Hadoop Security Guide

Examples of Authorization

The following examples illustrate how to define authorization rule types to restrict access to requests matching:

  • Only users in a specific group and from specific IP addresses

    The following rule is restrictive. It only allows the guest user in the admin group to access WebHDFS from a system with the IP address of either 127.0.0.2 or 127.0.0.3:

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>webhdfs.acl</name>
            <value>guest;admin;127.0.0.2,127.0.0.3</value>
        </param>
    </provider>

    When the acl.mode parameter is not defined, the default behavior is ALL, meaning every field must match, so the following rule with acl.mode set to AND is the same as the one above:

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>webhdfs.acl.mode</name>
            <value>AND</value>
        </param>
        <param>
            <name>webhdfs.acl</name>
            <value>guest;admin;127.0.0.2,127.0.0.3</value>
        </param>
    </provider>
    Note: If guest is not in the admin group, the request is denied.

  • Two of the three conditions

    The following rule demonstrates how to require two of the three conditions, user and group but not IP address, by using a wildcard. It allows the guest user in the admin group to send requests from any address, because the IP field contains an asterisk, which matches all IP addresses:

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>webhdfs.acl</name>
            <value>guest;admin;*</value>
        </param>
    </provider>

  • One of the three conditions

    When the $service.acl.mode parameter is set to OR, the request only needs to match one entry in any one of the fields. If none of the conditions is met, the request fails with HTTP status 403 (not authorized).

    The following example allows:

    • guest to send requests to WebHDFS from anywhere.

    • Any user in the admin group to send requests to WebHDFS from anywhere.

    • Any user, in any group, to send a request to WebHDFS from 127.0.0.2 or 127.0.0.3.

      <provider>
          <role>authorization</role>
          <name>AclsAuthz</name>
          <enabled>true</enabled>
          <param>
              <name>webhdfs.acl.mode</name>
              <value>OR</value>
          </param>
          <param>
              <name>webhdfs.acl</name>
              <value>guest;admin;127.0.0.2,127.0.0.3</value>
          </param>
      </provider>

  • Allow all requests

    The following rule allows all users, in any group, from any IP address to access WebHDFS:

    Note: When a wildcard is used in a field, it matches any value. Therefore the "Allow all requests" example is the same as not defining an ACL at all.

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>webhdfs.acl</name>
            <value>*;*;*</value>
        </param>
    </provider>
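To make the matching semantics concrete, the following added example (not Knox's own code) models the webhdfs.acl rule evaluation described above, with the ";"-separated user, group and IP fields, ","-separated entries, the "*" wildcard and the AND/OR modes, and checks what each rule on this page permits. The request tuples it evaluates are constructed for illustration.

```python
# Added example (not Knox's own code): a small model of the AclsAuthz rule
# semantics described on this page, used to check what each rule permits.
# The ACL string is "users;groups;ips"; entries within a field are comma-separated,
# "*" matches anything, and acl.mode is AND (the default) or OR.

def parse_acl(acl):
    """Split 'users;groups;ips' into three sets of comma-separated entries."""
    fields = acl.split(";")
    if len(fields) != 3:
        raise ValueError("ACL must have exactly three ';'-separated fields")
    return [{e.strip() for e in f.split(",") if e.strip()} for f in fields]

def field_matches(allowed, actual):
    """A field matches if it contains '*' or any one of the request's values."""
    if "*" in allowed:
        return True
    return any(a in allowed for a in actual)

def is_authorized(acl, user, groups, ip, mode="AND"):
    """Return True if the request (user, groups, ip) passes the ACL."""
    users, grps, ips = parse_acl(acl)
    checks = [
        field_matches(users, [user]),
        field_matches(grps, groups),
        field_matches(ips, [ip]),
    ]
    mode = mode.upper()
    if mode == "AND":
        return all(checks)   # every field must match
    if mode == "OR":
        return any(checks)   # one matching field is enough
    raise ValueError("acl.mode must be AND or OR")

def http_status(authorized):
    """A denied request is answered with HTTP 403, as the page states."""
    return 200 if authorized else 403

if __name__ == "__main__":
    restrictive = "guest;admin;127.0.0.2,127.0.0.3"
    # Restrictive rule (AND): guest in admin from 127.0.0.2 is allowed ...
    print(is_authorized(restrictive, "guest", ["admin"], "127.0.0.2"))        # True
    # ... but guest outside the admin group is denied, as the note says.
    print(is_authorized(restrictive, "guest", ["users"], "127.0.0.2"))        # False
    # OR mode: any admin from anywhere, or anyone from 127.0.0.3.
    print(is_authorized(restrictive, "alice", ["admin"], "10.0.0.9", "OR"))  # True
    print(is_authorized(restrictive, "bob", ["users"], "127.0.0.3", "OR"))   # True
    print(http_status(is_authorized(restrictive, "bob", ["users"], "10.0.0.9", "OR")))  # 403
```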