KMS ACL Syntax and Tips
You can specify ACL blacklist and whitelist entries for users, groups, or both users and groups.
Blacklist and Whitelist Syntax
- Users only:
There are no spaces following the commas that separate the users in the list.
- Groups only:
There is a space between nobody and the comma-separated group list. The nobody user, if it exists, must not have privileges to log in to or interact with the system. If you are uncertain about its access privileges, specify a different, nonexistent user in its place.
- Users and Groups:
The comma-separated user list is separated from the comma-separated group list by a space.
Blocking User Access
To block access to an operation entirely, set its ACL to a blank value or to nonexistent users and groups (for example, 'NOUSERS NOGROUPS'). This ensures that no user maps to that operation by default. Alternatively, you can restrict those features to Key Administrators only by setting the value to Keyadmin users and/or groups.
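The following Python model shows how the syntax rules above (users first, comma-separated, then a single space, then comma-separated groups) and the blocking values are evaluated against a caller, and why a stray space after a comma silently breaks an entry. It is an added example, not Cloudera's or Hadoop's own code: the split rules are modelled on the description on this page, the '*' wildcard is the Hadoop ACL convention rather than something this page describes, and the user and group names are constructed for the demonstration.

```python
"""Model of KMS ACL entry parsing and whitelist/blacklist evaluation.

Added example; not Hadoop's AccessControlList itself. Assumptions:
  * the FIRST space separates the user list from the group list,
  * each list is comma-separated,
  * a value of '*' allows everyone (Hadoop ACL wildcard convention),
  * a caller is allowed when matched by the whitelist and not by the blacklist.
"""
from dataclasses import dataclass


def _csv(text):
    """Split a comma-separated list, dropping empty tokens."""
    return frozenset(tok.strip() for tok in text.split(",") if tok.strip())


@dataclass(frozen=True)
class AclEntry:
    users: frozenset
    groups: frozenset
    all_allowed: bool = False

    def matches(self, user, user_groups):
        """True if the caller (user plus mapped groups) is named by this entry."""
        if self.all_allowed:
            return True
        return user in self.users or any(g in self.groups for g in user_groups)


def parse_acl(value):
    """Parse '<users> <groups>' exactly once at the first space."""
    parts = value.split(" ", 1)
    users = _csv(parts[0])
    groups = _csv(parts[1]) if len(parts) == 2 else frozenset()
    wildcard = any(p.strip() == "*" for p in parts)
    return AclEntry(users, groups, all_allowed=wildcard)


def lint_acl(value):
    """Report syntax mistakes the page warns about, as a list of messages."""
    problems = []
    if ", " in value:
        problems.append("space after comma: text after the first space is read as groups")
    if len(value.split(" ")) > 2:
        problems.append("more than one space: only the first space separates users from groups")
    if value != value.strip():
        problems.append("leading or trailing whitespace shifts the user/group split")
    return problems


def has_access(whitelist_value, blacklist_value, user, user_groups):
    """Whitelist grants, blacklist overrides; blank values deny / block nobody."""
    allowed = parse_acl(whitelist_value).matches(user, user_groups)
    blocked = parse_acl(blacklist_value).matches(user, user_groups)
    return allowed and not blocked


if __name__ == "__main__":
    # Constructed sample entries, one per syntax form on this page.
    for entry in ("user1,user2,user3", "nobody group1,group2",
                  "user1,user2 group1,group2", "", "NOUSERS NOGROUPS",
                  "user1, user2 group1"):
        print(repr(entry), "->", parse_acl(entry), lint_acl(entry))
    # "alice" is granted via group1 by a correct entry, denied by a blank one,
    # and denied by the mistyped entry because "user2 group1" became one group name.
    print(has_access("user1,user2 group1,group2", "", "alice", ["group1"]))
    print(has_access("", "", "alice", ["group1"]))
    print(has_access("user1, user2 group1", "", "alice", ["group1"]))
```

Running the module prints each parsed entry with its lint findings; the mistyped value shows up with a single bogus group named "user2 group1", which is the failure mode the "no spaces after commas" rule prevents. The `user_groups` argument stands for whatever the configured HDFS group mapping (local system or LDAP) returns for the caller.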
Group Membership in KMS ACLs
The group membership used by ACL entries depends upon the configured group mapping mechanism for HDFS. By default, group membership is determined on the local Linux system running the KMS service. If you have configured HDFS to use LDAP for group mapping, then group membership for the ACL entries is determined using the configured LDAP settings.