Examples are provided in this topic to demonstrate the relationship between Hadoop users/groups and the users/groups that are assigned permission to access the bucket using ECS User ACLs and Custom Group ACLs.
When a bucket is created, ECS automatically assigns ACLs to the bucket owner and to the default group, which is the group assignment for the bucket when accessed using HDFS. A bucket must always have an owner; however, a bucket does not require an assigned default group. Users and groups other than the bucket owner, that is, Custom Groups, can be assigned ACLs on the bucket. ACLs assigned in this way translate to permissions for Hadoop users.
Table 1. Example bucket permissions for file system access in a simple Hadoop cluster

| Hadoop users and groups | Bucket permissions | Bucket/file system access |
| --- | --- | --- |
| Bucket access using Group ACL | | |
| Users (service): hdfs, mapred, yarn, hive, pig<br>Users (applications): sally, fred<br>Groups: hdfs (hdfs); hadoop (hdfs, mapred, yarn, hive, pig); users (sally, fred)<br>Supergroup: hdfs | Bucket owner: hdfs<br>Default Group: Default<br>Custom Group ACL: hadoop, users, hive, spark (Full Control)<br>User ACL: hdfs (owner) | Custom Group ACLs must be set on the bucket in the ECS Portal to assign Full Control on the bucket/root file system to the hadoop, users, hive, and spark groups. This example assumes that hdfs is the superuser - the user that started the namenode. |
| Bucket created by s3 user - crosshead access | | |
| Users (service): hdfs, mapred, yarn, hive, pig<br>Users (applications): sally, fred<br>Groups: hdfs (hdfs); hadoop (hdfs, mapred, yarn, hive, pig); users (sally, fred)<br>Supergroup: hdfs | Bucket owner: s3user<br>Default Group: hadoop (Group File Permissions: Read, Write; Group Directory Permissions: Read, Write, Execute)<br>Custom Group ACL: hadoop (default)<br>User ACL: s3user (owner), sally, fred | Where you want objects written by an S3 user to be accessible as files from HDFS, a default group must be defined (hadoop) so that Hadoop users and services have permissions on the files due to group membership. The default group automatically has Custom Group ACLs on the bucket/file system. The following example shows that hadoop has been set as the default group and the root file system permissions are 777: `drwxrwxrwx+ - s3user hadoop 0 2018-03-09 12:28 /` You can give users access either by adding User ACLs or by adding Custom Group ACLs for the group to which the users belong. |
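Added example (not from the ECS documentation): Python that parses the root listing line shown above and reports which permission class (owner, group, other) applies to each Hadoop user from Table 1, using standard HDFS mode-bit semantics. It does not model ECS bucket ACL evaluation; the user `mallory` and all function names are constructed for illustration.

```python
import re

# Hadoop group membership taken from Table 1 on this page.
GROUPS = {
    "hdfs": {"hdfs"},
    "hadoop": {"hdfs", "mapred", "yarn", "hive", "pig"},
    "users": {"sally", "fred"},
}

# Fields: type+mode(+ACL marker), replication, owner, group, size, date, time, path
LS_LINE = re.compile(
    r"^(?P<type>[d-])(?P<mode>[rwxtT-]{9})(?P<acl>\+?)\s+\S+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<path>.+)$"
)

def parse_ls(line):
    """Parse one line of HDFS-style `ls` output into its fields."""
    m = LS_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognized listing line: {line!r}")
    entry = m.groupdict()
    entry["has_acl"] = entry.pop("acl") == "+"  # trailing '+' marks extended ACL entries
    return entry

def effective_bits(entry, user, groups=GROUPS):
    """Return (class, rwx triplet) for `user`: owner first, then group, then other."""
    mode = entry["mode"]
    if user == entry["owner"]:
        return "owner", mode[0:3]
    if user in groups.get(entry["group"], set()):
        return "group", mode[3:6]
    return "other", mode[6:9]

def audit(entry):
    """Flag settings a reviewer would question on a bucket root."""
    findings = []
    if "w" in entry["mode"][6:9]:
        findings.append("world-writable: users outside owner/group can write")
    if entry["has_acl"]:
        findings.append("extended ACL entries present: mode bits are not the whole picture")
    return findings

if __name__ == "__main__":
    root = parse_ls("drwxrwxrwx+ - s3user hadoop 0 2018-03-09 12:28 /")
    # "mallory" is a constructed user that belongs to none of the page's groups.
    for user in ("s3user", "hive", "sally", "mallory"):
        print(user, *effective_bits(root, user))
    print(audit(root))
```

With the 777 root from the page, sally and any unlisted user fall into the "other" class and still receive rwx from the mode bits, so the group and User ACL assignments are what a reviewer should check when narrowing access.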
Table 2. Example bucket permissions for file system access in a Kerberized Hadoop cluster

Custom Group ACLs set on the bucket in the Portal enable the hadoop and users group to have permissions on the bucket/root file system. User information from the Hadoop cluster must be available to ECS so that it can provide secure access to the bucket. This information is provided using bucket metadata and an example metadata file is provided in Secure bucket metadata.