Configuring access control lists in Hadoop
The ACLs are configured in the hadoop-policy.xml file, which is located under
Hadoop's configuration directory. If Cloudera Manager was used to set up CDH on your
cluster, you should see this configuration file under the
/opt/cloudera/parcels/<CDH VERSION>/etc/hadoop/conf.dist directory.
On the cluster used for the examples in this topic, the file is in the
/opt/cloudera/parcels/CDH-5.0.1-1.cdh5.0.1.p0.47/etc/hadoop/conf.dist directory.
The hadoop-policy.xml file consists of name and value pairs for each of the properties.
The value is specified as a comma-separated list of users followed by a comma-separated
list of groups. The user list and the group list are separated by a single space.
For example, the following value represents an access control list for the users rohit and
mark and for the groups scientist and miners:
<value>rohit,mark scientist,miners</value>
By default the value is *, which stands for universal access to a service.
The following are a few of the properties:

security.client.protocol.acl: This property defines the access control
list for the ClientProtocol interface that is used in user code for job submission.
Only the list of users configured in this property will be allowed to talk to the
cluster as a distributed filesystem client.

security.client.datanode.protocol.acl: This property defines the
access control list for the client to datanode protocol that is used for communication
between the client and the datanodes to retrieve data blocks. Only the list of
users configured in this property will be allowed to recover blocks from the datanode.

security.datanode.protocol.acl: This property defines the access control
list that the datanodes use to communicate with the namenode. Only the list of
users configured in this property will be allowed to start the datanodes, which will
have access to the namenode.
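
The following Python check is an added example, not part of the original text: it reads a hadoop-policy.xml document, splits each ACL value into users and groups in the format described above, and reports properties left at the universal-access default or written with stray spaces. The sample policy and the function names parse_acl and audit_policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not taken from a real cluster).
SAMPLE_POLICY = """<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>rohit,mark scientist,miners</value>
  </property>
  <property>
    <name>security.client.datanode.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.datanode.protocol.acl</name>
    <value>rohit, mark scientist, miners</value>
  </property>
</configuration>"""


def parse_acl(value):
    """Split 'user1,user2 group1,group2' into its user and group lists."""
    if value.strip() == "*":
        return {"wildcard": True, "users": [], "groups": [], "malformed": False}
    users, _, groups = value.partition(" ")  # first space separates the lists
    user_list = users.split(",") if users else []
    group_list = groups.split(",") if groups else []
    # A second space or an empty entry means the lists will not split as intended.
    malformed = " " in groups or "" in user_list or "" in group_list
    return {"wildcard": False, "users": user_list,
            "groups": group_list, "malformed": malformed}


def audit_policy(xml_text):
    """Map each *.acl property to 'universal access', 'malformed' or 'restricted'."""
    findings = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.endswith(".acl"):
            continue
        acl = parse_acl(prop.findtext("value") or "")
        if acl["wildcard"]:
            findings[name] = "universal access"
        elif acl["malformed"]:
            findings[name] = "malformed"
        else:
            findings[name] = "restricted"
    return findings


if __name__ == "__main__":
    for name, status in audit_policy(SAMPLE_POLICY).items():
        print(f"{name}: {status}")
```

Hadoop enforces these service-level ACLs only when hadoop.security.authorization is set to true in core-site.xml.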