Configuring coarse-grained authorization with ACLs

The coarse-grained authorization can be configured with the following two ACLs: the Superuser Access Control List and the User Access Control List. The Superuser ACL is the list of all the superusers that can access the cluster. User-level access can be controlled by using the User ACL. By default, all the users can access the clusters. But when you enable authentication using Kerberos, only the users who are able to authenticate successfully can access the cluster.

  1. Go to the Kudu service.
  2. Click the Configuration tab.
  3. Select Category > Security.
  4. In the Search field, type ACL to show the relevant properties.
  5. Edit the following properties according to your cluster configuration:
    Field Usage Notes
    Superuser Access Control List Add a comma-separated list of superusers who can access the cluster. By default, this property is left blank.

    '*' indicates that all authenticated users will be given superuser access.

    User Access Control List Add a comma-separated list of users who can access the cluster. By default, this property is set to '*'.

    The default value of '*' allows all users access to the cluster. However, if authentication is enabled, this will restrict access to only those users who are able to successfully authenticate using Kerberos. Unauthenticated users on the same network as the Kudu servers will be unable to access the cluster.

    Add the impala user to this list to allow Impala to query data in Kudu. You might choose to add any other relevant usernames if you want to give access to Spark Streaming jobs.

  6. Click Save Changes.