HDFS - Permissions (Authorization)

About

What is Authorization (AuthZ)? Identity and Access Management in HDFS

Articles Related

Method

A user authorization is defined through one of the below method:

• POSIX style permissions/HDFS ACLs
• or Apache Ranger
• Apache Knox (Authentication Services)

Permission are disabled by default.

Management

Enable

dfs.permissions.enabled If “true”, enable permission checking in HDFS. If “false”, permission checking is turned off, but all other behavior is unchanged. Switching from one parameter value to the other does not change the mode, owner or group of files or directories.

hdfs getconf -confKey dfs.permissions.enabled

false

Admin

Group

dfs.permissions.superusergroup The name of the group of super-users. The value should be a single group name.

hdfs getconf -confKey dfs.permissions.superusergroup

hdfs

Users

dfs.cluster.administrators ACL for the admins, this configuration is used to control which user can access the default servlets in the namenode, etc.

Value Syntax:

• The value should be a comma separated list of users and groups.

[user1,user2,...userN] [group1,group2,...groupN]

where:

• The user list comes first
• The user and group list are separated by a space
• Users and groups are optional
• * grants access to all users and groups, e.g. *, * and * are all valid.

Example:

• user1,user2 group1,group2.
• user1, group1, , user1 group1, user1,user2 group1,group2 are all valid

Documentation / Reference

• Hdfs Permission Guide