Access control lists are applied to data in HDFS to restrict access to data to approved entities.
Why Access Control Lists?
Hadoop supports the UNIX file permission model. Briefly, every file/directory in UNIX has 3 categories of permissions.
Owner permissions: The owner's permissions determine what actions the owner of the file can perform on the file.
Group permissions: The group's permissions determine what actions a user who is a member of the group that the file belongs to can perform on the file.
Other permissions: The permissions for others indicate what actions all other users can perform on the file.
$ hadoop fs -ls /user/harikrishna_gurram/dir1/sample.txt
-rw-r--r-- 3 harikrishna_gurram supergroup 468 2015-06-18 12:45 /user/harikrishna_gurram/dir1/sample.txt
Let's observe the file "sample.txt" above:
The owner can read and write the file.
A person who is a member of the group can read the file.
Others can also read the file.
Failed Scenario
Suppose I want to give write permission to Ram and Preethi in addition to the owner of the file. Unfortunately, there is no way for the permission bits to express this requirement.
In scenarios like the one above, access control lists work very well. By using access control lists you can specify file permissions for specific named users or named groups.
To use ACLs you first need to enable them. Add the following lines to hdfs-site.xml (the file is located in {Hadoop-Install_dir}/etc/hadoop).
<property>
<name>dfs.namenode.acls.enabled</name>
<value>true</value>
</property>
Restart the Namenode.
$ hadoop-daemon.sh stop namenode
stopping namenode
$ hadoop-daemon.sh start namenode
starting namenode, logging to /Users/harikrishna_gurram/softwares/Hadoop/hadoop-2.6.0/logs/hadoop-harikrishna_gurram-namenode-localhost.out
Hadoop provides the following commands to work with ACLs.
setfacl: Sets Access Control Lists (ACLs) of files and directories.
Usage: hadoop fs [generic options] -setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>]
Options:
-b: Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits.
-k: Remove the default ACL.
-R: Apply operations to all files and directories recursively.
-m: Modify ACL. New entries are added to the ACL, and existing entries are retained.
-x: Remove specified ACL entries. Other ACL entries are retained.
--set: Fully replace the ACL, discarding all existing entries. The acl_spec must include entries for user, group, and others for compatibility with permission bits.
acl_spec: Comma separated list of ACL entries.
path: File or directory to modify.
getfacl: Displays the Access Control Lists (ACLs) of files and directories.
Usage: hadoop fs [generic options] -getfacl [-R] <path>
Options:
-R: List the ACLs of all files and directories recursively.
path: File or directory to list.
$ hadoop fs -getfacl /user/harikrishna_gurram/dir1
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
group::r-x
other::r-x
As you can observe:
The owner has rwx permissions.
A person in supergroup has r-x permissions.
Others also have r-x permissions.
I want to add a group "special" which has rw- permissions on dir1.
$ hadoop fs -setfacl -m group:special:rw- /user/harikrishna_gurram/dir1
The above command adds rw- permissions for the special group on the directory "/user/harikrishna_gurram/dir1".
$ hadoop fs -getfacl /user/harikrishna_gurram/dir1
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
group::r-x
group:special:rw-
mask::rwx
other::r-x
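The listing above now carries a mask::rwx entry that the post does not comment on. Under the POSIX-style ACL model that HDFS follows, the mask caps what named users, named groups and the owning group actually receive; the owner (user::) and other:: entries are never masked. So when reviewing who can really write to a directory, the mask has to be applied to each entry rather than reading the entries literally. The script below is an added example, not code from the original post or from Hadoop: it parses the getfacl output shown above (embedded as a constructed sample), reports the effective permission of each entry after the mask is applied, and flags whether the ACL is extended, which is the condition under which ls appends '+'. The entry labels it produces (user: for the owner, group:special for the named group, and so on) are this script's own naming.

```python
"""Interpret `hadoop fs -getfacl` output: parse the entries and compute the
permission each entry actually grants once the ACL mask is applied.

Added example, not code from the original post or from Hadoop. It assumes
the POSIX-style mask rule that HDFS ACLs follow: the mask caps the named
user, named group and owning-group entries, while the owner (user::) and
other:: entries are not masked.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the getfacl listing the post shows for dir1
# after `-setfacl -m group:special:rw-`.
SAMPLE_GETFACL = """\
# file: /user/harikrishna_gurram/dir1
# owner: harikrishna_gurram
# group: supergroup
user::rwx
group::r-x
group:special:rw-
mask::rwx
other::r-x
"""


@dataclass
class AclEntry:
    kind: str   # "user", "group", "mask" or "other"
    name: str   # empty for the owner, the owning group, mask and other
    perms: str  # three characters drawn from "rwx-"

    @property
    def is_masked(self) -> bool:
        # Named users, named groups and the owning group are filtered by
        # the mask; the file owner and "other" are not.
        return (self.kind == "user" and self.name != "") or self.kind == "group"

    @property
    def label(self) -> str:
        return f"{self.kind}:{self.name}"


def parse_getfacl(text: str) -> dict:
    """Split one getfacl listing into its header fields and ACL entries."""
    header: Dict[str, str] = {}
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "# owner: harikrishna_gurram" -> header["owner"]
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        kind, name, perms = parts
        if len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"bad permission string in {line!r}")
        entries.append(AclEntry(kind, name, perms))
    return {"path": header.get("file"), "owner": header.get("owner"),
            "group": header.get("group"), "entries": entries}


def _bits(perms: str) -> set:
    return {c for c in perms if c != "-"}


def _fmt(bits: set) -> str:
    return "".join(c if c in bits else "-" for c in "rwx")


def effective_perms(entries: List[AclEntry]) -> Dict[str, str]:
    """Map every non-mask entry to the permission it really grants."""
    mask = next((_bits(e.perms) for e in entries if e.kind == "mask"), None)
    result: Dict[str, str] = {}
    for e in entries:
        if e.kind == "mask":
            continue
        bits = _bits(e.perms)
        if mask is not None and e.is_masked:
            bits &= mask  # the mask can only take permissions away
        result[e.label] = _fmt(bits)
    return result


def has_extended_acl(entries: List[AclEntry]) -> bool:
    """True when the ACL goes beyond the plain permission bits, which is
    exactly when `hadoop fs -ls` appends '+' to the mode string."""
    return any(e.kind == "mask" or e.name for e in entries)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(f"{acl['path']} (extended ACL: {has_extended_acl(acl['entries'])})")
    for label, perms in effective_perms(acl["entries"]).items():
        print(f"  {label:<16} {perms}")
```

Running it on the post's listing reports group:special as rw-, because the mask is rwx. Had an administrator tightened the mask to r-- (for example with -setfacl -m mask::r--), the same named entry would still read group:special:rw- in getfacl but would grant only r--, which is why an audit of HDFS ACLs should compute effective permissions rather than grep for the entry text.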
Additionally, the output of ls has been modified to append '+' to the permissions of a file or directory that has an ACL.
$ hadoop fs -ls /user/harikrishna_gurram/
Found 4 items
drwxrwxr-x+ - harikrishna_gurram supergroup 0 2015-06-18 15:06 /user/harikrishna_gurram/dir1
drwxr-xr-x - harikrishna_gurram supergroup 0 2015-06-18 15:06 /user/harikrishna_gurram/dir2
drwxr-xr-x - harikrishna_gurram supergroup 0 2015-06-18 14:54 /user/harikrishna_gurram/first
-rw-r--r-- 3 harikrishna_gurram supergroup 973 2015-06-18 16:21 /user/harikrishna_gurram/sample.zip
As you can observe in the above output, a + sign is added to "/user/harikrishna_gurram/dir1".