HDFS security based on Linux users
Hadoop has supported HDFS ACLs since version 2.4.0, and the feature is also included in CDH 5.0.
1. Configuration
<property>
  <name>dfs.namenode.acls.enabled</name>
  <value>true</value>
</property>
<!-- Superuser group (or user) for HDFS ACL permissions; dfs.permissions.supergroup is the older name of dfs.permissions.superusergroup -->
<property>
  <name>dfs.permissions.supergroup</name>
  <value>hadoop</value>
</property>
<!-- Whether permission checking is enabled in HDFS -->
<property>
  <name>dfs.permissions.enabled</name>
  <value>true</value>
</property>
2. Testing
Options of the hadoop fs -setfacl command
-setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>]: Sets Access Control Lists (ACLs) of files and directories.
Options:
-b :Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits.
-k :Remove the default ACL.
-R :Apply operations to all files and directories recursively.
-m :Modify ACL. New entries are added to the ACL, and existing entries are retained.
-x :Remove specified ACL entries. Other ACL entries are retained.
--set :Fully replace the ACL, discarding all existing entries. The <acl_spec> must include entries for user, group, and others for compatibility with permission bits.
<acl_spec>: Comma separated list of ACL entries.
<path>: File or directory to modify.
Options of the hadoop fs -getfacl command
-R: List the ACLs of all files and directories recursively.
<path>: File or directory to list.
- Query permissions
[hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:rwx
group::r-x
mask::rwx
other::r-x
Adding -R lists the ACLs of all files under the path.
- Set ACL permissions for a user
[hadoop@hadoop001 ~]$ hadoop fs -setfacl -m user:zwf:r-- /acl
[hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:r--
group::r-x
mask::r-x
other::r-x
- Set permissions for a group
[hadoop@hadoop001 ~]$ hadoop fs -setfacl -m group:zwf:rw- /acl
[hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:r--
group::r-x
group:zwf:rw-
mask::rwx
other::r-x
- Remove an ACL entry
[hadoop@hadoop001 ~]$ hadoop fs -setfacl -x group:zwf /acl
[hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:r--
group::r-x
group:root:r--
mask::r-x
other::r-x
For other operations, consult the options listed above and try them out.
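The mask:: line in the listings above changes every time an entry is added or removed. As an added example (not part of the original post), the Python code below parses `hadoop fs -getfacl` output, recomputes the mask as the union of the entries it filters, and reports the permission each entry effectively grants. It assumes the POSIX-style mask semantics that HDFS documents; the function names are hypothetical and the sample input is copied from the listing above.

```python
# Constructed sample: the /acl listing shown after `-setfacl -m group:zwf:rw-`.
SAMPLE = """\
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:r--
group::r-x
group:zwf:rw-
mask::rwx
other::r-x
"""

def _filtered(etype, name):
    # The mask applies to named users, the owning group and named groups.
    return etype == "group" or (etype == "user" and name != "")

def parse_getfacl(text):
    """Return (header dict, [(type, name, perms)]) for the access ACL."""
    meta, entries = {}, []
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop trailing comment, if any
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):  # skip default ACL
            etype, name, perms = line.split(":")
            entries.append((etype, name, perms))
    return meta, entries

def recalc_mask(entries):
    """Union of all entries the mask filters (assumed -m/-x behaviour)."""
    bits = {c for t, n, p in entries if _filtered(t, n) for c in p if c != "-"}
    return "".join(c if c in bits else "-" for c in "rwx")

def effective(entries):
    """Permissions actually granted per entry once the mask is applied."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = {}
    for etype, name, perms in entries:
        if etype == "mask":
            continue
        if _filtered(etype, name):
            perms = "".join(a if a == b else "-" for a, b in zip(perms, mask))
        out[f"{etype}:{name}"] = perms
    return out

if __name__ == "__main__":
    for entry, perms in effective(parse_getfacl(SAMPLE)[1]).items():
        print(entry, perms)
```

If the mask is narrowed (for example to r--), user:zwf, group:: and group:zwf are all capped at r--, while user:: and other:: are unaffected.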