How-to: Enable User Authentication and Authorization in Apache HBase

最新推荐文章于 2024-07-21 10:24:42 发布
转载 最新推荐文章于 2024-07-21 10:24:42 发布 · 1.3k 阅读 · 0

本文探讨了如何使用Kerberos为Hadoop和HBase提供用户认证,并介绍了HBase如何实施用户授权来授予特定用户对特定数据集的操作权限。此外,还讨论了通过配置防火墙和使用SASL进行加密协商等措施加强安全性。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

With the default Apache HBase configuration, everyone is allowed to read from and write to all tables available in the system. For many enterprise setups, this kind of policy is unacceptable. 

Administrators can set up firewalls that decide which machines are allowed to communicate with HBase. However, machines that can pass the firewall are still allowed to read from and write to all tables.  This kind of mechanism is effective but insufficient because HBase still cannot differentiate between multiple users that use the same client machines, and there is still no granularity with regard to HBase table, column family, or column qualifier access.

In this post, we will discuss how Kerberos is used with Hadoop and HBase to provide User Authentication, and how HBase implements User Authorization to grant users permissions for particular actions on a specified set of data.

Secure HBase: Authentication & Authorization

A secure HBase aims to protect against sniffers, unauthenticated/unauthorized users and network-based attacks. It does not protect against authorized users who accidentally delete all the data. 

HBase can be configured to provide User Authentication, which ensures that only authorized users can communicate with HBase. The authorization system is implemented at the RPC level, and is based on the Simple Authentication and Security Layer (SASL), which supports (among other authentication mechanisms) Kerberos. SASL allows authentication, encryption negotiation and/or message integrity verification on a per connection basis ( “hbase.rpc.protection” configuration property).

The next step after enabling User Authentication is to give an admin the ability to define a series of User Authorization rules that allow or deny particular actions. The Authorization system, also known as the Access Controller Coprocessor or Access Control List (ACL), is available from HBase 0.92 (CDH4) onward and gives the ability to define authorization policy (Read/Write/Create/Admin), with table/family/qualifier granularity, for a specified user.

Kerberos

Kerberos is a networked authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocol uses strong cryptography (AES, 3DES, …) so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Ticket exchange protocol

At a high level, to access a service using Kerberos, each client must follow three steps:

  • Kerberos Authentication: The client authenticates itself to the Kerberos Authentication Server and receive a Ticket Granting Ticket (TGT).
  • Kerberos Authorization: The client request a service ticket from the Ticket Granting Server, which issues a ticket and a session key if the client TGT sent with the request is valid.
  • Service Request: The client uses the service ticket to authenticate itself to the server that is providing the service the client is using (e.g. HDFS, HBase, …)

HBase, HDFS, ZooKeeper SASL

Since HBase depends on HDFS and ZooKeeper, secure HBase relies on a secure HDFS and a secure ZooKeeper. This means that the HBase servers need to create a secure service session, as described above, to communicate with HDFS and ZooKeeper.

All the files written by HBase are stored in HDFS. As in Unix filesystems, the access control provided by HDFS is based on users, groups and permissions.  All the files created by HBase have “hbase” as user, but this access control is based on the username provided by the system, and everyone that can access the machine is potentially able to “sudo” as the user “hbase”. Secure HDFS adds the authentication steps that guarantee that the “hbase” user is trusted.

ZooKeeper has an Access Control List (ACL) on each znode that allows read/write access to the users based on user information in a similar manner to HDFS.

HBase ACL

Now that our users are authenticated via Kerberos, we are sure that the username that we received is one of our trusted users.  Sometimes this is not enough granularity – we want to control that a specified user is able to read or write a table. To do that, HBase provides an Authorization mechanism that allows restricted access for specified users.

To enable this feature, you must enable the Access Controller coprocessor, by adding it to hbase-site.xml under the master and region server coprocessor classes. (See how to setup the HBase security configuration here.)

A coprocessor is code that runs inside each HBase Region Server and/or Master.  It is able to intercept most operations (put, get, delete, …), and run arbitrary code before and/or after the operation is executed. 

Using this ability to execute some code before each operation, the Access Controller coprocessor can check the user rights and decide if the user can or cannot execute the operation.

Rights management and _acl_ table

The HBase shell has a couple of commands that allows an admin to manage the user rights:

  • grant [table] [family] [qualifier]
  • revoke [table] [family] [qualifier]

As you see, an admin has the ability to restrict user access based on the table schema:

  • Give User-W only read rights to Table-X/Family-Y (grant ‘User-W’ ‘R’ ‘Table-X’, ‘Family-Y’)
  • Give User-W the full read/write rights to Qualifier-Z (grant ‘User-W’ ‘RW’ ‘Table-X’, ‘Family-Y’, ‘Qualifier-Z’)

An admin also has the ability to grant global rights, which operate at the cluster level, such as creating tables, balancing regions, shutting down the cluster and so on:

  • Give User-W the ability to create tables (grant ‘User-W’, ‘C’)
  • Give User-W the ability to manage the cluster (grant ‘User-W’, ‘A’)

All the permissions are stored in a table created by the Access Controller coprocessor, called _acl_. The primary key of this table is the table name that you specify in the grant command. The _acl_ table has just one column family and each qualifier describes the granularity of rights for a particular table/user.  The value contains the actual rights granted.

As you can see, the HBase shell commands are tightly related to how the data is stored. The grant command adds or updates one row, and the revoke command removes one row from the _acl_ table.

Access Controller under the hood

As mentioned previously, the Access Controller coprocessor uses the ability to intercept each user request, and check if the user has the rights to execute the operations.

For each operation, the Access Controller needs to query the _acl_ table to see if the user has the rights to execute the operation.

However, this operation can have a negative impact on performance. The solution to fix this problem is using the _acl_ table for persistence and ZooKeeper to speed up the rights lookup. Each region server loads the _acl_ table in memory and get notified of changes by the ZkPermissionWatcher. In this way, every region server has the updated value every time and each permission check is performed by using an in-memory map. 

Roadmap

While Kerberos is a stable, well-tested and proven authentication system, the HBase ACL feature is still very basic and its semantics are still evolving. HBASE-6096 is the umbrella JIRA as reference for all the improvements to ship in a v2 of the ACL feature.

Another open topic on authorization and access control is implementing a per-KeyValue security system (HBASE-6222) that will give the ability to have different values on the same cell associated with a security tag. That would allow to showing a particular piece of information based on the user’s permissions.

Conclusion

HBase Security adds two extra features that allow you to protect your data against sniffers or other network attacks (by using Kerberos to authenticate users and encrypt communications between services), and allow you to define User Authorization policies, restrict operations, and limit data visibility for particular users. 

Matteo Bertozzi is a Software Engineer at Spotify and an HBase Consultant at Cloudera. 

Ref: http://blog.cloudera.com/blog/2012/09/understanding-user-authentication-and-authorization-in-apache-hbase/

hbase读写性能测试调优_初稿
zx8167107的博客
12-08 1万+
Hbase读写性能测试调优    日期 版本 修订 审批 修订说明 2016.9.23 1.0 章鑫   初始版本               1        前言 本篇文章主要讲的是hbase
Hbase最全面入门指南
路边摊阿达西的博客
11-22 877
1.1.介绍 Section1.2, “快速开始”会介绍如何运行一个单机版的HBase.他运行在本地磁盘上。Section2, “配置”会介绍如何运行一个分布式的HBase。他运行在HDFS上 1.2.快速开始 本指南介绍了在单机安装HBase的方法。会引导你通过shell创建一个表,插入一行,然后删除它,最后停止HBase。只要10分钟就可以完成以下的操作。 1.2.1....
HBase-1.0.1.1的Java API使用记录
just_young的专栏
07-31 2406
最近项目中使用了HBase作为数据记录,这里简单记录一下使用的Java API,网上很多API都是比较早期的,现在已经属于过时了,所以在这里总结一下。 1. 首先是Configuration类,这个配置类来自org.apache.hadoop.conf.Configuration,首先要初始化它,这是一个重量级操作。Connection接口,来自org.apache.hadoop.hbase.c
【转】How-to: Enable User Authentication and Authorization in Apache HBase
weixin_30426957的博客
01-29 164
With the defaultApache HBaseconfiguration,everyone is allowed to read from and write to all tables available in the system. For many enterprise setups, this kind of policy is unacceptable. A...
1、apache-kylin-3.1.3-bin-hadoop3介绍及部署、验证详解
热门推荐
alanchanchn的专栏
06-22 6万+
Apache Kylin™是一个开源的、分布式的分析型数据仓库,提供 Hadoop 之上的 SQL 查询接口及多维分析(OLAP)能力以支持超大规模数据,最初由eBay Inc.开发并贡献至开源社区。Apache Kylin™ 令使用者仅需三步,即可实现超大数据集上的亚秒级查询。定义数据集上的一个星形或雪花形模型在定义的数据表上构建cube使用标准 SQL 通过 ODBC、JDBC 或 RESTFUL API 进行查询,仅需亚秒级响应时间即可获得查询结果。
hbase-default.xml详解--注释
好学若饥,谦卑若愚
03-08 1万+
<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <configuration> <!-- hbase的本地临时目录,每次机器重启数据会丢失,建议放到某个持久化文件目录下 --> &lt
HBase 默认配置文件 hbase-default.xml 注释解析HBase默认配置文件注释解析:hbase-default.xml、
weixin_43459847的博客
02-23 743
hbase配置文件
apache-cassandra-4.1.3单机部署及集群部署及简单操作
11-17 1502
是一套开源分布式NoSQL数据库系统。它最初由Facebook开发,用于储存收件箱等简单格式数据,用于储存特别大的数据,集GoogleBigTable的数据模型与Amazon Dynamo的完全分布式的架构于一身。是一套开源分布式Key-Value存储系统。这样单机版本的cassandra安装完成了。一、apache-cassandra介绍。二、apache-cassandra下载。六、进入cassandra。五、启动cassandra。选择一个自己喜欢的版本。四、修改python。
hbase-default.xml 默认文件
记录点点滴滴
01-25 2722
hbase-default.xml 默认文件 <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <!-- /** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file
Hbase官方文档中文版
小宁哥博客
05-15 4414
版权声明:本文为博主原创文章,转载请标注博主链接: https://blog.csdn.net/qq_35036995/article/details/80320009 摘要 这是 Apache HBase (TM)的官方文档。 HBase是一个分布式,版本化,面向列的数据库,构建在 Apache Hadoop和 Apache ZooKeeper之上。   目录 序 1. 入门 1....
Apache Software Foundation Index: Project Listing
H.B.Hooper
03-18 4148
http://projects.apache.org/indexes/quick.html HomeIndexes AlphabeticalCategoriesLanguagePMCProject ListingReleasesStandards FeedsDOAP Files GuidelinesCreate a DOAP FileDO
CDH6.3.2 集成配置 ATLAS-2.1.0
qinxw1687的博客
02-18 2820
APACHE ATLAS安装部署,数据治理。
2020.12.17课堂笔记(HBase分布式环境搭建)
超可爱慕之
12-17 542
HBase分布式环境搭建 一、HBase分布式环境安装 1.1 Zookeeper正常部署启动 首先保证Zookeeper集群的正常部署,并启动: [root@hadoop102 zookeeper]$ $ZK_HOME/bin/zkServer.sh start [root@hadoop103 zookeeper]$ $ZK_HOME/bin/zkServer.sh start [root@hadoop104 zookeeper]$ $ZK_HOME/bin/zkServer.sh start 1.2
Atlas2.1.0集成CDH6.3.0部署
十八闲客的博客,专注于大数据运维
07-21 1150
Atlas 是什么?Atlas是一组可扩展和可扩展的核心基础治理服务,使企业能够有效地满足Hadoop中的合规性要求,并允许与整个企业数据生态系统集成。Apache Atlas为组织提供了开放的元数据管理和治理功能,以建立其数据资产的目录,对这些资产进行分类和治理,并为数据科学家,分析师和数据治理团队提供围绕这些数据资产的协作功能。如果没有Atlas大数据表依赖问题不好解决,元数据管理需要自行开发,如:hive血缘依赖图对于表依赖问题,没有一个可以查询的工具,不方便错误定位,即业务sql开发。
嵌入式C语言从入门到精通视频教程.zip
08-21
目录: 1.1C语言会被淘汰吗?.mp4 1.2 如何成为嵌入式高手.mp4 1.3 搭建开发环境.mp4 1.4初识程序结构.mp4 1.5单片机程序的编译与运行简介.mp4 2.1 单片机中数据表现形式.mp4 2.2 为什么要引入数据类型.mp4 2.3 为什么要使用C99的整数类型.mp4 2.4 sizeof用法.mp4 2.5 GPIO输出速度影响什么.mp4 2.5 负数的二进制表现形式.mp4 2.6 变量的用法与注意事项.mp4 2.7 浮点型数据类型 2.8 一个字符引入的BUG 2.9 浮点数应用注意事项 2.10 为什么要引入ASCII码 3.1 C语言有哪些运算符 3.2 算数运算符及应用案例 3.3 算数复合赋值运算符 3.4 增1和减1运算符及应用案例 3.5 单片机是如何控制外设的 3.6 牢记位运算符的口诀 3.7 逻辑移位与算数移位的区别 3.8 左移右移位运算应用案例 3.9 位运算应用案例1.mp4 3.10 位运算应用案例2 .mp4 4.1 printf的基本用法.mp4 4.2 printf的精细格式控制.mp4 4.3 printf输出转义序列.mp4 5.1数据运算的类型转换.mp4 5.2数据截断和数据扩充的规则.mp4 5.3数据扩充的应用案例和总结.mp4 5.4数据运算发生溢出的危害.mp4 5.5 数据扩充案例.mp4 5.6 24000000U中的U是做什么用的?.mp4 6.1 bool数据类型.mp4 ............ 网盘文件永久链接
该课题为基于Matlab的人脸考勤系统。如果需要硬件结合的话,可以调取摄像头。带有人机交互界面。可以在人机交互界面的基础之上,进行相应的拓展。人脸库可以使用您自己的真实人脸库。(11).zip
08-21
该课题为基于Matlab的人脸考勤系统。如果需要硬件结合的话,可以调取摄像头。带有人机交互界面。可以在人机交互界面的基础之上,进行相应的拓展。人脸库可以使用您自己的真实人脸库。(11).zip
该课题为基于Matlab的运动目标跟踪系统。可以实时框定运动目标。对运动目标的行为做识别。带有人机交互界面,需要在人机交互界面的基础上进行拓展(12).zip
08-21
该课题为基于Matlab的运动目标跟踪系统。可以实时框定运动目标。对运动目标的行为做识别。带有人机交互界面,需要在人机交互界面的基础上进行拓展(12).zip
毫米波MIMO系统中基于凹度近似的功率分配.zip
08-21
1.版本:matlab2014a/2019b/2024b 2.附赠案例数据可直接运行。 3.代码特点:参数化编程、参数可方便更改、代码编程思路清晰、注释明细。 4.适用对象:计算机,电子信息工程、数学等专业的大学生课程设计、期末大作业和毕业设计。
该课题为基于Matlab的运动目标跟踪系统。可以实时框定运动目标。对运动目标的行为做识别。带有人机交互界面,需要在人机交互界面的基础上进行拓展(21).zip
最新发布
08-21
该课题为基于Matlab的运动目标跟踪系统。可以实时框定运动目标。对运动目标的行为做识别。带有人机交互界面,需要在人机交互界面的基础上进行拓展(21).zip
存管TOR1配置 1.配置本地管理账号 aaa-authentication-template 2001 aaa-authentication-type local $ aaa-authorization-template 2001 aaa-authorization-type local $ system-user authorization-template 1 bind aaa-authorization-template 2001 local-privilege-level 15 $ authentication-template 2 bind aaa-authentication-template 2001 local-privilege-level 2 $ user-name Lnlt@123 bind authentication-template 1 bind authorization-template 1 password encrypted Lnlt@123 $ user-authen-restriction fail-time 3 lock-minute 5 strong-password check enable $
07-03
<think>我们正在配置网络设备的本地管理账户和AAA认证授权模板。根据引用内容,配置步骤如下:1.**创建本地用户**:使用`local-user`命令创建本地用户,并设置密码和权限级别。 2. **配置AAA方案**:包括认证方案、授权方案和计费方案(如果不需要计费,可以跳过计费方案配置)。 3. **配置域**:在域下应用认证、授权和计费方案(对于本地认证,通常使用默认域`system`)。具体步骤:###1.创建本地用户进入系统视图,创建本地用户(例如用户名为admin),设置密码和权限级别(3级为最高权限):```bashsystem-viewlocal-useradmin classmanagepassword simpleyour_password#设置简单密码,或使用cipher加密authorization-attribute user-role level-3#设置权限级别为3service-typeterminal#设置用户服务类型为终端接入(如telnet、ssh) ```###2.配置AAA认证方案(本地认证) 创建认证方案并配置为本地认证: ```bashaaaauthentication-scheme local_auth#创建认证方案,名称自定义authentication-mode local#认证模式为本地认证```###3.配置AAA授权方案(本地授权) 创建授权方案并配置为本地授权:```bashauthorization-schemelocal_author#创建授权方案,名称自定义authorization-modelocal#授权模式为本地授权``` ###4.配置域并应用方案在域(如默认域`system`)下应用认证方案和授权方案:```bashdomainsystem#进入系统默认域authentication-schemelocal_auth#应用认证方案authorization-scheme local_author#应用授权方案```###5.配置用户接口(如Console、VTY)的认证方式对于Console口(con0),建议使用认证模式为`none`(不需要认证)或`password`(密码认证),但为了安全,通常设置密码认证。例如: ```bashuser-interface con0authentication-modescheme#使用AAA认证方案(即上面配置的本地认证)``` 对于VTY(虚拟终端)接口,配置为使用AAA认证方案: ```bashuser-interface vty04#进入VTY0到4authentication-mode scheme#使用AAA认证方案``` ###注意事项-如果同时配置了RADIUS和本地认证,可以在认证方案中配置备份认证方式(如`authentication-mode radiuslocal`,表示先尝试RADIUS认证,失败后使用本地认证)。-计费方案在本地认证中通常不需要配置,因为计费一般由RADIUS服务器完成。###配置示例(综合) ```bashsystem-view#创建本地用户local-user adminclass managepasswordsimple Admin@123authorization-attribute user-rolelevel-3service-typeterminal#配置AAA认证方案aaaauthentication-schemelocal_authauthentication-mode local#配置AAA授权方案authorization-scheme local_authorauthorization-modelocal#在system域下应用domain systemauthentication-schemelocal_authauthorization-scheme local_author#配置用户接口认证user-interface con0authentication-modescheme#使用AAA认证user-interface vty04authentication-mode scheme``` ###验证-使用创建的用户名和密码通过Console或Telnet/SSH登录设备,检查权限。###引用说明[^1]:在域下绑定认证、授权方案。[^2]:配置RADIUS的基本思路(但本文配置的是本地认证)。 [^3]:建议在VTY接口使用备份认证为本地,在Console口使用备份认证为none(但本文配置为scheme,即使用AAA方案)。 [^4]:创建本地用户并设置权限。§§相关问题§§1.如何配置RADIUS认证作为主认证,本地认证作为备份? 2.如何设置不同权限级别的本地用户?3.如何恢复忘记的本地管理员密码?</think>### 配置本地管理账户及AAA认证授权模板 根据华三/华为等网络设备的配置规范,以下是配置本地管理账户和AAA模板的完整步骤: #### 1. **创建本地管理账户** ```bash system-view aaa local-user admin password cipher P@ssw0rd123 # 设置加密密码 local-user admin service-type terminal ssh # 允许终端和SSH接入 local-user admin authorization-attribute user-role network-admin # 授予管理员权限 local-user admin state active # 激活账户 ``` #### 2. **配置AAA认证方案** ```bash aaa authentication-scheme LOCAL_AUTH # 创建认证方案 authentication-mode local # 指定本地认证[^4] ``` #### 3. **配置AAA授权方案** ```bash authorization-scheme LOCAL_AUTHOR # 创建授权方案 authorization-mode local # 本地授权模式[^1] ``` #### 4. **配置AAA业务方案(可选)** ```bash accounting-scheme LOCAL_ACCT # 创建计费方案(可选) accounting-mode none # 本地操作通常无需计费 ``` #### 5. **在域中绑定AAA方案** ```bash domain default_admin # 进入管理域 authentication-scheme LOCAL_AUTH # 绑定认证方案 authorization-scheme LOCAL_AUTHOR # 绑定授权方案[^1] accounting-scheme LOCAL_ACCT # 绑定计费方案(可选) ``` #### 6. **配置用户接口认证** ```bash user-interface vty 0 4 # 配置虚拟终端 authentication-mode aaa # 启用AAA认证[^3] protocol inbound ssh # 限制SSH接入 user-interface console 0 # 配置控制台 authentication-mode aaa # 启用AAA认证 ``` #### 7. **关键安全配置(重要)** ```bash aaa administrator admin service-type terminal ssh # 限制管理协议 security-level 3 # 设置安全等级 ``` ### 配置验证命令 ```bash display local-user # 查看本地用户 display aaa scheme # 检查AAA方案 display domain default_admin # 验证域绑定 ``` ### 配置注意事项 1. **密码安全**:使用`cipher`代替`simple`加密密码[^4] 2. **备份认证**:VTY接口建议配置`authentication-mode radius local`实现RADIUS+本地双认证[^3] 3. **权限隔离**:不同角色创建独立账户(如`operator`角色仅配`user-role level-1`) 4. **控制台保护**:Console口必须配置认证,避免设备物理接触风险 > 配置示例基于H3C Comware V7平台,华为/Huawei设备命令类似(需替换`aaa`为`aaa-administrator`等)
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值