Purpose
This document describes how to configure and manage service-level authorization for Hadoop.
Prerequisites
Make sure Hadoop is installed, configured and set up correctly. For more information see:
- Single Node Setup for first-time users
Overview
Service-level authorization is the initial authorization mechanism that ensures clients connecting to a particular Hadoop service have the necessary, pre-configured permissions and are authorized to access that service. For example, a MapReduce cluster can use this mechanism to allow only a configured list of users and groups to submit jobs.
The $HADOOP_CONF_DIR/hadoop-policy.xml configuration file is used to define the access control lists for the various Hadoop services.
Service-level authorization is performed well before other access control checks such as file permission checks and access control on job queues.
The user name and groups that these ACLs are matched against are the ones established by Hadoop's authentication layer. With the default simple authentication the client asserts its own user name, so service-level ACLs only provide real protection when strong (Kerberos) authentication is enabled.
Configuration
This section describes how to configure service-level authorization through the configuration file $HADOOP_CONF_DIR/hadoop-policy.xml.
Enabling Service Level Authorization
By default, service-level authorization is disabled for Hadoop. To enable it, set the property hadoop.security.authorization to true in $HADOOP_CONF_DIR/core-site.xml.
Hadoop Services and Configuration Properties
The following table lists the various Hadoop services and the configuration property that holds the ACL (access control list) for each:
Property | Service |
---|---|
security.client.protocol.acl | ACL for ClientProtocol, which is used by user code via the DistributedFileSystem |
security.client.datanode.protocol.acl | ACL for ClientDatanodeProtocol, the client-to-DataNode protocol for block recovery |
security.datanode.protocol.acl | ACL for DatanodeProtocol, which is used by DataNodes to communicate with the NameNode |
security.inter.datanode.protocol.acl | ACL for InterDatanodeProtocol, the inter-DataNode protocol for updating the generation timestamp |
security.namenode.protocol.acl | ACL for NamenodeProtocol, the protocol used by the Secondary NameNode to communicate with the NameNode |
security.job.client.protocol.acl | ACL for JobSubmissionProtocol, used by job clients to communicate with the ResourceManager for job submission, querying job status, etc. |
security.job.task.protocol.acl | ACL for TaskUmbilicalProtocol, used by the map and reduce tasks to communicate with the parent NodeManager |
security.refresh.policy.protocol.acl | ACL for RefreshAuthorizationPolicyProtocol, used by the dfsadmin and rmadmin commands to refresh the security policy in effect |
security.ha.service.protocol.acl | ACL for the HAService protocol, used by HAAdmin to manage the active and standby states of the NameNode |
Access Control Lists
$HADOOP_CONF_DIR/hadoop-policy.xml defines an access control list for each Hadoop service. Every access control list has a simple format: a comma-separated list of user names, then a space, then a comma-separated list of group names.
For example: user1,user2 group1,group2
To provide only a list of groups, start the value with a space. Equivalently, a comma-separated list of users followed by a space or by nothing specifies only those users.
The special value * means that all users are allowed to access the service.
If no access control list is defined for a service, the value of security.service.authorization.default.acl is applied. If security.service.authorization.default.acl is not defined, * is applied. Note that this fallback is permissive: turning on hadoop.security.authorization without setting either a per-service ACL or the default ACL still leaves every service open to every user.
Blocked Access Control Lists
In some cases it is necessary to specify a blocked access control list for a service. This lists the users and groups that are not authorized to access the service. The format of a blocked access control list is the same as that of an access control list. The blocked access control list is also specified in $HADOOP_CONF_DIR/hadoop-policy.xml; its property name is derived by adding the suffix ".blocked".
Example: the blocked access control list property for security.client.protocol.acl is security.client.protocol.acl.blocked.
For a service, both an access control list and a blocked access control list may be specified. A user is authorized only if the user is in the access control list and not in the blocked access control list.
If no blocked access control list is defined for a service, the value of security.service.authorization.default.acl.blocked is applied. If security.service.authorization.default.acl.blocked is not defined, an empty blocked access control list is applied.
Refreshing Service Level Authorization Configuration
The service-level authorization configuration for the NameNode and ResourceManager can be changed without restarting either of the Hadoop master daemons. The cluster administrator changes $HADOOP_CONF_DIR/hadoop-policy.xml on the master nodes and then instructs the NameNode and ResourceManager to reload their respective configurations via the -refreshServiceAcl switch of the dfsadmin and rmadmin commands.
Refresh the service-level authorization configuration for the NameNode:
$ bin/hdfs dfsadmin -refreshServiceAcl
Refresh the service-level authorization configuration for the ResourceManager:
$ bin/yarn rmadmin -refreshServiceAcl
Of course, the security.refresh.policy.protocol.acl property in $HADOOP_CONF_DIR/hadoop-policy.xml can be used to restrict the ability to refresh the service-level authorization configuration to certain users or groups. The refresh is itself an RPC governed by that ACL, so the administrator running the command must be allowed by it (or it must still be *), otherwise the refresh is rejected.
Access Control Using Lists of IP Addresses, Host Names and IP Ranges
Access to a service can be controlled based on the IP address of the client accessing the service. It is possible to restrict access to a service to a set of machines by specifying a list of IP addresses, host names and IP ranges. The property name for each service is derived from the corresponding ACL's property name: if the ACL property name is security.client.protocol.acl, the property name for the hosts list is security.client.protocol.hosts.
If no hosts list is defined for a service, the value of security.service.authorization.default.hosts is applied. If security.service.authorization.default.hosts is not defined, * is applied.
It is also possible to specify a blocked list of hosts. Only those machines that are in the hosts list but not in the blocked hosts list are granted access to the service. The property name is derived by adding the suffix .blocked. Example: the blocked hosts list property for security.client.protocol.hosts is security.client.protocol.hosts.blocked.
If no blocked hosts list is defined for a service, the value of security.service.authorization.default.hosts.blocked is applied. If security.service.authorization.default.hosts.blocked is also not defined, an empty blocked hosts list is applied.
Examples
Allow only users alice and bob and users in the mapreduce group to submit jobs to the MapReduce cluster:
<property>
<name>security.job.client.protocol.acl</name>
<value>alice,bob mapreduce</value>
</property>
Allow only DataNodes running as users who belong to the group datanodes to communicate with the NameNode (note the leading space in the value, which marks datanodes as a group rather than a user name):
<property>
<name>security.datanode.protocol.acl</name>
<value> datanodes</value>
</property>
Allow any user to talk to the HDFS cluster as a DFSClient:
<property>
<name>security.client.protocol.acl</name>
<value>*</value>
</property>
Source: translation of the hadoop-2.7.2 official documentation, Service Level Authorization Guide