My understanding of the hbase.superuser ACL is that members of a user group specified here (prefixed with @) will have full rights on HBase. However, it seems that the ADMIN right is missing.
Below, I have an example of using HBase as user "anastetsky" who belongs to a group specified in hbase.superuser. No explicit permissions have been granted to any user. I attempt to grant myself permissions (an ADMIN action), which fails. I then create a table "foo" to show that I still have "create" rights, because I belong to a superuser group. Members of the group can also "write" and "read", but not "admin".

---
hbase(main):001:0> user_permission
User                                Table,Family,Qualifier:Permission
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
0 row(s) in 4.3950 seconds

hbase(main):002:0> grant 'anastetsky','RWC'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions ([email protected], scope=GLOBAL, family=, action=ADMIN)
    at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
    at org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
    at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
    at org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
    at org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)

Here is some help for this command:
Grant users specific rights.
Syntax : grant <user> <permissions> [<table> [<column family> [<column qualifier>]]

permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')

For example:

    hbase> grant 'bobsmith', 'RWXCA'
    hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'

hbase(main):003:0> create 'foo','bar'
0 row(s) in 1.0650 seconds

Thanks in advance,
Alex.
