Enabling HDFS Extended ACLs
As of CDH 5.1, HDFS supports POSIX Access Control Lists (ACLs), as well as the traditional POSIX permissions model already supported. ACLs control access of HDFS files by providing a way to set different permissions for specific named users or named groups.
<property> <name>dfs.namenode.acls.enabled</name> <value>true</value> </property>
To set and get file access control lists (ACLs), use the file system shell commands, setfacl and getfacl.
hdfs dfs -getfacl [-R] <path> <!-- COMMAND OPTIONS <path>: Path to the file or directory for which ACLs should be listed. -R: Use this option to recursively list ACLs for all files and directories. -->
<!-- To list all ACLs for the file located at /user/hdfs/file --> hdfs dfs -getfacl /user/hdfs/file <!-- To recursively list ACLs for /user/hdfs/file --> hdfs dfs -getfacl -R /user/hdfs/file
hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>] <!-- COMMAND OPTIONS <path>: Path to the file or directory for which ACLs should be set. -R: Use this option to recursively list ACLs for all files and directories. -b: Revoke all permissions except the base ACLs for user, groups and others. -k: Remove the default ACL. -m: Add new permissions to the ACL with this option. Does not affect existing permissions. -x: Remove only the ACL specified. <acl_spec>: Comma-separated list of ACL permissions. --set: Use this option to completely replace the existing ACL for the path specified. Previous ACL entries will no longer apply. -->
<!-- To give user ben read & write permission over /user/hdfs/file --> hdfs dfs -setfacl -m user:ben:rw- /user/hdfs/file <!-- To remove user alice's ACL entry for /user/hdfs/file --> hdfs dfs -setfacl -x user:alice /user/hdfs/file <!-- To give user hadoop read & write access, and group or others read-only access --> hdfs dfs -setfacl --set user::rw-,user:hadoop:rw-,group::r--,other::r-- /user/hdfs/file
More details about using this feature can be found in the HDFS Permissions Guide on the Apache website.