The Hadoop Distributed File System (HDFS) implements a permissions model for files and directories that shares much of the POSIX model. Each file and directory is associated with an owner and a group. The file or directory has separate permissions for the user that is the owner, for other users that are members of the group, and for all other users. For files, the r permission is required to read the file, and the w permission is required to write or append to the file. For directories, the r permission is required to list the contents of the directory, the w permission is required to create or delete files or directories, and the x permission is required to access a child of the directory.

In contrast to the POSIX model, there are no setuid or setgid bits for files as there is no notion of executable files. For directories, there are no setuid or setgid bits, as a simplification. The sticky bit can be set on directories, preventing anyone except the superuser, directory owner or file owner from deleting or moving the files within the directory. Setting the sticky bit for a file has no effect. Collectively, the permissions of a file or directory are its mode. In general, Unix customs for representing and displaying modes will be used, including the use of octal numbers in this description. When a file or directory is created, its owner is the user identity of the client process, and its group is the group of the parent directory (the BSD rule).

HDFS also provides optional support for POSIX ACLs (Access Control Lists) to augment file permissions with finer-grained rules for specific named users or named groups. ACLs are discussed in greater detail later in this document.

Each client process that accesses HDFS has a two-part identity composed of the user name and the groups list. Whenever HDFS must do a permissions check for a file or directory foo accessed by a client process,

- If the user name matches the owner of foo, then the owner permissions are tested.
- Else if the group of foo matches any member of the groups list, then the group permissions are tested.
- Otherwise the other permissions of foo are tested.

If a permissions check fails, the client operation fails.

User Identity

As of Hadoop 0.22, Hadoop supports two different modes of operation to determine the user’s identity, specified by the property:

In this mode of operation, the identity of a client process is determined by the host operating system. On Unix-like systems, the user name is the equivalent of `whoami`.

In Kerberized operation, the identity of a client process is determined by its Kerberos credentials. For example, in a Kerberized environment, a user may use the kinit utility to obtain a Kerberos ticket-granting-ticket (TGT) and use klist to determine their current principal. When mapping a Kerberos principal to an HDFS username, all components except for the primary are dropped. For example, a principal will act as the simple username todd on HDFS.

Regardless of the mode of operation, the user identity mechanism is extrinsic to HDFS itself. There is no provision within HDFS for creating user identities, establishing groups, or processing user credentials.

Once a username has been determined as described above, the list of groups is determined by a group mapping service, configured by the property.

Permission Checks

Each HDFS operation demands that the user has specific permissions (some combination of READ, WRITE and EXECUTE), granted through file ownership, group membership or the other permissions. An operation may perform permission checks at multiple components of the path, not only the final component. Additionally, some operations depend on a check of the owner of a path.

All operations require traversal access.
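The owner/group/other selection, the sticky-bit rule and the principal-to-username mapping described on this page can be modelled in a few lines. This is an added example, not Hadoop's own code; the user names, the `hdfs` superuser name, the sample principal and all function names are assumptions constructed for illustration, and the principal mapping is the simple "keep the primary" rule only.

```python
# Added illustration: a toy model of the HDFS mode-bit rules, not Hadoop code.
import stat
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1
SUPERUSER = "hdfs"  # assumption: constructed superuser name for this example

@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # octal mode such as 0o750; may include stat.S_ISVTX (sticky bit)

def primary_of(principal: str) -> str:
    """Drop every component of a Kerberos principal except the primary."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def class_bits(user: str, groups: list, inode: Inode) -> int:
    """Pick exactly one class: owner, else group, else other. No fall-through."""
    if user == inode.owner:
        return (inode.mode >> 6) & 7
    if inode.group in groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def permitted(user: str, groups: list, inode: Inode, wanted: int) -> bool:
    return (class_bits(user, groups, inode) & wanted) == wanted

def may_delete(user: str, groups: list, parent: Inode, child: Inode) -> bool:
    """Delete needs w (modify) and x (reach the child) on the parent directory."""
    if user == SUPERUSER:
        return True  # permission checks do not fail for the superuser
    if not permitted(user, groups, parent, WRITE | EXECUTE):
        return False
    if parent.mode & stat.S_ISVTX:  # sticky: only directory owner or file owner
        return user in (parent.owner, child.owner)
    return True

def demo() -> dict:
    # Constructed sample data; none of these names come from the page.
    locked = Inode("alice", "analysts", 0o077)   # owner class has no bits at all
    shared = Inode("etl", "analysts", 0o1777)    # world-writable, sticky directory
    report = Inode("alice", "analysts", 0o644)
    return {
        "user": primary_of("alice/gateway01@EXAMPLE.COM"),
        "owner_reads_locked": permitted("alice", ["analysts"], locked, READ),
        "member_reads_locked": permitted("bob", ["analysts"], locked, READ),
        "bob_deletes_report": may_delete("bob", ["analysts"], shared, report),
        "alice_deletes_report": may_delete("alice", ["analysts"], shared, report),
    }

if __name__ == "__main__":
    print(demo())
```

The `locked` case is the one worth checking during a permissions audit: because only one class is ever tested, an owner with mode 077 is denied even though the group and other bits would allow the read.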