KMS ACL Syntax and Tips

You can specify ACL blacklist and whitelist entries for users only, for groups only, or for both users and groups.

Blacklist and Whitelist Syntax

The ACL syntax for both blacklist and whitelist entries is as follows:
  • Users only: user1,user2,userN

    There are no spaces following the commas separating the users in the list.

  • Groups only: nobody group1,group2,groupN

    There is a space between nobody and the comma-separated group list. The nobody user, if it exists, must not have privileges to log in to or interact with the system. If you are uncertain about its access privileges, specify a different nonexistent user in its place.

  • Users and Groups: user1,user2,userN group1,group2,groupN

    The comma-separated user list is separated from the comma-separated group list by a space.

Blocking User Access

If you wish to block access to an operation entirely, use a single space as the value, or use nonexistent user and group names (for example, 'NOUSERS NOGROUPS'). By doing this, you ensure that no user maps to that operation by default. Alternatively, you can restrict those operations to Key Administrators only by setting the value to the Keyadmin users and/or groups.
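The following is an added example, not part of this page and not Hadoop's own AccessControlList code. It models how an ACL value in the "users groups" syntax above is parsed and evaluated, and uses it to check the blocking values from this section: a single space, 'NOUSERS NOGROUPS', and a Keyadmin-only entry. The group mapping table is constructed for the example and stands in for the local Linux or LDAP group lookup; the '*' wildcard handled here is the one Hadoop ACLs accept, and is not described on this page. Note that an entry such as "nobody keyadmins" does grant the literal user nobody, which is why the text requires that nobody cannot interact with the system.

```python
# Added example: a model of KMS/Hadoop ACL evaluation for the
# "user1,user2 group1,group2" syntax. Illustrative code, not Hadoop's
# own AccessControlList implementation.
from dataclasses import dataclass

# Constructed group mapping; stands in for the Linux or LDAP group lookup
# the KMS consults at runtime.
GROUP_MAPPING = {
    "alice": {"keyadmins"},
    "bob": {"analysts"},
    "carol": {"analysts", "keyadmins"},
    "nobody": set(),
}


@dataclass(frozen=True)
class Acl:
    users: frozenset
    groups: frozenset
    allow_all: bool = False

    @classmethod
    def parse(cls, acl: str) -> "Acl":
        """Parse 'users groups': comma-separated users, one space,
        comma-separated groups. Either half may be absent."""
        # '*' is the Hadoop wildcard (assumption beyond this page): everyone allowed.
        if acl.strip() == "*":
            return cls(frozenset(), frozenset(), allow_all=True)
        # A blank value (e.g. " ") yields no users and no groups, so nobody matches.
        if not acl.strip():
            return cls(frozenset(), frozenset())
        # Split at most once: first field is the user list, the rest is the group list.
        parts = acl.strip().split(" ", 1)
        users = frozenset(u.strip() for u in parts[0].split(",") if u.strip())
        groups = frozenset()
        if len(parts) == 2:
            groups = frozenset(g.strip() for g in parts[1].split(",") if g.strip())
        return cls(users, groups)

    def permits(self, user: str, group_mapping=None) -> bool:
        """True if the user is named directly or belongs to any listed group."""
        mapping = GROUP_MAPPING if group_mapping is None else group_mapping
        if self.allow_all:
            return True
        if user in self.users:
            return True
        return bool(self.groups & mapping.get(user, set()))


def who_can(acl_value: str, candidates=("alice", "bob", "carol", "nobody")):
    """Return the sorted list of candidate users an ACL value permits."""
    acl = Acl.parse(acl_value)
    return sorted(u for u in candidates if acl.permits(u))


if __name__ == "__main__":
    for value in ["alice,bob", "nobody analysts", "alice keyadmins",
                  " ", "NOUSERS NOGROUPS", "*"]:
        print(repr(value), "->", who_can(value))
```

Running the block prints which constructed users each ACL value admits; the blank value and 'NOUSERS NOGROUPS' admit no one, while "nobody analysts" admits the analysts and, as the caveat in the text warns, the literal user nobody.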

Group Membership in KMS ACLs

The group membership used by ACL entries depends upon the configured group mapping mechanism for HDFS. By default, group membership is determined on the local Linux system running the KMS service. If you have configured HDFS to use LDAP for group mapping, then group membership for the ACL entries is determined using the configured LDAP settings.