Configuring Access Control

This operation enables you to configure access control permissions for files and directories to improve access security.

Procedure

  1. Choose Services > HDFS Service > Account.
  2. Click More on the right of the desired account and select Manage Access Control.

    The Modify Access Control page is displayed on the right.

    You can also click the name of the desired account, click the Access Control tab on the General page, and click Modify.

  3. Select an authentication mode.

    • Security: The security level is high. The third-party Kerberos is used for verification.
      1. (Optional) In Super User Certificate, select the super user certificate (in the format of .keytab) and click Upload to upload it.
      2. (Optional) In Kerberos Configuration, select the Kerberos configuration file (in the format of .conf) and click Upload to upload it.
    • Simple: The security level is low. The verification is performed on the host node.

      Super User Certificate and Kerberos Configuration are used in Security mode and are not required in Simple mode.

  4. In the Basic Configuration area, set basic information. Table 1 describes related parameters.

    Table 1 Basic parameters

    Parameter

    Description

    Token Authentication

    Indicates whether to enable token authentication.

    After token authentication is enabled, the token carries user information, which is used to authenticate users in service operations, such as data download.

    UMASK

    Indicates the UMASK used for creating a file or directory, which is used to control the default permission. If this parameter is left blank, files and directories can be read and write.

    NOTE:

    The value is a three-digit octal digit.

    Super User Group

    Indicates the name of the super user group. The super user group has all operation permissions of namespaces.

    [Value range]

    • The name contains 1 to 64 characters.
    • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-).

    Mapping Rule

    Indicates the mapping rules from Kerberos to local users.

    The following two formats are supported:
    1. RULE:[n:string](regexp)s/pattern/replacement/
      • n: indicates the expected number of components in the principal. The value can be 1 or 2.
      • string: extracts some components from the principal to form a short name. $0 indicates realm, $1 indicates the first component, and $2 indicates the second component.
      • (regexp): indicates a regular expression used to match the short name in [n:string]. The next rule is executed only when the matching is successful.
      • s/pattern/replacement/: indicates the sed replacement command, where pattern is the field that needs to be replaced, and replacement is the replacement field.
      NOTE:

      Multiple mapping rules can be configured. The principal matches each rule from top to bottom. If a rule does not match, it skips to the next one.

    2. DEFAULT: indicates the default rule, which outputs the first component of the principal as a short name by default.

    [Example]

    RULE:[1:$1@$0](hdfs@EXAMPLE.COM)s/.*/hdfs/

    RPC Encryption Mode

    Indicates the RPC encryption mode.

    Possible options are authentication, integrity, and privacy.

  5. Set proxy users.

    1. Click Add.
    2. Table 2 describes related parameters.
      Table 2 Proxy user parameters

      Parameter

      Description

      Proxy User

      Indicates the name of a proxy user.

      [Value range]

      • The name contains 1 to 64 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), periods (.), and cannot start with a hyphen (-).

      Host

      Indicates a host IP address.

      [Value range]

      • The value contains one or more IPv4 addresses separated by commas (,). You can enter an asterisk (*) to represent all IPv4 addresses.
      • Host, User Group, and User cannot be left blank at the same time.

      User Group

      Indicates a host group name.

      [Value range]

      • The name contains 0 to 1032 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-). The value can contain one or more user group names separated by commas (,). You can enter an asterisk (*) to represent all user groups.
      • Host, User Group, and User cannot be left blank at the same time.

      User

      Indicates a user name.

      [Value range]

      • The name contains 0 to 1032 characters.
      • The name can contain letters, digits, hyphens (-), underscores (_), and periods (.), and cannot start with a hyphen (-). The value can contain one or more user names separated by commas (,). You can enter an asterisk (*) to represent all users.
      • Host, User Group, and User cannot be left blank at the same time.
    3. (Optional) Click Remove to remove a proxy user.
    4. (Optional) Click Add to add a proxy user.

  6. Click OK.
Parent topic: Configuring and Managing Accounts