HBase 0.98 Introduces Cell-based Security
HBase and Accumulo are both Apache projects that provide a distributed data store modeled after Google’s BigTable infrastructure that run on Apache Hadoop.
A cell is the lowest addressable unit in HBase using a key. In earlier versions, cells inherited the permissions from the column family, which in turn inherited the permissions from the table.
Accumulo, which uses a similar data model, has a finer grained cell-based security model although it’s different from the conventional ACLs (Access Control Lists). The key is comprised of a label, which helps make fine-grained decisions on access to different parts of the data at the cell level. So, it’s possible to have multiple levels of information access to the same data depending on the contents of the label.
Issues HBASE-8496 and HBASE-7663 are addressed in HBase 0.98. They implement cell-based security via tags. These tags can store arbitrary Meta data, which allows extension of the ACL security model from the table to the column family to the cell. In addition, it’s possible to store visibility expressions in tags, which provide similar granularity levels for access of different pieces of information within the cell like Accumulo.
From an API perspective, a call like below would set the Access Permissions on the cell for user1.
put.setACL(“user1”, new Permission(Permission.Action.READ))
Andrew Purtell, a principal architect at Intel and a long-time contributor to HBase says, "With the release of Apache HBase 0.98, there is some security feature convergence happening here from the perspective of the end user. HBase has supported ACLs for a while. Now that we also support Accumulo-style visibility labels, we provide a superset of the features of both projects for our users." Purtell program managed the release, which was outlined in his cell-based security blog.
Ben Linders May 28, 2015