Enabling HDFS Extended ACLs
As of CDH 5.1, HDFS supports POSIX Access Control Lists (ACLs) in addition to the traditional POSIX permissions model (owner, group, and other permission bits). ACLs provide fine-grained control of permissions for HDFS files and directories by letting you grant different permissions to specific named users or named groups beyond the owner and the owning group. A file or directory that carries an ACL is shown with a + after its permission bits in hdfs dfs -ls output.
Enabling ACLs
By default, ACLs are disabled on a cluster, and the NameNode rejects setfacl requests with an error stating that ACL support has been disabled. To enable them, set the dfs.namenode.acls.enabled property to true in the NameNode's hdfs-site.xml and restart the NameNode. ACLs, like the basic permission bits, are only enforced when HDFS permission checking is on (dfs.permissions.enabled, true by default), and they only restrict anything meaningful when the cluster authenticates users with Kerberos; with simple authentication a client can present any username it likes.
<property>
  <name>dfs.namenode.acls.enabled</name>
  <value>true</value>
</property>
Commands
You can use the File System Shell commands setfacl and getfacl to modify and retrieve the ACLs of files and directories.
getfacl
hdfs dfs -getfacl [-R] <path>
Options:
<path>: Path to the file or directory whose ACL should be listed.
-R: Recursively list the ACLs of all files and directories under <path>.
Examples:
To list the ACL of the file /user/hdfs/file:
hdfs dfs -getfacl /user/hdfs/file
To recursively list ACLs for /user/hdfs/file (and, if it is a directory, for everything under it):
hdfs dfs -getfacl -R /user/hdfs/file
setfacl
hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>]
Options:
<path>: Path to the file or directory whose ACL should be set.
-R: Recursively apply the operation to all files and directories under <path>.
-b: Remove all extended ACL entries; only the base entries for the owner, the owning group, and others are retained.
-k: Remove the default ACL (the entries a directory passes on to newly created children).
-m: Add new entries to the ACL or modify existing ones. Entries not named in <acl_spec> are left unchanged.
-x: Remove only the entries named in <acl_spec>. Permissions are omitted from the entries (for example, user:alice).
<acl_spec>: Comma-separated list of ACL entries of the form [default:]user|group|other|mask:[name]:permissions, where name is empty for the owner, owning group, other, and mask entries (for example, user:ben:rw- or group::r--).
--set: Completely replace the existing ACL for the path specified. Previous ACL entries no longer apply, so <acl_spec> must itself include the base entries for the owner (user::), the owning group (group::), and others (other::).
Note that once an ACL contains named entries, the group permission bits shown by ls and changed by chmod represent the mask entry, which caps the effective permissions of every named user, named group, and the owning group. getfacl flags entries reduced in this way with #effective:.
Examples:
To give user ben read and write permission on /user/hdfs/file:
hdfs dfs -setfacl -m user:ben:rw- /user/hdfs/file
To remove user alice's ACL entry from /user/hdfs/file:
hdfs dfs -setfacl -x user:alice /user/hdfs/file
To replace the whole ACL so that the owner and user hadoop have read and write access and the owning group and others have read-only access (the owner's user:: entry is required with --set):
hdfs dfs -setfacl --set user::rw-,user:hadoop:rw-,group::r--,other::r-- /user/hdfs/file
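As an added example (not part of this page or of Hadoop), the following POSIX shell script audits the output of hdfs dfs -getfacl -R for the three things a reviewer usually wants to know: paths that are world-writable, named users or groups with effective write access, and entries whose granted permissions are silently reduced by the mask (the #effective: annotation). The sample input is constructed here to resemble getfacl output from a small tree, and audit_hdfs_acls and sample_getfacl are hypothetical names. Because the audit only reads stdin, it can be run offline against saved output or, on a cluster, as hdfs dfs -getfacl -R /user | audit_hdfs_acls.

```shell
#!/bin/sh
# audit_hdfs_acls - flag risky entries in `hdfs dfs -getfacl -R` output.
# Added example; not a Hadoop or Cloudera tool. Reads getfacl output on stdin
# and writes one finding per line on stdout. Only access entries are checked;
# "default:" entries (inherited by new children of a directory) are skipped.
audit_hdfs_acls() {
  awk '
    # getfacl prints permissions as rwx triplets; convert to 0..7 and back
    function to_bits(p) { return (substr(p,1,1)=="r")*4 + (substr(p,2,1)=="w")*2 + (substr(p,3,1)=="x") }
    function to_perm(b) { return (b>=4?"r":"-") (b%4>=2?"w":"-") (b%2?"x":"-") }
    # bitwise AND on 0..7 without the gawk-only and() builtin
    function band(a, b,  r, bit) {
      r = 0
      for (bit = 4; bit >= 1; bit /= 2) { if (a >= bit && b >= bit) r += bit; a %= bit; b %= bit }
      return r
    }
    # emit findings for the path collected so far, then reset state
    function report(  tag, eff) {
      if (path == "") return
      if (!hasmask) mask = 7                  # no mask entry: group class is unmasked
      for (tag in gclass) {
        eff = band(gclass[tag], mask)          # the mask caps every group-class entry
        if (eff != gclass[tag])
          printf "MASKED %s %s granted %s effective %s\n", path, tag, to_perm(gclass[tag]), to_perm(eff)
        if (tag != "group:" && band(eff, 2))   # named user or named group with effective write
          printf "NAMED-WRITE %s %s effective %s\n", path, tag, to_perm(eff)
      }
      if (band(other, 2)) printf "WORLD-WRITABLE %s other::%s\n", path, to_perm(other)
      split("", gclass); path = ""; hasmask = 0; other = 0
    }
    /^# file: / { report(); path = substr($0, 9); next }
    /^#/ || /^$/ || /^default:/ { next }      # owner/group header, separators, default ACL
    {
      sub(/[ \t]*#.*$/, "")                    # drop the "#effective:..." annotation
      split($0, f, ":")                        # type : name : perms
      if (f[1] == "mask")        { mask = to_bits(f[3]); hasmask = 1 }
      else if (f[1] == "other")  { other = to_bits(f[3]) }
      else if (f[1] == "group" || (f[1] == "user" && f[2] != ""))
        gclass[f[1] ":" f[2]] = to_bits(f[3])  # owning group, named users, named groups
      # user:: (the owner) is never masked, so it is not audited here
    }
    END { report() }
  '
}

# Constructed sample of `hdfs dfs -getfacl -R /user/hdfs` output (not captured
# from a real cluster). q1.csv shows the gotcha: ben was granted rw- but the
# mask (the file group bits, for example after a chmod g-w) caps him at r--.
sample_getfacl() {
  cat <<'EOF'
# file: /user/hdfs/reports
# owner: hdfs
# group: analysts
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---

# file: /user/hdfs/reports/q1.csv
# owner: hdfs
# group: analysts
user::rw-
user:ben:rw-    #effective:r--
group::r--
group:auditors:r--
mask::r--
other::r--

# file: /user/hdfs/shared/scratch.txt
# owner: hdfs
# group: supergroup
user::rw-
user:ben:rw-
group::rw-
mask::rw-
other::rw-
EOF
}

# Stand-alone demo: three findings, one MASKED and two on scratch.txt
sample_getfacl | audit_hdfs_acls
```

The script deliberately ignores the owner's user:: entry, because the mask never applies to the owner; everything in the group class (owning group, named users, named groups) is ANDed with the mask before being judged, which is exactly what the NameNode does at access time.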
More details about using this feature can be found in the ACLs section of the Apache Hadoop HDFS Permissions Guide.