Hadoop cluster security 1: How to enable HDFS permission ACL
Overall:
- HDFS uses the same users and groups as the underlying Linux system. Each file is owned by one user and one group.
- If a file needs to be granted access to multiple users or groups, ACLs should be used. HDFS ACLs give you the ability to specify fine-grained file permissions for specific named users or named groups, not just the file’s owner and group.
How to enable HDFS ACL:
- To use ACLs, first enable them on the NameNode by adding the following configuration properties to hdfs-site.xml, then restart the NameNode.
<property>
<name>dfs.permissions.enabled</name>
<value>true</value>
</property>
<property>
<name>dfs.namenode.acls.enabled</name>
<value>true</value>
</property>
- HDFS CLI: setfacl and getfacl
- Reference: http://zh.hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/
HDFS user permission use case:

| Groups | Users | System logs | Original data | Middle Result | Final Result | Critical Data (Ready data) |
|---|---|---|---|---|---|---|
| TechMg | manager | r-- | rwx | rwx | rwx | rwx |
| | dataCollector | rw- | rw- | r-- | r-- | r-- |
| | plateformDev | r-- | r-- | r-- | r-- | r-- |
| | DataProcessor | r-- | rw- | rwx | rwx | r-- |
| | DataAnalytics | r-- | r-- | r-- | r-- | r-- |
| business | business | --- | --- | --- | r-- | --- |
| appDev | appDev | rwx | rwx | --- | --- | --- |

Key ACL command: acl_SystemLogs.sh
hdfs dfs -setfacl -m user:appDev:rwx /fftest/SystemLogs
hdfs dfs -setfacl -m group:appDev:rwx /fftest/SystemLogs
hdfs dfs -setfacl -m user:business:--- /fftest/SystemLogs
hdfs dfs -setfacl -m group:business:--- /fftest/SystemLogs
hdfs dfs -setfacl -m user:manager:r-- /fftest/SystemLogs
hdfs dfs -setfacl -m user:dataCollector:rw- /fftest/SystemLogs
hdfs dfs -setfacl -m user:plateformDev:r-- /fftest/SystemLogs
hdfs dfs -setfacl -m user:DataProcessor:r-- /fftest/SystemLogs
hdfs dfs -setfacl -m user:DataAnalytics:r-- /fftest/SystemLogs
ACL example:
drwxrwxr-x+ - hadoop ff 0 2015-05-20 13:58 /fftest/CriticalData
drwxrwxr-x+ - hadoop ff 0 2015-05-20 13:58 /fftest/FinalResult
drwxrwxr-x+ - hadoop ff 0 2015-05-20 13:57 /fftest/MiddleResult
drwxrwxr-x+ - hadoop ff 0 2015-05-20 13:57 /fftest/OriginalData
drwxrwxr-x+ - hadoop ff 0 2015-05-20 13:56 /fftest/SystemLogs
[hadoop@node1 tmp]$ hdfs dfs -getfacl /fftest/SystemLogs
15/05/20 16:35:04 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
# file: /fftest/SystemLogs
# owner: hadoop
# group: ff
user::rwx
user:DataAnalytics:r--
user:DataProcessor:r--
user:appDev:rwx
user:business:---
user:dataCollector:rw-
user:manager:r--
user:plateformDev:r--
group::r-x
group:TechMg:r--
group:appDev:rwx
group:business:---
mask::rwx
other::r-x
[hadoop@node1 tmp]$ hdfs dfs -getfacl /fftest/OriginalData
15/05/20 16:46:36 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
# file: /fftest/OriginalData
# owner: hadoop
# group: ff
user::rwx
user:DataAnalytics:r--
user:DataProcessor:rw-
user:appDev:rw-
user:business:---
user:dataCollector:rw-
user:manager:rwx
user:plateformDev:r--
group::r-x
group:appDev:rwx
group:business:---
mask::rwx
other::r-x
Result: the business user cannot access CriticalData, but the manager user can.
[manager@node1 ~]$ hadoop fs -cat /fftest/CriticalData/test
15/05/20 17:05:04 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
a
s
d
g
hg
[business@node1 root]$ hadoop fs -cat /fftest/CriticalData/test
15/05/20 17:06:09 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
cat: Permission denied: user=business, access=EXECUTE, inode="/fftest/CriticalData":hadoop:ff:drwxrwxr-x:user:DataAnalytics:r--,user:DataProcessor:r--,user:appDev:---,user:business:---,user:dataCollector:r--,user:manager:rwx,user:plateformDev:r--,group::r-x,group:appDev:---,group:business:---
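The denial above comes from the order in which HDFS tests ACL entries: owner, then a matching named user, then matching groups, then other, with only the first matching class deciding. The shell function below is an added example, not part of the original post; it replays that order over getfacl-style text. The sample ACL is constructed from the error message above, and the users guest and dev2 used with it are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. acl_decide USER GROUPS ACCESS reads
# `hdfs dfs -getfacl` text on stdin and prints "allow|deny <deciding entry>".
# GROUPS is comma-separated; ACCESS is one of r, w, x.
acl_decide() {
  awk -v u="$1" -v groups="$2" -v want="$3" '
    function masked(p,   i, c, out) {    # named-user and group entries are ANDed with mask
      for (i = 1; i <= 3; i++) {
        c = substr(p, i, 1); out = out ((c != "-" && index(mask, c)) ? c : "-")
      }
      return out
    }
    function verdict(perm, entry) { print (index(perm, want) ? "allow " : "deny ") entry }
    BEGIN { mask = "rwx"; n = split(groups, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
      split($1, f, ":"); name = f[2]     # entry layout is type:name:perms
      if (f[1] == "mask") mask = f[3]
      else if (f[1] == "other") other = f[3]
      else if (f[1] == "user" && name == "") ownerperm = f[3]
      else if (f[1] == "user" && name == u) { named = f[3]; hasnamed = 1 }
      else if (f[1] == "group") {
        if (name == "") name = ogroup    # group:: is the owning group
        if (name in member) gentry[++ng] = $1
      }
    }
    END {
      if (u == owner) { verdict(ownerperm, "user::" ownerperm); exit }      # 1. owner, unmasked
      if (hasnamed) { verdict(masked(named), "user:" u ":" named); exit }   # 2. named user
      for (i = 1; i <= ng; i++) {                                           # 3. any matching group
        split(gentry[i], e, ":")
        if (index(masked(e[3]), want)) { print "allow " gentry[i]; exit }
      }
      if (ng > 0) { print "deny group-class"; exit }   # a group matched: no fall-through
      verdict(other, "other::" other)                  # 4. everyone else
    }'
}

# Constructed input: a subset of the entries in the "Permission denied" message
# for /fftest/CriticalData; user::, mask:: and other:: are read off drwxrwxr-x
# (with an ACL present, the group bits of the mode show the mask).
CRITICAL_ACL=$(printf '%s\n' '# owner: hadoop' '# group: ff' user::rwx \
  user:business:--- user:manager:rwx group::r-x group:appDev:--- \
  group:business:--- mask::rwx other::r-x)

printf '%s\n' "$CRITICAL_ACL" | acl_decide business business x
printf '%s\n' "$CRITICAL_ACL" | acl_decide manager TechMg x
printf '%s\n' "$CRITICAL_ACL" | acl_decide guest guest x   # hypothetical user with no entry
```

The third call shows that a user with no matching entry still gets through on other::r-x, so on this directory it is the explicit user:business:--- entry that blocks business, not the absence of a grant.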