Configure HDFS ACLs

Every file and folder in Linux is owned by an owner and a group. If a user needs to access a file (read, write, modify), either the user has to be part of the group or the file must have appropriate “others” permissions. In this model, we can’t set different permissions per user or per group to suit our requirements.

ACLs control the access of HDFS files by providing a way to set different permissions for specific named users or named groups.

They enhance the traditional permissions model by allowing users to define access control for various combinations of users and groups instead of a single owner/user or a single group.

 

Enabling HDFS ACLs Using Cloudera Manager

  1. Go to the CM – HDFS service.
  2. Click the Configuration tab.
  3. Select Scope > Service_name (Service-Wide)
  4. Locate the Enable Access Control Lists property and select its checkbox to enable HDFS ACLs.
  5. Click Save Changes to commit the changes.

Without enabling HDFS ACLs, we can’t perform ACL operations in HDFS.

 

Enabling HDFS ACLs Using the Command Line

To enable ACLs using the command line, set the dfs.namenode.acls.enabled property to true in the NameNode’s hdfs-site.xml.

<property>
<name>dfs.namenode.acls.enabled</name>
<value>true</value>
</property>

Commands

To set and get file access control lists (ACLs), use the file system shell commands, setfacl and getfacl.

getfacl

hdfs dfs -getfacl [-R] <path>

<!-- COMMAND OPTIONS
<path>: Path to the file or directory for which ACLs should be listed.
-R: Use this option to recursively list ACLs for all files and directories.
-->

Examples:

<!-- To list all ACLs for the file located at /user/kannan -->
hdfs dfs -getfacl /user/kannan

<!-- To recursively list ACLs for /user/kannan -->
hdfs dfs -getfacl -R /user/kannan

Note: We can set different ACLs for a directory, sub directory, files inside the directories.

setfacl

hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>]

<!-- COMMAND OPTIONS
<path>: Path to the file or directory for which ACLs should be set.
-R: Use this option to apply the operation recursively to all files and directories.
-b: Revoke all permissions except the base ACLs for user, groups and others.
-k: Remove the default ACL.
-m: Add new permissions to the ACL with this option. Does not affect existing permissions.
-x: Remove only the ACL specified.
<acl_spec>: Comma-separated list of ACL permissions.
--set: Use this option to completely replace the existing ACL for the path specified. 
       Previous ACL entries will no longer apply.
-->

Examples:

### To give user stonecold read, write permission over /user/cold/file ###
hdfs dfs -setfacl -m user:stonecold:rw- /user/cold/file

### To remove user undertaker's ACL entry for /user/taker/file ###
hdfs dfs -setfacl -x user:undertaker /user/taker/file
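
After granting entries with setfacl, it helps to review which named users and groups ended up with write access. The script below is an added example, not part of the original post: it filters getfacl output for such entries. The function names, the sample output and the paths and groups in it are constructed for illustration.

```shell
# Added example, not from the original post. Reads `hdfs dfs -getfacl [-R] <path>`
# output and reports named-user / named-group entries that grant write access.
# Columns (tab-separated): path, scope (access|default), type, name, perms.
named_write_entries() {
  awk '
    /^# file: /  { path = substr($0, 9); next }  # each block starts with its path
    /^#/ || /^$/ { next }                        # owner/group headers, separators
    {
      line = $0; eff = ""
      # A masked entry prints as "<entry><TAB>#effective:<perms>"; prefer that value.
      if (match(line, /#effective:/)) {
        eff  = substr(line, RSTART + RLENGTH)
        line = substr(line, 1, RSTART - 1)
      }
      sub(/[ \t]+$/, "", line)
      split(line, f, ":")
      i = 1; scope = "access"
      if (f[1] == "default") { scope = "default"; i = 2 }  # default ACL of a directory
      type = f[i]; name = f[i + 1]; perms = (eff != "" ? eff : f[i + 2])
      # An empty name is the base owner/group entry; mask and other never match.
      if ((type == "user" || type == "group") && name != "" && perms ~ /w/)
        printf "%s\t%s\t%s\t%s\t%s\n", path, scope, type, name, perms
    }'
}

# Constructed sample of recursive getfacl output (hypothetical paths and groups).
sample_getfacl_output() {
  cat <<'EOF'
# file: /user/cold
# owner: cold
# group: hadoop
user::rwx
user:stonecold:rw-
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:stonecold:rw-
default:group::r-x
default:mask::rwx
default:other::---

EOF
  printf '# file: /user/taker/file\n# owner: taker\n# group: hadoop\nuser::rw-\n'
  printf 'user:undertaker:rw-\t#effective:r--\ngroup::r--\nmask::r--\nother::---\n'
}

# On a cluster: hdfs dfs -getfacl -R /user | named_write_entries
sample_getfacl_output | named_write_entries
```

The undertaker entry is not reported because its effective permission, after the mask is applied, is read-only. The default-scope line matters because a directory's default ACL is copied to files and subdirectories created under it.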
