Introduction

The HBase cell visibility label feature provides fine-grained access control to HBase data by allowing labels to be associated with data cells. Cells across rows and columns can have visibility labels. Users or groups can be granted authorization to the labels.
For example, certain cells can have a visibility label called ‘private’. Only users granted authorization to ‘private’ can access the labeled data.
As another example, patient or customer data can be labeled ‘branch1’, ‘branch2’, etc. based on where the patient or customer is located or registered. A doctor or administrator can only access the data that he or she is authorized for.

Configuration

VisibilityController is used to enable and enforce cell visibility labels. Set the following properties in hbase-site.xml before starting HBase.

    <property>
      <name>hbase.security.authorization</name>
      <value>true</value>
    </property>
    <property>
      <name>hfile.format.version</name>
      <value>3</value>
    </property>
    <property>
      <name>hbase.coprocessor.region.classes</name>
      <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
    </property>

The above configuration does not list the properties for HBase authentication. Kerberos authentication should be enabled in a secure cluster.

From HBase version 1, the default value for ‘hfile.format.version’ is 3.

AccessController can be used together with VisibilityController. The AccessController must come first in the list. A user is checked against table, column family and column level permissions before the VisibilityController checks access to the cells based on visibility labels.

API and Commands

The VisibilityClient API can be used to manage labels and label authorizations.
For example, to create two labels called ‘private’ and ‘topsecret’ in the system,

    VisibilityClient.addLabels(conf, new String[] {"private", "topsecret"});

To grant ‘user1’ access to the label ‘private’,

    VisibilityClient.setAuths(conf, new String[] {"private"}, "user1");

Groups can be granted visibility labels by prefixing the group name with @. For example,

    VisibilityClient.setAuths(conf, new String[] {"private"}, "@group1");

The Mutation cell visibility API can be used to apply labels to a cell during a put.
For example, to label the cell as ‘topsecret’,

    put.setCellVisibility(new CellVisibility("topsecret"));

CellVisibility is an expression that can contain visibility labels combined with the logical operators AND (&), OR (|) and NOT (!).
For example, to label the cell to be accessible by a user who is granted either the ‘private’ or the ‘topsecret’ label,

    put.setCellVisibility(new CellVisibility("private|topsecret"));

Scan or Get API can specify the labels to indicate that the client wants to get the cells with the specified labels only. For example,

    scan.setAuthorizations(new Authorizations(new String[] {"private"}));

If the user does not specify the wanted labels when calling scan or get, the default is to retrieve all that is allowed for the user.
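The following is an added example, not code from HBase or from the original post: a small Python model of how a visibility expression decides which cells a scan returns. The names visible, scan and CELLS are hypothetical, and the model assumes that & binds tighter than | and that requested labels the user was not granted are ignored.

```python
import re

def visible(expr, auths):
    """True if a cell labelled with `expr` is readable with label set `auths`."""
    toks = re.findall(r"[&|!()]|[\w.:/-]+", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unsupported character in {expr!r}")
    if not toks:
        return True  # a cell without a visibility expression is unrestricted

    def atom():
        tok = toks.pop(0) if toks else None
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            if not toks or toks.pop(0) != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if tok in (None, "&", "|", ")"):
            raise ValueError(f"label expected in {expr!r}")
        return tok in auths

    def both():  # assumption of this model: & binds tighter than |
        value = atom()
        while toks and toks[0] == "&":
            toks.pop(0)
            value = atom() and value
        return value

    def either():
        value = both()
        while toks and toks[0] == "|":
            toks.pop(0)
            value = both() or value
        return value
    result = either()
    if toks:
        raise ValueError(f"unexpected {toks[0]!r} in {expr!r}")
    return result

def scan(cells, granted, requested=None):
    """Rows a reader gets; assumes a request is capped by the granted labels."""
    auths = set(granted) if requested is None else set(granted) & set(requested)
    return [row for row, expr in cells if visible(expr, auths)]

# Constructed sample data: (row key, visibility expression) pairs.
CELLS = [("row1", "private"), ("row2", ""), ("row3", ""),
         ("row4", "private|topsecret"), ("row5", "private&!topsecret")]
```

Because of the NOT operator, granting a user an additional label can hide cells as well as reveal them: in this model row5 is returned to a reader holding only ‘private’ but not to one holding both labels.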

HBase shell commands are also provided to manage labels and label authorization. I will use them in the demo that follows.

Demo

As ‘hbase’ user:

    create 'table2', 'f1'
    put 'table2', 'row1', 'f1:c1', 'value1'
    put 'table2', 'row2', 'f1:c1', 'value2'
    put 'table2', 'row3', 'f1:c1', 'value3'
    grant 'user1', 'RW', 'table2'

As ‘user1’:

    hbase(main):022:0> scan 'table2'
    ROW COLUMN+CELL
    row1 column=f1:c1, timestamp=1410975310114, value=value1
    row2 column=f1:c1, timestamp=1413313972526, value=value2
    row3 column=f1:c1, timestamp=1413313981041, value=value3
    3 row(s) in 3.7250 seconds

As ‘hbase’:

Create a visibility label called ‘private’.

    hbase(main):024:0> add_labels 'private'

Set the label on ‘row1’ in ‘table2’.

    hbase(main):025:0> set_visibility 'table2', 'private', {FILTER => "(PrefixFilter ('row1'))"}

The command runs a scanner with the given criteria (rows that start with ‘row1’) and rewrites the matching cells with the label. This is for testing and demo only. In production, the labels would normally be written along with the cells when the cells are put into HBase via the Put API described above.

As ‘user1’:

    hbase(main):030:0> scan 'table2'
    ROW COLUMN+CELL
    row2 column=f1:c1, timestamp=1413313972526, value=value2
    row3 column=f1:c1, timestamp=1413313981041, value=value3

‘user1’ can only see row2 and row3, which are not protected by the ‘private’ label.

As ‘hbase’:

Give ‘user1’ access to the ‘private’ label.

    hbase(main):032:0> set_auths 'user1', 'private'

As ‘user1’:

    hbase(main):034:0> scan 'table2', {AUTHORIZATIONS => ['private']}
    ROW COLUMN+CELL
    row1 column=f1:c1, timestamp=1410975310114, value=value1
    row2 column=f1:c1, timestamp=1413313972526, value=value2
    row3 column=f1:c1, timestamp=1413313981041, value=value3
    3 row(s) in 3.8290 seconds

Now ‘user1’ can see row1 along with row2 and row3.
