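Security management for HDFS, Hive, YARN and HBase based on system users

HDFS security based on Linux users

Hadoop has supported HDFS ACLs since version 2.4.0, and CDH 5.0 also integrates this feature.

1. Configuration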

<property>
	<name>dfs.namenode.acls.enabled</name>
	<value>true</value>
</property>

<!-- Set the superuser group or user for HDFS ACL permissions
     (deprecated key name; current releases call it dfs.permissions.superusergroup) -->
<property>
	<name>dfs.permissions.supergroup</name>
	<value>hadoop</value>
</property>

<!-- Whether to enable permission checking in HDFS. -->
<property>
	<name>dfs.permissions.enabled</name>
	<value>true</value>
</property>

2. Testing

hadoop fs -setfacl command parameters

-setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>]: Sets Access Control Lists (ACLs) of files and directories.
Options:
-b :Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits.
-k :Remove the default ACL.
-R :Apply operations to all files and directories recursively.
-m :Modify ACL. New entries are added to the ACL, and existing entries are retained.
-x :Remove specified ACL entries. Other ACL entries are retained.
--set :Fully replace the ACL, discarding all existing entries. The <acl_spec> must include entries for user, group, and others for compatibility with permission bits.
<acl_spec>: Comma separated list of ACL entries.
<path>: File or directory to modify.

hadoop fs -getfacl command parameters

-getfacl [-R] <path>: Displays the Access Control Lists (ACLs) of files and directories. If a directory has a default ACL, then getfacl also displays the default ACL.
-R: List the ACLs of all files and directories recursively.
<path>: File or directory to list.
  • Query permissions
    [hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
    # file: /acl
    # owner: hadoop
    # group: hadoop
    user::rwx
    user:zwf:rwx
    group::r-x
    mask::rwx
    other::r-x
    Adding -R lists the ACLs of all files under the path.
  • Set a user's ACL permissions
    [hadoop@hadoop001 ~]$ hadoop fs -setfacl -m user:zwf:r-- /acl
    [hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
    # file: /acl
    # owner: hadoop
    # group: hadoop
    user::rwx
    user:zwf:r--
    group::r-x
    mask::r-x
    other::r-x
  • Set group permissions
    [hadoop@hadoop001 ~]$ hadoop fs -setfacl -m group:zwf:rw- /acl
    [hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
    # file: /acl
    # owner: hadoop
    # group: hadoop
    user::rwx
    user:zwf:r--
    group::r-x
    group:zwf:rw-
    mask::rwx
    other::r-x
  • Remove an ACL entry
    [hadoop@hadoop001 ~]$ hadoop fs -setfacl -x group:zwf /acl
    [hadoop@hadoop001 ~]$ hadoop fs -getfacl /acl
    # file: /acl
    # owner: hadoop
    # group: hadoop
    user::rwx
    user:zwf:r--
    group::r-x
    group:root:r--
    mask::r-x
    other::r-x

For the remaining options, check the parameter list above and try them out.
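The mask line in the outputs above moves from rwx to r-x and back to rwx because HDFS recomputes it on every -m that does not supply a mask. The Python sketch below is an added example, not code from the original post or from Hadoop: it parses getfacl output, reproduces that recalculation, and derives the effective permissions a mask leaves. All function names are hypothetical.

```python
from functools import reduce

# First `hadoop fs -getfacl /acl` output shown on this page, embedded to run offline.
FIRST_OUTPUT = """\
# file: /acl
# owner: hadoop
# group: hadoop
user::rwx
user:zwf:rwx
group::r-x
mask::rwx
other::r-x
"""

def perms_or(a, b):
    return "".join(c if c in a or c in b else "-" for c in "rwx")
def perms_and(a, b):
    return "".join(c if c in a and c in b else "-" for c in "rwx")

def parse_getfacl(text):
    """Return {path: {(type, name): perms}} for access (non-default) entries."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop any "#effective:" suffix
        if line.startswith("# file:"):
            cur = acls.setdefault(line[len("# file:"):].strip(), {})
        elif line and not line.startswith(("#", "default:")) and cur is not None:
            kind, name, perms = line.split(":")
            cur[(kind, name)] = perms
    return acls

def in_group_class(key):  # named users and all group entries are limited by the mask
    return key[0] == "group" or (key[0] == "user" and key[1] != "")

def modify(acl, spec):
    """Simulate `-setfacl -m <spec>`: set one entry, then recompute the mask as the
    union of the group-class entries (what HDFS derives when the spec has no mask)."""
    kind, name, perms = spec.split(":")
    updated = {**acl, (kind, name): perms}
    mask = reduce(perms_or, (p for k, p in updated.items() if in_group_class(k)), "---")
    return {**updated, ("mask", ""): mask}

def effective(acl):
    """Rights actually granted: group-class entries are ANDed with the mask."""
    mask = acl.get(("mask", ""), "rwx")
    return {k: perms_and(p, mask) if in_group_class(k) else p for k, p in acl.items()}

if __name__ == "__main__":
    print(effective(modify(parse_getfacl(FIRST_OUTPUT)["/acl"], "user:zwf:r--")))
```

When reviewing `-getfacl -R` output, judge access by the effective value: an entry such as user:zwf:rwx grants only what the mask also allows.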

