Saturday, 2 January 2016

Hadoop: Access control list (ACL)

Access control lists are applied to data in HDFS to restrict access to approved entities.

Why Access control list?
Hadoop supports the UNIX file permission model. Briefly, every file/directory in UNIX has 3 categories of permissions.

Owner permissions: The owner's permissions determine what actions the owner of the file can perform on the file.

Group permissions: The group's permissions determine what actions a user who is a member of the group that the file belongs to can perform on the file.

Other permissions: The permissions for others indicate what action all other users can perform on the file.

$ hadoop fs -ls /user/harikrishna_gurram/dir1/sample.txt
-rw-r--r--   3 harikrishna_gurram supergroup        468 2015-06-18 12:45 /user/harikrishna_gurram/dir1/sample.txt

Let's observe the file "sample.txt" above:

The owner can read and write the file.
A user who is a member of the group can read the file.
Others can also read the file.

Failed Scenario
Suppose I want to give write permissions to Ram and Preethi in addition to the owner of the file. Unfortunately, there is no way for the permission bits to express this requirement.

In scenarios like the one above, access control lists work very well. Using access control lists you can specify file permissions for specific named users or named groups.

To use ACLs, first you need to enable them.
Add the following lines to hdfs-site.xml (the file is located in {Hadoop-Install_dir}/etc/hadoop).

<property>
         <name>dfs.namenode.acls.enabled</name>
         <value>true</value>
</property>


Restart the NameNode.
$ hadoop-daemon.sh stop namenode
stopping namenode
$ hadoop-daemon.sh start namenode
starting namenode, logging to /Users/harikrishna_gurram/softwares/Hadoop/hadoop-2.6.0/logs/hadoop-harikrishna_gurram-namenode-localhost.out

Hadoop provides the following commands to work with ACLs:
setfacl: Sets Access Control Lists (ACLs) of files and directories.

Usage:
hadoop fs [generic options] -setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>]

Options:
-b: Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits.
-k: Remove the default ACL.
-R: Apply operations to all files and directories recursively.
-m: Modify ACL. New entries are added to the ACL, and existing entries are retained.
-x: Remove specified ACL entries. Other ACL entries are retained.
--set: Fully replace the ACL, discarding all existing entries. The acl_spec must include entries for user, group, and others for compatibility with permission bits.
acl_spec: Comma separated list of ACL entries.
path: File or directory to modify.

getfacl: Displays the Access Control Lists (ACLs) of files and directories.

Usage:
hadoop fs [generic options] -getfacl [-R] <path>

Options:
-R: List the ACLs of all files and directories recursively.

path: File or directory to list.

$ hadoop fs -getfacl /user/harikrishna_gurram/dir1
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
group::r-x
other::r-x


As you can observe:
The owner has rwx permissions.
A user in supergroup has r-x permissions.
Others also have r-x permissions.

I want to add a group "special" which has rw- permissions on dir1.

$ hadoop fs -setfacl -m group:special:rw- /user/harikrishna_gurram/dir1

The above command adds rw- permissions for the group special on the directory "/user/harikrishna_gurram/dir1".

$ hadoop fs -getfacl /user/harikrishna_gurram/dir1
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
group::r-x
group:special:rw-
mask::rwx
other::r-x


Additionally, the output of ls is modified to append '+' to the permissions of a file or directory that has an ACL.

$ hadoop fs -ls /user/harikrishna_gurram/
Found 4 items
drwxrwxr-x+  - harikrishna_gurram supergroup          0 2015-06-18 15:06 /user/harikrishna_gurram/dir1
drwxr-xr-x   - harikrishna_gurram supergroup          0 2015-06-18 15:06 /user/harikrishna_gurram/dir2
drwxr-xr-x   - harikrishna_gurram supergroup          0 2015-06-18 14:54 /user/harikrishna_gurram/first
-rw-r--r--   3 harikrishna_gurram supergroup        973 2015-06-18 16:21 /user/harikrishna_gurram/sample.zip


As you can observe in the above output, a + sign is appended to "/user/harikrishna_gurram/dir1".
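To see how the NameNode turns the entries printed by getfacl into an allow/deny decision (owner first, then a named user, then the owning and named groups filtered by the mask, then other), here is an added example that is not part of the original post: it parses the dir1 ACL above, extended with the named-user entries for Ram and Preethi from the "Failed Scenario" (those two lines and the group memberships in the checks are assumed), and evaluates a requested permission for a given user.

```python
# Constructed input: the dir1 ACL shown on the page, plus the named-user entries the
# "Failed Scenario" asked for (Ram and Preethi writable); those two lines are assumed.
DIR1_ACL = """\
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
user:Ram:rw-
user:Preethi:rw-
group::r-x
group:special:rw-
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (type, name) -> 'rwx'-style string."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("default:"):
            continue  # default entries shape new children; they do not affect this check
        elif line and not line.startswith("#"):
            etype, name, perm = line.split(":")
            entries[(etype, name)] = perm
    return owner, group, entries

def _grants(perm, mask, want):
    """True if `perm`, filtered by `mask` (None = unfiltered), contains every bit in `want`."""
    return all(c in perm and (mask is None or c in mask) for c in want)

def check_access(acl_text, user, groups, want):
    """HDFS evaluation order: owner, named user, owning/named groups (masked), other."""
    owner, owning_group, e = parse_getfacl(acl_text)
    mask = e.get(("mask", ""))
    if user == owner:                      # owner entry is never masked
        return _grants(e[("user", "")], None, want)
    if ("user", user) in e:                # a named-user entry, masked, is decisive
        return _grants(e[("user", user)], mask, want)
    candidates = [e[("group", "")]] if owning_group in groups else []
    candidates += [p for (t, n), p in e.items() if t == "group" and n and n in groups]
    if candidates:                         # some one matching group entry must grant all of `want`
        return any(_grants(p, mask, want) for p in candidates)
    return _grants(e[("other", "")], None, want)
```

Note that in the ls output above the group bits of dir1 read rwx because, once an ACL is present, that position displays the mask rather than the owning group's own entry (group::r-x), so a listing marked with '+' should be read through getfacl, not the mode string.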
