ZooKeeper ACLs Best Practices: HDFS

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HDFS when provisioning a secure cluster.

  • ZooKeeper Usage:
    • hadoop-ha: Default ZNode for unsecured and secured clusters.

  • Default ACLs:

    • In an unsecured deployment, the default ACL is world: anyone: cdrwa

    • In a secured deployment, the default ACL is digest: hdfs-fcs: cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:

    • HDFS ZNodes are protected with digest authentication by default in a secure CDP cluster. You need not modify Zookeeper ACLs on HDFS ZNodes or alter any ACLs by hand.