HDFS Extended ACLs
HDFS supports POSIX Access Control Lists (ACLs), as well as the traditional POSIX permissions model already supported. ACLs control access of HDFS files by providing a way to set different permissions for specific named users or named groups. They enhance the traditional permissions model by allowing users to define access control for arbitrary combinations of users and groups instead of a single owner/user or a single group.
Enabling HDFS Access Control Lists
Enabling HDFS ACLs Using Cloudera Manager
- Go to the HDFS service.
- Click the Configuration tab.
- Select
- Select
- Locate the Enable Access Control Lists property and select its checkbox to enable HDFS ACLs.
- Click Save Changes to commit the changes.
Enabling HDFS ACLs Using the Command Line
To enable ACLs using the command line, set the dfs.namenode.acls.enabled property to true in the NameNode's hdfs-site.xml.
<property> <name>dfs.namenode.acls.enabled</name> <value>true</value> </property>
Commands
To set and get file access control lists (ACLs), use the file system shell commands, setfacl and getfacl.
getfacl
hdfs dfs -getfacl [-R] <path> <!-- COMMAND OPTIONS <path>: Path to the file or directory for which ACLs should be listed. -R: Use this option to recursively list ACLs for all files and directories. -->
<!-- To list all ACLs for the file located at /user/hdfs/file --> hdfs dfs -getfacl /user/hdfs/file <!-- To recursively list ACLs for /user/hdfs/file --> hdfs dfs -getfacl -R /user/hdfs/file
setfacl
hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>] <!-- COMMAND OPTIONS <path>: Path to the file or directory for which ACLs should be set. -R: Use this option to recursively list ACLs for all files and directories. -b: Revoke all permissions except the base ACLs for user, groups and others. -k: Remove the default ACL. -m: Add new permissions to the ACL with this option. Does not affect existing permissions. -x: Remove only the ACL specified. <acl_spec>: Comma-separated list of ACL permissions. --set: Use this option to completely replace the existing ACL for the path specified. Previous ACL entries will no longer apply. -->
Examples:
<!-- To give user ben read & write permission over /user/hdfs/file --> hdfs dfs -setfacl -m user:ben:rw- /user/hdfs/file <!-- To remove user alice's ACL entry for /user/hdfs/file --> hdfs dfs -setfacl -x user:alice /user/hdfs/file <!-- To give user hadoop read & write access, and group or others read-only access --> hdfs dfs -setfacl --set user::rw-,user:hadoop:rw-,group::r--,other::r-- /user/hdfs/file
For more information on using HDFS ACLs, see the HDFS Permissions Guide on the Apache website.
HDFS Extended ACL Example
- Make the files and sub-directories created within the content directory readable by team "hadoopdev":
$ hdfs dfs -setfacl -m group:hadoopdev:r-x /project
- Set the default ACL setting for the parent directory:
$ hdfs dfs -setfacl -m default:group:hadoopdev:r-x /project
- Create a sub-directory for the content you wish to share:
$ hdfs dfs -mkdir /project/dev
- Inspect the new sub-directory ACLs to verify that HDFS has applied the new default values:
$ hdfs dfs -getfacl -R /project file: /project owner: alice group: appdev user::rwx group::r-x other::r-x default:user::rwx default:group::r-x default:group:hadoopdev:r-x default:mask::r-x default:other::r-x file: /project/dev owner: alice group: appdev user::rwx group::r-x group:hadoopdev:r-x mask::r-x other::r-x default:user::rwx default:group::r-x default:group:hadoopdev:r-x default:mask::r-x default:other::r-x