Configuring Access Control

This section describes how to configure access control permissions for files and directories in order to improve access security.

Procedure

  1. Choose Resources > Access > Account.
  2. Click the name of the desired account. On the page that is displayed, click the Protocol tab and select HDFS Service.
  3. In the Access Control area, click Modify.

    The Modify Access Control page is displayed on the right.

  4. Select an authentication mode.

    • Security: The security level is high. Authentication is performed by a third-party Kerberos service.
      1. (Optional) In Super User Certificate, select the super user certificate (a .keytab file) and click Upload to upload it.
      2. (Optional) In Kerberos Configuration, select the Kerberos configuration file (a .conf file) and click Upload to upload it.
    • Simple: The security level is low. Authentication is performed on the host node only.

      Super User Certificate and Kerberos Configuration are used in Security mode and are not required in Simple mode.

  5. In the Basic Configuration area, set the basic information. Table 1 describes related parameters.

    Table 1 Basic parameters

    Parameter: Token Authentication
    Description: Whether to enable token authentication. After token authentication is enabled, the token carries user information, which is used to authenticate users in service operations such as data download.

    Parameter: UMASK
    Description: UMASK applied when a file or directory is created; it controls the default permissions. If this parameter is left blank, files and directories can be read and written.
    NOTE: The UMASK is a three-digit octal number.

    Parameter: Super User Group
    Description: Name of the super user group. The super user group has all operation permissions on the namespace.
    [Value range]
    • The name contains 1 to 64 characters.
    • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-).

    Parameter: Mapping Rule
    Description: Rule for mapping a Kerberos principal to a local user name. The following two formats are supported:
    1. RULE:[n:string](regexp)s/pattern/replacement/
      • n: the expected number of components in the principal, which can be 1 or 2.
      • string: extracts components from the principal to form a short name. $0 indicates the realm, $1 the first component, and $2 the second component.
      • (regexp): a regular expression matched against the short name produced by [n:string]. The s/pattern/replacement/ step is executed only when the match succeeds.
      • s/pattern/replacement/: a sed-style replacement command, where pattern is the field to be replaced and replacement is the replacement text.
      NOTE: Multiple mapping rules can be configured. The principal is matched against each rule from top to bottom. If a rule does not match, the next one is tried.
    2. DEFAULT: the default rule, which outputs the first component of the principal as the short name.
    [Example]
    RULE:[1:$1@$0](hdfs@EXAMPLE.COM)s/.*/hdfs/

    Parameter: RPC Encryption Mode
    Description: RPC encryption mode. Possible options are authentication (authenticate only), integrity (authenticate and protect message integrity), and privacy (authenticate, protect integrity, and encrypt the traffic).
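To show how the mapping rules in Table 1 are evaluated, here is an added Python example (not part of this product's documentation or code) that implements the RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT semantics described above. The rule list, the principals and the local realm EXAMPLE.COM are constructed sample data; the realm check on DEFAULT and the sed-style first-match-only replacement are assumptions about the mapping behaviour.

```python
import re

# Constructed sample rule list in the RULE:[n:string](regexp)s/pattern/replacement/ format, ending with DEFAULT.
SAMPLE_RULES = [
    "RULE:[1:$1@$0](hdfs@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.COM"  # assumed local realm; DEFAULT is applied only to principals in it

RULE_RE = re.compile(r"^RULE:\[(\d):([^\]]+)\]\((.*)\)s/(.*?)/(.*?)/$")


def split_principal(principal):
    """Split 'user/host@REALM' into (components, realm)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the short name if this rule applies to the principal, else None."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT outputs the first component, for principals in the local realm.
        return components[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed rule: " + rule)
    n, fmt, regexp, pattern, replacement = m.groups()
    if len(components) != int(n):
        return None  # rule expects a different number of components
    # Build the short name: $0 is the realm, $1/$2 the first/second component.
    short = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        short = short.replace("$%d" % i, comp)
    if not re.fullmatch(regexp, short):
        return None  # regexp did not match: skip to the next rule
    # sed-style s/pattern/replacement/ without a g flag replaces the first match only.
    return re.sub(pattern, replacement, short, count=1)


def map_principal(rules, principal):
    """Try rules top to bottom; return the first short name, or None if no rule matches."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for p in ["hdfs@EXAMPLE.COM", "nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"]:
        print(p, "->", map_principal(SAMPLE_RULES, p))
```

A principal from a realm other than the local one falls through every rule and maps to nothing, which is the safe outcome for an unknown identity.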

  6. Set proxy users.

    1. Click Add.
    2. Set the proxy user parameters. Table 2 describes them.
      Table 2 Proxy user parameters

      Parameter: Proxy User
      Description: Name of a proxy user.
      [Value range]
      • The name contains 1 to 64 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-).

      Parameter: Host
      Description: IP address(es) of the host(s) from which the proxy user is accepted.
      [Value range]
      • The value contains one or more IPv4 addresses separated by commas (,). You can enter an asterisk (*) to represent all IPv4 addresses.
      • Host, User Group, and User cannot be left blank at the same time.

      Parameter: User Group
      Description: Name(s) of the user group(s) the proxy user may act on behalf of.
      [Value range]
      • The name contains 0 to 1023 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-). The value can contain one or more user group names separated by commas (,). You can enter an asterisk (*) to represent all user groups.
      • Host, User Group, and User cannot be left blank at the same time.

      Parameter: User
      Description: Name(s) of the user(s) the proxy user may act on behalf of.
      [Value range]
      • The name contains 0 to 1023 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-). The value can contain one or more user names separated by commas (,). You can enter an asterisk (*) to represent all users.
      • Host, User Group, and User cannot be left blank at the same time.
    3. (Optional) Click Remove to remove a proxy user.
    4. (Optional) Click Add to add a proxy user.

  7. Click OK.