbase(main):015:0> scan ‘table1’
ROW COLUMN+CELL
row1 column=family1:c1, timestamp=1413310193155, value=value1
1 row(s) in 0.0370 seconds
As ‘hbase’ user:

hbase(main):017:0> grant ‘table1’, {‘user1’ => ‘RW’}, {FILTER => “(PrefixFilter (‘row‘))”}
3 row(s) in 0.0380 seconds

The command rewrites the rows that start with ‘row‘ with new ACLs.

As ‘user1’:

hbase(main):019:0> scan ‘table1’
ROW COLUMN+CELL
row1 column=family1:c1, timestamp=1413310193155, value=value1
row2 column=family1:c1, timestamp=1413310200666, value=value2
row3 column=family1:c1, timestamp=1413310208109, value=value3
3 row(s) in 0.0380 seconds

The following illustrates the cell ACL for a group.

As ‘user2’:

hbase(main):001:0> scan ‘table1’
ROW COLUMN+CELL
0 row(s) in 0.0170 seconds

user2 does not have ‘R’ permission on the cell coordinate.

As ‘hbase’:

hbase(main):003:0> grant ‘table1’, {‘@users’ => ‘RW’}, {FILTER => “(PrefixFilter (‘row’))”}
3 row(s) in 4.8260 seconds

We granted ‘RW’ permissions on the cells to the group ‘users’. ‘user2’ is in the group.

As ‘user2’:

hbase(main):004:0> scan ‘table1’
ROW COLUMN+CELL
row1 column=family1:c1, timestamp=1445569240789, value=value1
row2 column=family1:c1, timestamp=1445279966552, value=value2
row3 column=family1:c1, timestamp=1445279973521, value=value3
3 row(s) in 1.3110 seconds

Conclusion

HBase Cell level ACL is a powerful security feature that provide fine grained access control to HBase data.

1 comment on"Apache HBase Cell Level Security, Part 1"

  1. How can you revoke the PrefixFilter?

Join The Discussion

Your email address will not be published. Required fields are marked *