无authentication有authorization模式下使用hbase
hbase默认情况下对客户端不做任何权限控制,这对于很多应用场景是不适用的。而kerberos的SASL验证方式比较啰嗦(主要是增加服务端、客户端的认证配置),而且Secure Access to Apache HBase会对性能有%10左右的损失,这对于轻安全重性能的场景下同样不适合。“Simple User Access to Apache HBase”是一种无authentication有authorization的使用模式,我们可以通过对预定义的用户进行授权,而不需要预先做身份验证。这样可以做到不需增加身份验证的配置工作,而对不同用户的访问权限进行控制与隔离。
实验环境:
hbase版本1.0.2
hadoop版本2.7.1
jdk版本 1.7
服务端侧配置
Add the following to the hbase-site.xml file on every server machine in the cluster:
<property> <name>hbase.security.authentication</name> <value>simple</value> </property> <property> <name>hbase.security.authorization</name> <value>true</value> </property> <property> <name>hbase.coprocessor.master.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.coprocessor.regionserver.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property>
客户端侧配置
Add the following to the hbase-site.xml file on every client:
<property> <name>hbase.security.authentication</name> <value>simple</value> </property>
默认即为simple模式,因此不配这个也没关系。
在服务端增加访问用户(即运行客户端进程的当前系统用户)的权限配置,
如,
注意:此处的用户,即为客户端进程运行时进程所属的系统用户。因此没有用户添加的过程,可以直接对用户授权。
客户端代码示例,
pom.xml
<dependencies> <dependency> <groupId>org.apache.hbase</groupId> <artifactId>hbase-client</artifactId> <version>1.0.2</version> </dependency> </dependencies>
hbase-site.xml
<?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <configuration> <property> <name>hbase.security.authentication</name> <value>simple</value> </property> <property> <name>hbase.zookeeper.quorum</name> <value>zknode1,zknode2,zknode3</value> </property> <property> <name>zookeeper.znode.parent</name> <value>/bda/hbase3</value> </property> </configuration>
client代码,
package com.test; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseConfiguration; import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; public class HBaseTest { public static void main(String args[]) { Connection connection = null; Configuration configuration = HBaseConfiguration.create(); try { TableName tableName = TableName.valueOf("ziyang_client_test"); connection = ConnectionFactory.createConnection(configuration); Admin hBaseAdmin = connection.getAdmin(); if (hBaseAdmin.isTableAvailable(tableName)) { hBaseAdmin.disableTable(tableName); hBaseAdmin.deleteTable(tableName); System.out.println(tableName + " is exist,detele...."); } HTableDescriptor tableDescriptor = new HTableDescriptor(tableName); tableDescriptor.addFamily(new HColumnDescriptor("column1")); tableDescriptor.addFamily(new HColumnDescriptor("column2")); tableDescriptor.addFamily(new HColumnDescriptor("column3")); hBaseAdmin.createTable(tableDescriptor); System.out.println(tableName + " created...."); } catch (Exception e) { e.printStackTrace(); } finally { if(connection != null){ connection.close(); } } } }