Access Control Matrix
Permission sets required to perform operations in HBase.
The following matrix shows the permission set required to perform operations in HBase. Before using the table, read through the information about how to interpret it.
Interpreting the ACL Matrix Table
The following conventions are used in the ACL Matrix table:
Scopes
Permissions are evaluated starting at the widest scope and working to the narrowest scope.
A scope corresponds to a level of the data model. From broadest to narrowest, the scopes are as follows:
Scopes
- Global
- Namespace (NS)
- Table
- Column Family (CF)
- Column Qualifier (CQ)
- Cell
For instance, a permission granted at table level dominates any grants done at the Column Family, Column Qualifier, or cell level. The user can do what that grant implies at any location in the table. A permission granted at global scope dominates all: the user is always allowed to take that action everywhere.
Permissions
Possible permissions include the following:
Permissions
- Superuser - a special user that belongs to group "supergroup" and has unlimited access
- Admin (A)
- Create (C)
- Write (W)
- Read (R)
- Execute (X)
For the most part, permissions work in an expected way, with the following caveats:
Having Write permission does not imply Read permission.
It is possible and sometimes desirable for a user to be able to write data that same user cannot read. One such example is a log-writing process.
The hbase:meta table is readable by every user, regardless of the user's other grants or restrictions.
This is a requirement for HBase to function correctly.
CheckAndPut and CheckAndDelete operations will fail if the user does not have both Write and Read permission.
Increment and Append operations do not require Read access.
The superuser, as the name suggests has permissions to perform all possible operations.
And for the operations marked with *, the checks are done in post hook and only subset of results satisfying access checks are returned back to the user.
The following table is sorted by the interface that provides each operation. In case the table goes out of date, the unit tests which check for accuracy of permissions can be found in hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java, and the access controls themselves can be examined in hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java.
ACL Matrix
| Interface | Operation | Permissions |
|---|---|---|
| Master | createTable | superuser|global(C)|NS(C) |
| modifyTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| deleteTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| truncateTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| addColumn | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| modifyColumn | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C)|column(A)|column(C) | |
| deleteColumn | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C)|column(A)|column(C) | |
| enableTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| disableTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| disableAclTable | Not allowed | |
| move | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| assign | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| unassign | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| regionOffline | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| balance | superuser|global(A) | |
| balanceSwitch | superuser|global(A) | |
| shutdown | superuser|global(A) | |
| stopMaster | superuser|global(A) | |
| snapshot | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| listSnapshot | superuser|global(A)|SnapshotOwner | |
| cloneSnapshot | superuser|global(A)|(SnapshotOwner & TableName matches) | |
| restoreSnapshot | superuser|global(A)|SnapshotOwner & (NS(A)|TableOwner|table(A)) | |
| deleteSnapshot | superuser|global(A)|SnapshotOwner | |
| createNamespace | superuser|global(A) | |
| deleteNamespace | superuser|global(A) | |
| modifyNamespace | superuser|global(A) | |
| getNamespaceDescriptor | superuser|global(A)|NS(A) | |
| listNamespaceDescriptors* | superuser|global(A)|NS(A) | |
| flushTable | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| getTableDescriptors* | superuser|global(A)|global(C)|NS(A)|NS(C)|TableOwner|table(A)|table(C) | |
| getTableNames* | superuser|TableOwner|Any global or table perm | |
| setUserQuota(global level) | superuser|global(A) | |
| setUserQuota(namespace level) | superuser|global(A) | |
| setUserQuota(Table level) | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| setTableQuota | superuser|global(A)|NS(A)|TableOwner|table(A) | |
| setNamespaceQuota | superuser|global(A) | |
| addReplicationPeer | superuser|global(A) | |
| removeReplicationPeer | superuser|global(A) | |
| enableReplicationPeer | superuser|global(A) | |
| disableReplicationPeer | superuser|global(A) | |
| getReplicationPeerConfig | superuser|global(A) | |
| updateReplicationPeerConfig | superuser|global(A) | |
| listReplicationPeers | superuser|global(A) | |
| getClusterStatus | any user | |
| Region | openRegion | superuser|global(A) |
| closeRegion | superuser|global(A) | |
| flush | superuser|global(A)|global(C)|TableOwner|table(A)|table(C) | |
| split | superuser|global(A)|TableOwner|TableOwner|table(A) | |
| compact | superuser|global(A)|global(C)|TableOwner|table(A)|table(C) | |
| getClosestRowBefore | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| getOp | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| exists | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| put | superuser|global(W)|NS(W)|table(W)|TableOwner|CF(W)|CQ(W) | |
| delete | superuser|global(W)|NS(W)|table(W)|TableOwner|CF(W)|CQ(W) | |
| batchMutate | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| checkAndPut | superuser|global(RW)|NS(RW)|TableOwner|table(RW)|CF(RW)|CQ(RW) | |
| checkAndPutAfterRowLock | superuser|global(R)|NS(R)|TableOwner|Table(R)|CF(R)|CQ(R) | |
| checkAndDelete | superuser|global(RW)|NS(RW)|TableOwner|table(RW)|CF(RW)|CQ(RW) | |
| checkAndDeleteAfterRowLock | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| incrementColumnValue | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| append | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| appendAfterRowLock | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| increment | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| incrementAfterRowLock | superuser|global(W)|NS(W)|TableOwner|table(W)|CF(W)|CQ(W) | |
| scannerOpen | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| scannerNext | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| scannerClose | superuser|global(R)|NS(R)|TableOwner|table(R)|CF(R)|CQ(R) | |
| bulkLoadHFile | superuser|global(C)|TableOwner|table(C)|CF(C) | |
| prepareBulkLoad | superuser|global(C)|TableOwner|table(C)|CF(C) | |
| cleanupBulkLoad | superuser|global(C)|TableOwner|table(C)|CF(C) | |
| Endpoint | invoke | superuser|global(X)|NS(X)|TableOwner|table(X) |
| AccessController | grant(global level) | global(A) |
| grant(namespace level) | global(A)|NS(A) | |
| grant(table level) | global(A)|NS(A)|TableOwner|table(A)|CF(A)|CQ(A) | |
| revoke(global level) | global(A) | |
| revoke(namespace level) | global(A)|NS(A) | |
| revoke(table level) | global(A)|NS(A)|TableOwner|table(A)|CF(A)|CQ(A) | |
| getUserPermissions(global level) | global(A) | |
| getUserPermissions(namespace level) | global(A)|NS(A) | |
| getUserPermissions(table level) | global(A)|NS(A)|TableOwner|table(A)|CF(A)|CQ(A) | |
| hasPermission(table level) | global(A)|SelfUserCheck | |
| RegionServer | stopRegionServer | superuser|global(A) |
| mergeRegions | superuser|global(A) | |
| rollWALWriterRequest | superuser|global(A) | |
| replicateLogEntries | superuser|global(W) | |
| RSGroup | addRSGroup | superuser|global(A) |
| balanceRSGroup | superuser|global(A) | |
| getRSGroupInfo | superuser|global(A) | |
| getRSGroupInfoOfTable | superuser|global(A) | |
| getRSGroupOfServer | superuser|global(A) | |
| listRSGroups | superuser|global(A) | |
| moveServers | superuser|global(A) | |
| moveServersAndTables | superuser|global(A) | |
| moveTables | superuser|global(A) | |
| removeRSGroup | superuser|global(A) | |
| removeServers | superuser|global(A) |