Security considerations when Db2 Big SQL accesses HBase objects
HBase objects, such as tables or indexes, can be accessed by a Db2 Big SQL user when the appropriate authorization rules for the HBase resources are established.
To enable HBase authorization, do the following steps:
- Add the following properties to the hbase-site.xml file on every HBase server host.
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController, org.apache.hadoop.hbase.coprocessor.example.BulkDeleteEndpoint</value>
  </property>
- Configure the access control lists for authorization in the HBase shell with GRANT and REVOKE statements.
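One way to confirm the first step on a host, as an added example (not IBM or HBase project code): the function below parses hbase-site.xml text and reports which of the three properties are missing or wrong. The names audit and make_site and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AC = "org.apache.hadoop.hbase.security.access.AccessController"
BULK = "org.apache.hadoop.hbase.coprocessor.example.BulkDeleteEndpoint"

def _classes(value):
    # Coprocessor lists are comma-separated; tolerate spaces around entries.
    return [c.strip() for c in value.split(",") if c.strip()]

# The three properties from the first step and the test each value must pass.
REQUIRED = {
    "hbase.security.authorization": lambda v: v.strip().lower() == "true",
    "hbase.coprocessor.master.classes": lambda v: AC in _classes(v),
    "hbase.coprocessor.region.classes": lambda v: AC in _classes(v),
}

def audit(xml_text):
    """Return a list of findings; an empty list means all three settings are in place."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""  # a repeated name keeps its last value here
    findings = []
    for name, ok in REQUIRED.items():
        if name not in props:
            findings.append(f"{name}: missing")
        elif not ok(props[name]):
            findings.append(f"{name}: unexpected value {props[name]!r}")
    return findings

def make_site(props):
    """Build a constructed hbase-site.xml string for the demonstration below."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample matching the properties listed in the first step.
GOOD_SITE = make_site({"hbase.security.authorization": "true",
                       "hbase.coprocessor.master.classes": AC,
                       "hbase.coprocessor.region.classes": f"{AC}, {BULK}"})
# Constructed misconfiguration: authorization is on, but AccessController is not listed.
BAD_SITE = make_site({"hbase.security.authorization": "true",
                      "hbase.coprocessor.region.classes": BULK})

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        print(label, audit(xml_text) or "ok")
```

To check a real host, pass the contents of its hbase-site.xml file to audit and repeat on every HBase server host.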
All HBase tables are created in the distributed file system in the following directory:
/hbase/data/default
The permissions for this directory are not restrictive, and there is no directory inheritance. Therefore, you must explicitly change permissions on any HBase table data that you want to secure. By default, the bigsql user has these privileges:
bigsql hbase,hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
With the RWXCA privileges, the bigsql user has the authority to perform all of the operations in HBase. You can determine the current permissions with the following command:
hbase> user_permission '<tablename>'
However, if an EXTERNAL HBase table must be read from Db2 Big SQL, then the users in Db2 Big SQL must be explicitly granted the correct permissions. In the HBase shell, run the following GRANT statements to give permissions to bigsql and to users that would be creating HBase tables.
hbase> grant 'bigsql', 'RWXC', '<tablename>'