HDFS ACL

Before you start using ACLs, make sure they are enabled. If you are using the Cloudera distribution, set the property below in the HDFS configuration:
  
Alternatively, you can find it in yarn-site.xml:

etc/hadoop/yarn-site.xml

Parameter          Value           Notes
yarn.acl.enable    true / false    Enable ACLs? Defaults to false.

/etc/hadoop/conf/yarn-site.xml
<?xml version="1.0" encoding="UTF-8"?>

<!--Autogenerated by Cloudera Manager-->
<configuration>
  <property>
    <name>yarn.acl.enable</name>
    <value>true</value>
  </property>
  <property>
    <name>yarn.admin.acl</name>
    <value>*</value>
  </property>
</configuration>

In some cases it is necessary to specify a blocked access control list for a service: the list of users and groups who are not authorized to access that service. The format of a blocked access control list is the same as that of an access control list.

There are two main ACL commands, detailed below:

[hdfs@host1 ~]$ hadoop fs -help getfacl
-getfacl [-R] <path> :
  Displays the Access Control Lists (ACLs) of files and directories. If a
  directory has a default ACL, then getfacl also displays the default ACL.

  -R      List the ACLs of all files and directories recursively.
  <path>  File or directory to list.

[hdfs@host1 ~]$ hadoop fs -help setfacl
-setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>] :
  Sets Access Control Lists (ACLs) of files and directories.
  Options:

  -b          Remove all but the base ACL entries. The entries for user, group
              and others are retained for compatibility with permission bits.
  -k          Remove the default ACL.
  -R          Apply operations to all files and directories recursively.
  -m          Modify ACL. New entries are added to the ACL, and existing entries
              are retained.
  -x          Remove specified ACL entries. Other ACL entries are retained.
  --set       Fully replace the ACL, discarding all existing entries. The
              <acl_spec> must include entries for user, group, and others for
              compatibility with permission bits.
  <acl_spec>  Comma separated list of ACL entries.
  <path>      File or directory to modify.

ACL on a file: the execute bit (x) is not applicable to a file.

[hasnain@host1 ~]$ hadoop fs -setfacl -m user:cdh:rw- /user/hasnain/load/deckofcards.txt

[hasnain@host1 ~]$ hadoop fs -getfacl /user/hasnain/load/deckofcards.txt
# file: /user/hasnain/load/deckofcards.txt
# owner: hasnain
# group: hasnain
user::rw-
user:cdh:rw-
group::r--
mask::rw-
other::r--

ACL on a directory: set an ACL on a directory under the user's home.

[hasnain@host1 ~]$ hadoop fs -ls -R /user/hasnain
drwxr-xr-x   - hasnain hasnain          0 2020-04-13 18:46 /user/hasnain/load
-rw-rw-r--+  3 hasnain hasnain        693 2020-04-13 18:46 /user/hasnain/load/deckofcards.txt
-rw-r--r--   3 hasnain hasnain  726663168 2020-04-13 18:46 /user/hasnain/load/largedeck.txt

[hasnain@host1 ~]$ hadoop fs -getfacl /user/hasnain/load
# file: /user/hasnain/load
# owner: hasnain
# group: hasnain
user::rwx
group::r-x
other::r-x

[hasnain@host1 ~]$ hadoop fs -setfacl -m user:cdh:rwx /user/hasnain/load

[hasnain@host1 ~]$ hadoop fs -getfacl /user/hasnain/load
# file: /user/hasnain/load
# owner: hasnain
# group: hasnain
user::rwx
user:cdh:rwx
group::r-x
mask::rwx
other::r-x

[hasnain@host1 ~]$ hadoop fs -ls -R /user/hasnain
drwxrwxr-x+  - hasnain hasnain          0 2020-04-13 18:46 /user/hasnain/load
-rw-rw-r--+  3 hasnain hasnain        693 2020-04-13 18:46 /user/hasnain/load/deckofcards.txt
-rw-r--r--   3 hasnain hasnain  726663168 2020-04-13 18:46 /user/hasnain/load/largedeck.txt

-- The "+" at the end of the permission string confirms that an ACL is now set on the directory as well as on the file.

Verify as the user named in the ACL (cdh):

[hasnain@host1 ~]$ sudo -su cdh

[cdh@host1 hasnain]$ hadoop fs -mkdir /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -ls -R /user/hasnain
drwxrwxr-x+  - hasnain hasnain          0 2020-04-13 20:39 /user/hasnain/load
drwxr-xr-x   - cdh     hasnain          0 2020-04-13 20:39 /user/hasnain/load/acl_test
-rw-rw-r--+  3 hasnain hasnain        693 2020-04-13 18:46 /user/hasnain/load/deckofcards.txt
-rw-r--r--   3 hasnain hasnain  726663168 2020-04-13 18:46 /user/hasnain/load/largedeck.txt

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load
# file: /user/hasnain/load
# owner: hasnain
# group: hasnain
user::rwx
user:cdh:rwx
group::r-x
mask::rwx
other::r-x

# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r-x

# file: /user/hasnain/load/deckofcards.txt
# owner: hasnain
# group: hasnain
user::rw-
user:cdh:rw-
group::r--
mask::rw-
other::r--

# file: /user/hasnain/load/largedeck.txt
# owner: hasnain
# group: hasnain
user::rw-
group::r--
other::r--

-- Set a default ACL:

[cdh@host1 hasnain]$ hadoop fs -setfacl -m -R default:other::r-- /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--

-- The default ACL only takes effect for children created from now on (others get r-- on a new directory); the existing directory itself keeps other::r-x.

[cdh@host1 hasnain]$ hadoop fs -mkdir /user/hasnain/load/acl_test/sub_dir

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--

# file: /user/hasnain/load/acl_test/sub_dir
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r--
default:user::rwx
default:group::r-x
default:other::r--

-- Replace the whole ACL with --set:
--set       Fully replace the ACL, discarding all existing entries. The
              <acl_spec> must include entries for user, group, and others for
              compatibility with permission bits.

[cdh@host1 hasnain]$ hadoop fs -setfacl --set user::rwx,group::r--,other::r-- /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r--
other::r--
default:user::rwx
default:group::r-x
default:other::r--

# file: /user/hasnain/load/acl_test/sub_dir
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r--
default:user::rwx
default:group::r-x
default:other::r--

-x          Remove specified ACL entries. Other ACL entries are retained.

[cdh@host1 hasnain]$ hadoop fs -setfacl -m -R user:hasnain:rw- /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
user:hasnain:rw-
group::r--
mask::rw-
other::r--
default:user::rwx
default:group::r-x
default:other::r--

# file: /user/hasnain/load/acl_test/sub_dir
# owner: cdh
# group: hasnain
user::rwx
user:hasnain:rw-
group::r-x
mask::rwx
other::r--
default:user::rwx
default:group::r-x
default:other::r--

[cdh@host1 hasnain]$ hadoop fs -setfacl -x user:hasnain /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r--
mask::r--
other::r--
default:user::rwx
default:group::r-x
default:other::r--

# file: /user/hasnain/load/acl_test/sub_dir
# owner: cdh
# group: hasnain
user::rwx
user:hasnain:rw-
group::r-x
mask::rwx
other::r--
default:user::rwx
default:group::r-x
default:other::r--

 -b          Remove all but the base ACL entries. The entries for user, group
              and others are retained for compatibility with permission bits.

[cdh@host1 hasnain]$ hadoop fs -setfacl -b -R /user/hasnain/load/acl_test

[cdh@host1 hasnain]$ hadoop fs -getfacl -R /user/hasnain/load/acl_test
# file: /user/hasnain/load/acl_test
# owner: cdh
# group: hasnain
user::rwx
group::r--
other::r--

# file: /user/hasnain/load/acl_test/sub_dir
# owner: cdh
# group: hasnain
user::rwx
group::r-x
other::r--

-k          Remove the default ACL.

[hasnain@host1 ~]$ hadoop fs -setfacl -m default:other::r-- /user/hasnain/load

[hasnain@host1 ~]$ hadoop fs -getfacl /user/hasnain/load
# file: /user/hasnain/load
# owner: hasnain
# group: hasnain
user::rwx
user:cdh:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r--

[hasnain@host1 ~]$ hadoop fs -setfacl -k /user/hasnain/load

[hasnain@host1 ~]$ hadoop fs -getfacl /user/hasnain/load
# file: /user/hasnain/load
# owner: hasnain
# group: hasnain
user::rwx
user:cdh:rwx
group::r-x
mask::rwx
other::r-x

-- Blocking access to a sub-tree for a specific user:

hdfs dfs -setfacl -m user:diana:--- /monthly-sales-data

It is important to keep in mind the order of evaluation for ACL entries when a user attempts to access a file system object:
- If the user is the file owner, the owner permission bits are enforced.
- Else, if the user has a named user ACL entry, those permissions are enforced.
- Else, if the user is a member of the file's group or of any named group in an ACL entry, the union of permissions for all matching entries is enforced. (The user may be a member of multiple groups.)
- If none of the above applies, the other permission bits are enforced.
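The evaluation order above, applied to getfacl output such as the listings earlier on this page, as an added Python example (not part of the original post): it parses a getfacl block and returns the effective permissions for a user, applying the mask entry to named-user and group entries the way HDFS does. The users bob, eve and the tightened-mask variant are constructed for illustration.

```python
# Added example (not from the page): HDFS ACL order of evaluation over getfacl output.
def parse_getfacl(text):
    """Return (owner, group, access, default); entries map (tag, qualifier) -> set."""
    owner = group = None
    access, default = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            parts = line.split(":")
            target = access
            if parts[0] == "default":  # "default:" entries go to the default ACL
                target, parts = default, parts[1:]
            tag, qual, perms = parts
            target[(tag, qual)] = set(perms) - {"-"}
    return owner, group, access, default

def effective_perms(acl, user, user_groups):
    """Owner bits, else named user, else union of matching group entries, else other.
    The mask (present only when named entries exist) caps all but owner and other."""
    owner, group, access, _ = acl
    mask = access.get(("mask", ""))
    masked = lambda p: p & mask if mask is not None else p
    if user == owner:
        return access[("user", "")]
    if ("user", user) in access:
        return masked(access[("user", user)])
    groups = set(user_groups)
    hits = [p for (tag, q), p in access.items()
            if tag == "group" and (group if q == "" else q) in groups]
    if hits:
        return masked(set().union(*hits))
    return access[("other", "")]

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")
# deckofcards.txt listing copied from the page: named user cdh gets rw- under mask rw-
DECK_TEXT = """# file: /user/hasnain/load/deckofcards.txt
# owner: hasnain
# group: hasnain
user::rw-
user:cdh:rw-
group::r--
mask::rw-
other::r--"""
DECK = parse_getfacl(DECK_TEXT)
# constructed variant: a later mask::r-- silently drops cdh's write although user:cdh:rw- remains
MASKED = parse_getfacl(DECK_TEXT.replace("mask::rw-", "mask::r--"))
```

Run `effective_perms(DECK, "cdh", [])` and `effective_perms(MASKED, "cdh", [])` to see the mask cut a named user's access without any change to the user:cdh entry itself.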

To learn more about HDFS commands, see here.
