revoke

Definition

Revokes a user's access rights.

IMPORTANT

This command can be executed only by users with ADMIN rights. Run it as the hbase superuser, or grant the appropriate rights to your user:

sudo -u hbase hbase shell
grant '<user_name>', 'A'

Usage

revoke '<user_name>' | '@<group_name>' [,
       '@<namespace_name>'] | [, '[<namespace_name>:]<table_name>' [, '<column_family>' [, '<column_qualifier>']]]

Arguments

Parameter           Description
user_name           A user name
group_name          A user group name
namespace_name      A namespace name
table_name          A table name
column_family       A column family name
column_qualifier    A column qualifier

NOTE
A namespace name and a group name should be preceded by the @ character.

Examples

Revoking rights on the specified table column

hbase(main):011:0> user_permission 'ns1:temp2'
User                     Namespace,Table,Family,Qualifier:Permission
 dasha                   ns1,ns1:temp2,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 dasha                   ns1,ns1:temp2,cf1,c1: [Permission: actions=READ,WRITE]
2 row(s)
Took 0.0315 seconds
hbase(main):001:0> revoke 'dasha', 'ns1:temp2', 'cf1', 'c1'
Took 0.5811 seconds
hbase(main):003:0> user_permission 'ns1:temp2'
User                  Namespace,Table,Family,Qualifier:Permission
 dasha                ns1,ns1:temp2,,: [Permission: actions=READ,WRITE,EXEC,CREA
                      TE,ADMIN]
1 row(s)
Took 0.0458 seconds
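
In the output above, the table-level row for dasha is still present after the column-level revoke, and a table-scope grant applies to every column of that table. The following Ruby script is an added example, not part of the original page or of HBase: it parses user_permission output (re-joining rows the shell wrapped) and lists the grants that still cover a given column. The names Grant, parse_user_permission and covering_grants are hypothetical, and the sample text is constructed from the output shown above.

```ruby
# Constructed sample: `user_permission 'ns1:temp2'` output after a column-level
# revoke, including the shell's line wrap inside "CREATE".
SAMPLE = <<~OUT
  User                  Namespace,Table,Family,Qualifier:Permission
   dasha                ns1,ns1:temp2,,: [Permission: actions=READ,WRITE,EXEC,CREA
                        TE,ADMIN]
  1 row(s)
  Took 0.0458 seconds
OUT

Grant = Struct.new(:user, :namespace, :table, :family, :qualifier, :actions)
ROW = /\A(\S+)\s+([^,]*),([^,]*),([^,]*),([^:]*): \[Permission: actions=([A-Z,]+)\]\z/

# Parse user_permission output into Grant rows, re-joining wrapped lines.
def parse_user_permission(text)
  rows = []
  text.each_line(chomp: true) do |line|
    next if line.strip.empty? || line =~ /\A(User\s|\d+ row\(s\)|Took )/
    if line =~ /\A \S/       # a row starts with one space, then the user name
      rows << line.strip
    elsif rows.any?          # deeper indentation continues the previous row
      rows[-1] += line.strip
    end
  end
  rows.map do |row|
    m = ROW.match(row) or next
    Grant.new(m[1], m[2], m[3], m[4], m[5], m[6].split(","))
  end.compact
end

# Grants that still apply to the target: an empty table, family or qualifier
# field in a grant means the grant is not restricted at that level.
def covering_grants(grants, user, namespace, table, family = "", qualifier = "")
  grants.select do |g|
    g.user == user && g.namespace == namespace &&
      [[g.table, table], [g.family, family], [g.qualifier, qualifier]]
        .all? { |have, want| have.empty? || have == want }
  end
end

if __FILE__ == $PROGRAM_NAME
  covering_grants(parse_user_permission(SAMPLE), "dasha", "ns1", "ns1:temp2", "cf1", "c1")
    .each { |g| puts "still granted via #{g.table}: #{g.actions.join(',')}" }
end
```

Grants made to a group ('@<group_name>') are matched only when that group name is passed as the user argument; group membership is not resolved.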

Revoking rights on the specified table

hbase(main):003:0> user_permission 'ns1:temp2'
User                  Namespace,Table,Family,Qualifier:Permission
 dasha                ns1,ns1:temp2,,: [Permission: actions=READ,WRITE,EXEC,CREA
                      TE,ADMIN]
1 row(s)
Took 0.0458 seconds
hbase(main):008:0> revoke 'dasha', 'ns1:temp2'
Took 0.0295 seconds
hbase(main):009:0> user_permission 'ns1:temp2'
User                  Namespace,Table,Family,Qualifier:Permission
0 row(s)
Took 0.0374 seconds

Revoking rights on the specified namespace

hbase(main):010:0> user_permission '@ns1'
User                     Namespace,Table,Family,Qualifier:Permission
 dasha                   ns1,,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
1 row(s)
Took 0.0419 seconds
hbase(main):004:0> revoke 'dasha', '@ns1'
Took 0.0268 seconds
hbase(main):006:0> user_permission '@ns1'
User                  Namespace,Table,Family,Qualifier:Permission
0 row(s)
Took 0.0355 seconds

Revoking rights without using namespaces and tables

hbase(main):011:0> revoke 'dasha'
Took 0.0125 seconds
hbase(main):012:0> user_permission
User                  Namespace,Table,Family,Qualifier:Permission

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'dasha' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:158)
        at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:129)
        at org.apache.hadoop.hbase.security.access.AccessController.getUserPermissions(AccessController.java:2182)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.getUserPermissions(AccessControlProtos.java:10039)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10197)
        at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8049)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2409)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2391)
        at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
        at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)

Show all permissions for the particular user.
Syntax : user_permission <table>

Note: A namespace must always precede with '@' character.

For example:

    hbase> user_permission
    hbase> user_permission '@ns1'
    hbase> user_permission '@.*'
    hbase> user_permission '@^[a-c].*'
    hbase> user_permission 'table1'
    hbase> user_permission 'namespace1:table1'
    hbase> user_permission '.*'
    hbase> user_permission '^[A-C].*'

Took 0.5466 seconds