Class AccessController

java.lang.Object
org.apache.hadoop.hbase.security.access.AccessController
All Implemented Interfaces:
Coprocessor, BulkLoadObserver, EndpointObserver, MasterCoprocessor, MasterObserver, RegionCoprocessor, RegionObserver, RegionServerCoprocessor, RegionServerObserver, org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface

@LimitedPrivate("Configuration") public class AccessController extends Object implements MasterCoprocessor, RegionCoprocessor, RegionServerCoprocessor, org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface, MasterObserver, RegionObserver, RegionServerObserver, EndpointObserver, BulkLoadObserver
Provides basic authorization checks for data access and administrative operations.

AccessController performs authorization checks for HBase operations based on:

  • the identity of the user performing the operation
  • the scope over which the operation is performed, in increasing specificity: global, table, column family, or qualifier
  • the type of action being performed (as mapped to Permission.Action values)

If the authorization check fails, an AccessDeniedException will be thrown for the operation.

To perform authorization checks, AccessController relies on the RpcServerEngine being loaded to provide the user identities for remote requests.

The access control lists used for authorization can be manipulated via the exposed AccessControlProtos.AccessControlService Interface implementation, and the associated grant, revoke, and user_permission HBase shell commands.