The following examples illustrate how to define authorization rules that restrict access to requests matching each of the following conditions:

Only users in a specific group and from specific IP addresses
The following rule is restrictive: it allows only the guest user, and only when that user is in the admin group, to access WebHDFS from a system with the IP address 127.0.0.2 or 127.0.0.3:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>webhdfs.acl</name>
        <value>guest;admin;127.0.0.2,127.0.0.3</value>
    </param>
</provider>
When the acl.mode parameter is not defined, the default behavior is ALL (every field must match), so the following rule, which sets the mode explicitly to AND, is the same as the one above:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>webhdfs.acl.mode</name>
        <value>AND</value>
    </param>
    <param>
        <name>webhdfs.acl</name>
        <value>guest;admin;127.0.0.2,127.0.0.3</value>
    </param>
</provider>
Note: If guest is not in the admin group, the request is denied.
Two of the three conditions
The following rule demonstrates how to require two of the conditions, user and group but not IP address, by using a wildcard. The rule allows the guest user, when that user belongs to the admin group, to send requests from anywhere, because the IP address field contains an asterisk, which matches all IP addresses:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>webhdfs.acl</name>
        <value>guest;admin;*</value>
    </param>
</provider>
One of the three conditions
When the $service.acl.mode parameter is set to OR, the request only needs to match one entry in any one of the three fields. If no condition is met, the request fails with HTTP status 403 (unauthorized). The following example allows:

- guest to send requests to WebHDFS from anywhere.
- Any user in the admin group to send requests to WebHDFS from anywhere.
- Any user, in any group, to send a request to WebHDFS from 127.0.0.2 or 127.0.0.3.

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>webhdfs.acl.mode</name>
        <value>OR</value>
    </param>
    <param>
        <name>webhdfs.acl</name>
        <value>guest;admin;127.0.0.2,127.0.0.3</value>
    </param>
</provider>

Allow all requests
The following rule grants all users, in any group, from any IP address, access to WebHDFS.

Note: When a wildcard is used in a field it matches any value, so this Allow all requests example is the same as not defining an ACL at all:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>webhdfs.acl</name>
        <value>*;*;*</value>
    </param>
</provider>
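As an added example, not part of the original documentation and not the Knox project's own code, the following Python script models the AclsAuthz rule evaluation described in all four sections above (AND mode, wildcards, OR mode and the allow-all rule). It reads the $service.acl and $service.acl.mode params out of a provider snippet, splits the ACL into its users;groups;IP-addresses fields and decides constructed requests, returning the 403 the text describes for denied ones. It assumes exact string comparison of IP addresses and treats a missing acl.mode as AND (all fields must match); the provider XML and the request values are constructed for illustration.

```python
"""Model of Knox AclsAuthz rule evaluation (added example, not Knox's own code).

ACL format: "<users>;<groups>;<ip addresses>", each field comma-separated,
"*" matching any value.  acl.mode is AND (every field must match) or OR
(any one field matching is enough).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed provider snippet in the same shape as the page's OR-mode example.
PROVIDER_OR = """<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param><name>webhdfs.acl.mode</name><value>OR</value></param>
    <param><name>webhdfs.acl</name><value>guest;admin;127.0.0.2,127.0.0.3</value></param>
</provider>"""


def load_acl(provider_xml: str, service: str) -> tuple[str | None, str]:
    """Return (acl, mode) for a service from a <provider> element.

    A missing acl means no ACL is defined for the service; a missing mode is
    treated as AND, i.e. all conditions must match (assumption of this model).
    """
    root = ET.fromstring(provider_xml)
    params = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
              for p in root.findall("param")}
    return params.get(f"{service}.acl"), params.get(f"{service}.acl.mode", "AND")


def parse_acl(acl: str) -> tuple[set[str], set[str], set[str]]:
    """Split "users;groups;ips" into three sets of allowed values."""
    fields = acl.split(";")
    if len(fields) != 3:
        raise ValueError("ACL must have exactly three ';'-separated fields: users;groups;ips")
    return tuple({v.strip() for v in f.split(",") if v.strip()} for f in fields)


def _field_matches(allowed: set[str], candidates: Iterable[str]) -> bool:
    """A field matches when it holds the wildcard or any of the candidate values."""
    return "*" in allowed or any(c in allowed for c in candidates)


def is_authorized(acl: str | None, mode: str, user: str,
                  groups: Iterable[str], ip: str) -> bool:
    """Decide a request under the given ACL and mode.

    IP comparison is exact string matching (a simplification of this model).
    """
    if acl is None:  # no ACL defined for the service: nothing restricts access
        return True
    users, grps, ips = parse_acl(acl)
    checks = (
        _field_matches(users, [user]),
        _field_matches(grps, groups),
        _field_matches(ips, [ip]),
    )
    mode = mode.strip().upper()
    if mode == "AND":
        return all(checks)
    if mode == "OR":
        return any(checks)
    raise ValueError(f"unknown acl.mode {mode!r}: expected AND or OR")


def http_status(authorized: bool) -> int:
    """Authorized requests proceed; denied ones get the 403 described in the text."""
    return 200 if authorized else 403


if __name__ == "__main__":
    acl, mode = load_acl(PROVIDER_OR, "webhdfs")
    # Constructed requests: (user, groups, source IP address)
    for req in [("guest", [], "10.0.0.9"), ("alice", ["admin"], "10.0.0.9"),
                ("alice", [], "127.0.0.3"), ("alice", [], "10.0.0.9")]:
        ok = is_authorized(acl, mode, *req)
        print(f"{mode} {req} -> {http_status(ok)}")
```

Running the script shows that under OR mode the first three constructed requests each satisfy a single field and are allowed, while the last one matches nothing and gets 403; switching the snippet's mode to AND denies all four, since none of them match user, group and IP address at once.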