[120] | 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
---|
| 2 | <html> |
---|
| 3 | <head> |
---|
| 4 | <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
---|
| 5 | <meta content="Apache Forrest" name="Generator"> |
---|
| 6 | <meta name="Forrest-version" content="0.8"> |
---|
| 7 | <meta name="Forrest-skin-name" content="pelt"> |
---|
| 8 | <title>Service Level Authorization Guide</title> |
---|
| 9 | <link type="text/css" href="skin/basic.css" rel="stylesheet"> |
---|
| 10 | <link media="screen" type="text/css" href="skin/screen.css" rel="stylesheet"> |
---|
| 11 | <link media="print" type="text/css" href="skin/print.css" rel="stylesheet"> |
---|
| 12 | <link type="text/css" href="skin/profile.css" rel="stylesheet"> |
---|
| 13 | <script src="skin/getBlank.js" language="javascript" type="text/javascript"></script><script src="skin/getMenu.js" language="javascript" type="text/javascript"></script><script src="skin/fontsize.js" language="javascript" type="text/javascript"></script> |
---|
| 14 | <link rel="shortcut icon" href="images/favicon.ico"> |
---|
| 15 | </head> |
---|
| 16 | <body onload="init()"> |
---|
| 17 | <script type="text/javascript">ndeSetTextSize();</script> |
---|
| 18 | <div id="top"> |
---|
| 19 | <!--+ |
---|
| 20 | |breadtrail |
---|
| 21 | +--> |
---|
| 22 | <div class="breadtrail"> |
---|
| 23 | <a href="http://www.apache.org/">Apache</a> > <a href="http://hadoop.apache.org/">Hadoop</a> > <a href="http://hadoop.apache.org/core/">Core</a><script src="skin/breadcrumbs.js" language="JavaScript" type="text/javascript"></script> |
---|
| 24 | </div> |
---|
| 25 | <!--+ |
---|
| 26 | |header |
---|
| 27 | +--> |
---|
| 28 | <div class="header"> |
---|
| 29 | <!--+ |
---|
| 30 | |start group logo |
---|
| 31 | +--> |
---|
| 32 | <div class="grouplogo"> |
---|
| 33 | <a href="http://hadoop.apache.org/"><img class="logoImage" alt="Hadoop" src="images/hadoop-logo.jpg" title="Apache Hadoop"></a> |
---|
| 34 | </div> |
---|
| 35 | <!--+ |
---|
| 36 | |end group logo |
---|
| 37 | +--> |
---|
| 38 | <!--+ |
---|
| 39 | |start Project Logo |
---|
| 40 | +--> |
---|
| 41 | <div class="projectlogo"> |
---|
| 42 | <a href="http://hadoop.apache.org/core/"><img class="logoImage" alt="Hadoop" src="images/core-logo.gif" title="Scalable Computing Platform"></a> |
---|
| 43 | </div> |
---|
| 44 | <!--+ |
---|
| 45 | |end Project Logo |
---|
| 46 | +--> |
---|
| 47 | <!--+ |
---|
| 48 | |start Search |
---|
| 49 | +--> |
---|
| 50 | <div class="searchbox"> |
---|
| 51 | <form action="http://www.google.com/search" method="get" class="roundtopsmall"> |
---|
| 52 | <input value="hadoop.apache.org" name="sitesearch" type="hidden"><input onFocus="getBlank (this, 'Search the site with google');" size="25" name="q" id="query" type="text" value="Search the site with google"> |
---|
| 53 | <input name="Search" value="Search" type="submit"> |
---|
| 54 | </form> |
---|
| 55 | </div> |
---|
| 56 | <!--+ |
---|
| 57 | |end search |
---|
| 58 | +--> |
---|
| 59 | <!--+ |
---|
| 60 | |start Tabs |
---|
| 61 | +--> |
---|
| 62 | <ul id="tabs"> |
---|
| 63 | <li> |
---|
| 64 | <a class="unselected" href="http://hadoop.apache.org/core/">Project</a> |
---|
| 65 | </li> |
---|
| 66 | <li> |
---|
| 67 | <a class="unselected" href="http://wiki.apache.org/hadoop">Wiki</a> |
---|
| 68 | </li> |
---|
| 69 | <li class="current"> |
---|
| 70 | <a class="selected" href="index.html">Hadoop 0.20 Documentation</a> |
---|
| 71 | </li> |
---|
| 72 | </ul> |
---|
| 73 | <!--+ |
---|
| 74 | |end Tabs |
---|
| 75 | +--> |
---|
| 76 | </div> |
---|
| 77 | </div> |
---|
| 78 | <div id="main"> |
---|
| 79 | <div id="publishedStrip"> |
---|
| 80 | <!--+ |
---|
| 81 | |start Subtabs |
---|
| 82 | +--> |
---|
| 83 | <div id="level2tabs"></div> |
---|
| 84 | <!--+ |
---|
| 85 | |end Endtabs |
---|
| 86 | +--> |
---|
| 87 | <script type="text/javascript"><!-- |
---|
| 88 | document.write("Last Published: " + document.lastModified); |
---|
| 89 | // --></script> |
---|
| 90 | </div> |
---|
| 91 | <!--+ |
---|
| 92 | |breadtrail |
---|
| 93 | +--> |
---|
| 94 | <div class="breadtrail"> |
---|
| 95 | |
---|
| 96 | |
---|
| 97 | </div> |
---|
| 98 | <!--+ |
---|
| 99 | |start Menu, mainarea |
---|
| 100 | +--> |
---|
| 101 | <!--+ |
---|
| 102 | |start Menu |
---|
| 103 | +--> |
---|
| 104 | <div id="menu"> |
---|
| 105 | <div onclick="SwitchMenu('menu_1.1', 'skin/')" id="menu_1.1Title" class="menutitle">Getting Started</div> |
---|
| 106 | <div id="menu_1.1" class="menuitemgroup"> |
---|
| 107 | <div class="menuitem"> |
---|
| 108 | <a href="index.html">Overview</a> |
---|
| 109 | </div> |
---|
| 110 | <div class="menuitem"> |
---|
| 111 | <a href="quickstart.html">Quick Start</a> |
---|
| 112 | </div> |
---|
| 113 | <div class="menuitem"> |
---|
| 114 | <a href="cluster_setup.html">Cluster Setup</a> |
---|
| 115 | </div> |
---|
| 116 | <div class="menuitem"> |
---|
| 117 | <a href="mapred_tutorial.html">Map/Reduce Tutorial</a> |
---|
| 118 | </div> |
---|
| 119 | </div> |
---|
| 120 | <div onclick="SwitchMenu('menu_selected_1.2', 'skin/')" id="menu_selected_1.2Title" class="menutitle" style="background-image: url('skin/images/chapter_open.gif');">Programming Guides</div> |
---|
| 121 | <div id="menu_selected_1.2" class="selectedmenuitemgroup" style="display: block;"> |
---|
| 122 | <div class="menuitem"> |
---|
| 123 | <a href="commands_manual.html">Commands</a> |
---|
| 124 | </div> |
---|
| 125 | <div class="menuitem"> |
---|
| 126 | <a href="distcp.html">DistCp</a> |
---|
| 127 | </div> |
---|
| 128 | <div class="menuitem"> |
---|
| 129 | <a href="native_libraries.html">Native Libraries</a> |
---|
| 130 | </div> |
---|
| 131 | <div class="menuitem"> |
---|
| 132 | <a href="streaming.html">Streaming</a> |
---|
| 133 | </div> |
---|
| 134 | <div class="menuitem"> |
---|
| 135 | <a href="fair_scheduler.html">Fair Scheduler</a> |
---|
| 136 | </div> |
---|
| 137 | <div class="menuitem"> |
---|
| 138 | <a href="capacity_scheduler.html">Capacity Scheduler</a> |
---|
| 139 | </div> |
---|
| 140 | <div class="menupage"> |
---|
| 141 | <div class="menupagetitle">Service Level Authorization</div> |
---|
| 142 | </div> |
---|
| 143 | <div class="menuitem"> |
---|
| 144 | <a href="vaidya.html">Vaidya</a> |
---|
| 145 | </div> |
---|
| 146 | <div class="menuitem"> |
---|
| 147 | <a href="hadoop_archives.html">Archives</a> |
---|
| 148 | </div> |
---|
| 149 | </div> |
---|
| 150 | <div onclick="SwitchMenu('menu_1.3', 'skin/')" id="menu_1.3Title" class="menutitle">HDFS</div> |
---|
| 151 | <div id="menu_1.3" class="menuitemgroup"> |
---|
| 152 | <div class="menuitem"> |
---|
| 153 | <a href="hdfs_user_guide.html">User Guide</a> |
---|
| 154 | </div> |
---|
| 155 | <div class="menuitem"> |
---|
| 156 | <a href="hdfs_design.html">Architecture</a> |
---|
| 157 | </div> |
---|
| 158 | <div class="menuitem"> |
---|
| 159 | <a href="hdfs_shell.html">File System Shell Guide</a> |
---|
| 160 | </div> |
---|
| 161 | <div class="menuitem"> |
---|
| 162 | <a href="hdfs_permissions_guide.html">Permissions Guide</a> |
---|
| 163 | </div> |
---|
| 164 | <div class="menuitem"> |
---|
| 165 | <a href="hdfs_quota_admin_guide.html">Quotas Guide</a> |
---|
| 166 | </div> |
---|
| 167 | <div class="menuitem"> |
---|
| 168 | <a href="SLG_user_guide.html">Synthetic Load Generator Guide</a> |
---|
| 169 | </div> |
---|
| 170 | <div class="menuitem"> |
---|
| 171 | <a href="libhdfs.html">C API libhdfs</a> |
---|
| 172 | </div> |
---|
| 173 | </div> |
---|
| 174 | <div onclick="SwitchMenu('menu_1.4', 'skin/')" id="menu_1.4Title" class="menutitle">HOD</div> |
---|
| 175 | <div id="menu_1.4" class="menuitemgroup"> |
---|
| 176 | <div class="menuitem"> |
---|
| 177 | <a href="hod_user_guide.html">User Guide</a> |
---|
| 178 | </div> |
---|
| 179 | <div class="menuitem"> |
---|
| 180 | <a href="hod_admin_guide.html">Admin Guide</a> |
---|
| 181 | </div> |
---|
| 182 | <div class="menuitem"> |
---|
| 183 | <a href="hod_config_guide.html">Config Guide</a> |
---|
| 184 | </div> |
---|
| 185 | </div> |
---|
| 186 | <div onclick="SwitchMenu('menu_1.5', 'skin/')" id="menu_1.5Title" class="menutitle">Miscellaneous</div> |
---|
| 187 | <div id="menu_1.5" class="menuitemgroup"> |
---|
| 188 | <div class="menuitem"> |
---|
| 189 | <a href="api/index.html">API Docs</a> |
---|
| 190 | </div> |
---|
| 191 | <div class="menuitem"> |
---|
| 192 | <a href="jdiff/changes.html">API Changes</a> |
---|
| 193 | </div> |
---|
| 194 | <div class="menuitem"> |
---|
| 195 | <a href="http://wiki.apache.org/hadoop/">Wiki</a> |
---|
| 196 | </div> |
---|
| 197 | <div class="menuitem"> |
---|
| 198 | <a href="http://wiki.apache.org/hadoop/FAQ">FAQ</a> |
---|
| 199 | </div> |
---|
| 200 | <div class="menuitem"> |
---|
| 201 | <a href="releasenotes.html">Release Notes</a> |
---|
| 202 | </div> |
---|
| 203 | <div class="menuitem"> |
---|
| 204 | <a href="changes.html">Change Log</a> |
---|
| 205 | </div> |
---|
| 206 | </div> |
---|
| 207 | <div id="credit"></div> |
---|
| 208 | <div id="roundbottom"> |
---|
| 209 | <img style="display: none" class="corner" height="15" width="15" alt="" src="skin/images/rc-b-l-15-1body-2menu-3menu.png"></div> |
---|
| 210 | <!--+ |
---|
| 211 | |alternative credits |
---|
| 212 | +--> |
---|
| 213 | <div id="credit2"></div> |
---|
| 214 | </div> |
---|
| 215 | <!--+ |
---|
| 216 | |end Menu |
---|
| 217 | +--> |
---|
| 218 | <!--+ |
---|
| 219 | |start content |
---|
| 220 | +--> |
---|
| 221 | <div id="content"> |
---|
| 222 | <div title="Portable Document Format" class="pdflink"> |
---|
| 223 | <a class="dida" href="service_level_auth.pdf"><img alt="PDF -icon" src="skin/images/pdfdoc.gif" class="skin"><br> |
---|
| 224 | PDF</a> |
---|
| 225 | </div> |
---|
| 226 | <h1>Service Level Authorization Guide</h1> |
---|
| 227 | <div id="minitoc-area"> |
---|
| 228 | <ul class="minitoc"> |
---|
| 229 | <li> |
---|
| 230 | <a href="#Purpose">Purpose</a> |
---|
| 231 | </li> |
---|
| 232 | <li> |
---|
| 233 | <a href="#Pre-requisites">Pre-requisites</a> |
---|
| 234 | </li> |
---|
| 235 | <li> |
---|
| 236 | <a href="#Overview">Overview</a> |
---|
| 237 | </li> |
---|
| 238 | <li> |
---|
| 239 | <a href="#Configuration">Configuration</a> |
---|
| 240 | <ul class="minitoc"> |
---|
| 241 | <li> |
---|
| 242 | <a href="#Enable+Service+Level+Authorization">Enable Service Level Authorization</a> |
---|
| 243 | </li> |
---|
| 244 | <li> |
---|
| 245 | <a href="#Hadoop+Services+and+Configuration+Properties">Hadoop Services and Configuration Properties</a> |
---|
| 246 | </li> |
---|
| 247 | <li> |
---|
| 248 | <a href="#Access+Control+Lists">Access Control Lists</a> |
---|
| 249 | </li> |
---|
| 250 | <li> |
---|
| 251 | <a href="#Refreshing+Service+Level+Authorization+Configuration">Refreshing Service Level Authorization Configuration</a> |
---|
| 252 | </li> |
---|
| 253 | <li> |
---|
| 254 | <a href="#Examples">Examples</a> |
---|
| 255 | </li> |
---|
| 256 | </ul> |
---|
| 257 | </li> |
---|
| 258 | </ul> |
---|
| 259 | </div> |
---|
| 260 | |
---|
| 261 | |
---|
| 262 | <a name="N1000D"></a><a name="Purpose"></a> |
---|
| 263 | <h2 class="h3">Purpose</h2> |
---|
| 264 | <div class="section"> |
---|
| 265 | <p>This document describes how to configure and manage <em>Service Level |
---|
| 266 | Authorization</em> for Hadoop.</p> |
---|
| 267 | </div> |
---|
| 268 | |
---|
| 269 | |
---|
| 270 | <a name="N1001A"></a><a name="Pre-requisites"></a> |
---|
| 271 | <h2 class="h3">Pre-requisites</h2> |
---|
| 272 | <div class="section"> |
---|
| 273 | <p>Ensure that Hadoop is installed, configured and set up correctly. More |
---|
| 274 | details:</p> |
---|
| 275 | <ul> |
---|
| 276 | |
---|
| 277 | <li> |
---|
| 278 | |
---|
| 279 | <a href="quickstart.html">Hadoop Quick Start</a> for first-time users. |
---|
| 280 | </li> |
---|
| 281 | |
---|
| 282 | <li> |
---|
| 283 | |
---|
| 284 | <a href="cluster_setup.html">Hadoop Cluster Setup</a> for large, |
---|
| 285 | distributed clusters. |
---|
| 286 | </li> |
---|
| 287 | |
---|
| 288 | </ul> |
---|
| 289 | </div> |
---|
| 290 | |
---|
| 291 | |
---|
| 292 | <a name="N10035"></a><a name="Overview"></a> |
---|
| 293 | <h2 class="h3">Overview</h2> |
---|
| 294 | <div class="section"> |
---|
| 295 | <p>Service Level Authorization is the initial authorization mechanism to |
---|
| 296 | ensure clients connecting to a particular Hadoop <em>service</em> have the |
---|
| 297 | necessary, pre-configured, permissions and are authorized to access the given |
---|
| 298 | service. For example, a Map/Reduce cluster can use this mechanism to allow a |
---|
| 299 | configured list of users/groups to submit jobs.</p> |
---|
| 300 | <p>The <span class="codefrag">${HADOOP_CONF_DIR}/hadoop-policy.xml</span> configuration file |
---|
| 301 | is used to define the access control lists for various Hadoop services.</p> |
---|
| 302 | <p>Service Level Authorization is performed well before other access |
---|
| 303 | control checks such as file-permission checks, access control on job queues |
---|
| 304 | etc.; a client that passes it is still subject to those later checks.</p> |
---|
| 305 | </div> |
---|
| 306 | |
---|
| 307 | |
---|
| 308 | <a name="N1004B"></a><a name="Configuration"></a> |
---|
| 309 | <h2 class="h3">Configuration</h2> |
---|
| 310 | <div class="section"> |
---|
| 311 | <p>This section describes how to configure service-level authorization |
---|
| 312 | via the configuration file <span class="codefrag">${HADOOP_CONF_DIR}/hadoop-policy.xml</span>. |
---|
| 313 | </p> |
---|
| 314 | <a name="N10057"></a><a name="Enable+Service+Level+Authorization"></a> |
---|
| 315 | <h3 class="h4">Enable Service Level Authorization</h3> |
---|
| 316 | <p>By default, service-level authorization is disabled for Hadoop, so the |
---|
| 317 | access control lists described below are not enforced. To enable it, set the configuration property |
---|
| 318 | <span class="codefrag">hadoop.security.authorization</span> to <strong>true</strong> |
---|
| 319 | in <span class="codefrag">${HADOOP_CONF_DIR}/core-site.xml</span>.</p> |
---|
| 320 | <a name="N1006A"></a><a name="Hadoop+Services+and+Configuration+Properties"></a> |
---|
| 321 | <h3 class="h4">Hadoop Services and Configuration Properties</h3> |
---|
| 322 | <p>This section lists the various Hadoop services and their configuration |
---|
| 323 | knobs:</p> |
---|
| 324 | <table class="ForrestTable" cellspacing="1" cellpadding="4"> |
---|
| 325 | |
---|
| 326 | <tr> |
---|
| 327 | |
---|
| 328 | <th colspan="1" rowspan="1">Property</th> |
---|
| 329 | <th colspan="1" rowspan="1">Service</th> |
---|
| 330 | |
---|
| 331 | </tr> |
---|
| 332 | |
---|
| 333 | <tr> |
---|
| 334 | |
---|
| 335 | <td colspan="1" rowspan="1"><span class="codefrag">security.client.protocol.acl</span></td> |
---|
| 336 | <td colspan="1" rowspan="1">ACL for ClientProtocol, which is used by user code via the |
---|
| 337 | DistributedFileSystem.</td> |
---|
| 338 | |
---|
| 339 | </tr> |
---|
| 340 | |
---|
| 341 | <tr> |
---|
| 342 | |
---|
| 343 | <td colspan="1" rowspan="1"><span class="codefrag">security.client.datanode.protocol.acl</span></td> |
---|
| 344 | <td colspan="1" rowspan="1">ACL for ClientDatanodeProtocol, the client-to-datanode protocol |
---|
| 345 | for block recovery.</td> |
---|
| 346 | |
---|
| 347 | </tr> |
---|
| 348 | |
---|
| 349 | <tr> |
---|
| 350 | |
---|
| 351 | <td colspan="1" rowspan="1"><span class="codefrag">security.datanode.protocol.acl</span></td> |
---|
| 352 | <td colspan="1" rowspan="1">ACL for DatanodeProtocol, which is used by datanodes to |
---|
| 353 | communicate with the namenode.</td> |
---|
| 354 | |
---|
| 355 | </tr> |
---|
| 356 | |
---|
| 357 | <tr> |
---|
| 358 | |
---|
| 359 | <td colspan="1" rowspan="1"><span class="codefrag">security.inter.datanode.protocol.acl</span></td> |
---|
| 360 | <td colspan="1" rowspan="1">ACL for InterDatanodeProtocol, the inter-datanode protocol |
---|
| 361 | for updating generation timestamp.</td> |
---|
| 362 | |
---|
| 363 | </tr> |
---|
| 364 | |
---|
| 365 | <tr> |
---|
| 366 | |
---|
| 367 | <td colspan="1" rowspan="1"><span class="codefrag">security.namenode.protocol.acl</span></td> |
---|
| 368 | <td colspan="1" rowspan="1">ACL for NamenodeProtocol, the protocol used by the secondary |
---|
| 369 | namenode to communicate with the namenode.</td> |
---|
| 370 | |
---|
| 371 | </tr> |
---|
| 372 | |
---|
| 373 | <tr> |
---|
| 374 | |
---|
| 375 | <td colspan="1" rowspan="1"><span class="codefrag">security.inter.tracker.protocol.acl</span></td> |
---|
| 376 | <td colspan="1" rowspan="1">ACL for InterTrackerProtocol, used by the tasktrackers to |
---|
| 377 | communicate with the jobtracker.</td> |
---|
| 378 | |
---|
| 379 | </tr> |
---|
| 380 | |
---|
| 381 | <tr> |
---|
| 382 | |
---|
| 383 | <td colspan="1" rowspan="1"><span class="codefrag">security.job.submission.protocol.acl</span></td> |
---|
| 384 | <td colspan="1" rowspan="1">ACL for JobSubmissionProtocol, used by job clients to |
---|
| 385 | communicate with the jobtracker for job submission, querying job status |
---|
| 386 | etc.</td> |
---|
| 387 | |
---|
| 388 | </tr> |
---|
| 389 | |
---|
| 390 | <tr> |
---|
| 391 | |
---|
| 392 | <td colspan="1" rowspan="1"><span class="codefrag">security.task.umbilical.protocol.acl</span></td> |
---|
| 393 | <td colspan="1" rowspan="1">ACL for TaskUmbilicalProtocol, used by the map and reduce |
---|
| 394 | tasks to communicate with the parent tasktracker.</td> |
---|
| 395 | |
---|
| 396 | </tr> |
---|
| 397 | |
---|
| 398 | <tr> |
---|
| 399 | |
---|
| 400 | <td colspan="1" rowspan="1"><span class="codefrag">security.refresh.policy.protocol.acl</span></td> |
---|
| 401 | <td colspan="1" rowspan="1">ACL for RefreshAuthorizationPolicyProtocol, used by the |
---|
| 402 | dfsadmin and mradmin commands to refresh the security policy in effect. |
---|
| 403 | </td> |
---|
| 404 | |
---|
| 405 | </tr> |
---|
| 406 | |
---|
| 407 | </table> |
---|
| 408 | <a name="N10102"></a><a name="Access+Control+Lists"></a> |
---|
| 409 | <h3 class="h4">Access Control Lists</h3> |
---|
| 410 | <p> |
---|
| 411 | <span class="codefrag">${HADOOP_CONF_DIR}/hadoop-policy.xml</span> defines an access |
---|
| 412 | control list for each Hadoop service. Every access control list has a |
---|
| 413 | simple format:</p> |
---|
| 414 | <p>The list of users and the list of groups are each a comma-separated list of names. |
---|
| 415 | The two lists are separated by a space.</p> |
---|
| 416 | <p>Example: <span class="codefrag">user1,user2 group1,group2</span>.</p> |
---|
| 417 | <p>Add a blank at the beginning of the line if only a list of groups |
---|
| 418 | is to be provided; equivalently, a comma-separated list of users followed |
---|
| 419 | by a space or nothing implies only the given set of users.</p> |
---|
| 420 | <p>A special value of <strong>*</strong> implies that all users are |
---|
| 421 | allowed to access the service.</p> |
---|
| 422 | <a name="N10120"></a><a name="Refreshing+Service+Level+Authorization+Configuration"></a> |
---|
| 423 | <h3 class="h4">Refreshing Service Level Authorization Configuration</h3> |
---|
| 424 | <p>The service-level authorization configuration for the NameNode and |
---|
| 425 | JobTracker can be changed without restarting either of the Hadoop master |
---|
| 426 | daemons. The cluster administrator can change |
---|
| 427 | <span class="codefrag">${HADOOP_CONF_DIR}/hadoop-policy.xml</span> on the master nodes and |
---|
| 428 | instruct the NameNode and JobTracker to reload their respective |
---|
| 429 | configurations via the <em>-refreshServiceAcl</em> switch to the |
---|
| 430 | <em>dfsadmin</em> and <em>mradmin</em> commands, respectively.</p> |
---|
| 431 | <p>Refresh the service-level authorization configuration for the |
---|
| 432 | NameNode:</p> |
---|
| 433 | <p> |
---|
| 434 | |
---|
| 435 | <span class="codefrag">$ bin/hadoop dfsadmin -refreshServiceAcl</span> |
---|
| 436 | |
---|
| 437 | </p> |
---|
| 438 | <p>Refresh the service-level authorization configuration for the |
---|
| 439 | JobTracker:</p> |
---|
| 440 | <p> |
---|
| 441 | |
---|
| 442 | <span class="codefrag">$ bin/hadoop mradmin -refreshServiceAcl</span> |
---|
| 443 | |
---|
| 444 | </p> |
---|
| 445 | <p>Of course, one can use the |
---|
| 446 | <span class="codefrag">security.refresh.policy.protocol.acl</span> property in |
---|
| 447 | <span class="codefrag">${HADOOP_CONF_DIR}/hadoop-policy.xml</span> to restrict |
---|
| 448 | the ability to refresh the service-level authorization configuration to |
---|
| 449 | certain users/groups.</p> |
---|
| 450 | <a name="N10151"></a><a name="Examples"></a> |
---|
| 451 | <h3 class="h4">Examples</h3> |
---|
| 452 | <p>Allow only users <span class="codefrag">alice</span>, <span class="codefrag">bob</span> and users in the |
---|
| 453 | <span class="codefrag">mapreduce</span> group to submit jobs to the Map/Reduce cluster:</p> |
---|
| 454 | <table class="ForrestTable" cellspacing="1" cellpadding="4"> |
---|
| 455 | |
---|
| 456 | <tr> |
---|
| 457 | <td colspan="1" rowspan="1"> <property></td> |
---|
| 458 | </tr> |
---|
| 459 | |
---|
| 460 | <tr> |
---|
| 461 | <td colspan="1" rowspan="1"> <name>security.job.submission.protocol.acl</name></td> |
---|
| 462 | </tr> |
---|
| 463 | |
---|
| 464 | <tr> |
---|
| 465 | <td colspan="1" rowspan="1"> <value>alice,bob mapreduce</value></td> |
---|
| 466 | </tr> |
---|
| 467 | |
---|
| 468 | <tr> |
---|
| 469 | <td colspan="1" rowspan="1"> </property></td> |
---|
| 470 | </tr> |
---|
| 471 | |
---|
| 472 | </table> |
---|
| 473 | <p></p> |
---|
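| 474 | <p>Allow only DataNodes running as the users who belong to the |
---|
| 475 | group <span class="codefrag">datanodes</span> to communicate with the NameNode (the value starts with a blank, so <span class="codefrag">datanodes</span> is read as a group, not a user):</p> |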
---|
| 476 | <table class="ForrestTable" cellspacing="1" cellpadding="4"> |
---|
| 477 | |
---|
| 478 | <tr> |
---|
| 479 | <td colspan="1" rowspan="1"> <property></td> |
---|
| 480 | </tr> |
---|
| 481 | |
---|
| 482 | <tr> |
---|
| 483 | <td colspan="1" rowspan="1"> <name>security.datanode.protocol.acl</name></td> |
---|
| 484 | </tr> |
---|
| 485 | |
---|
| 486 | <tr> |
---|
| 487 | <td colspan="1" rowspan="1"> <value> datanodes</value></td> |
---|
| 488 | </tr> |
---|
| 489 | |
---|
| 490 | <tr> |
---|
| 491 | <td colspan="1" rowspan="1"> </property></td> |
---|
| 492 | </tr> |
---|
| 493 | |
---|
| 494 | </table> |
---|
| 495 | <p></p> |
---|
| 496 | <p>Allow any user to talk to the HDFS cluster as a DFSClient:</p> |
---|
| 497 | <table class="ForrestTable" cellspacing="1" cellpadding="4"> |
---|
| 498 | |
---|
| 499 | <tr> |
---|
| 500 | <td colspan="1" rowspan="1"> <property></td> |
---|
| 501 | </tr> |
---|
| 502 | |
---|
| 503 | <tr> |
---|
| 504 | <td colspan="1" rowspan="1"> <name>security.client.protocol.acl</name></td> |
---|
| 505 | </tr> |
---|
| 506 | |
---|
| 507 | <tr> |
---|
| 508 | <td colspan="1" rowspan="1"> <value>*</value></td> |
---|
| 509 | </tr> |
---|
| 510 | |
---|
| 511 | <tr> |
---|
| 512 | <td colspan="1" rowspan="1"> </property></td> |
---|
| 513 | </tr> |
---|
| 514 | |
---|
| 515 | </table> |
---|
| 516 | </div> |
---|
| 517 | |
---|
| 518 | |
---|
| 519 | </div> |
---|
| 520 | <!--+ |
---|
| 521 | |end content |
---|
| 522 | +--> |
---|
| 523 | <div class="clearboth"> </div> |
---|
| 524 | </div> |
---|
| 525 | <div id="footer"> |
---|
| 526 | <!--+ |
---|
| 527 | |start bottomstrip |
---|
| 528 | +--> |
---|
| 529 | <div class="lastmodified"> |
---|
| 530 | <script type="text/javascript"><!-- |
---|
| 531 | document.write("Last Published: " + document.lastModified); |
---|
| 532 | // --></script> |
---|
| 533 | </div> |
---|
| 534 | <div class="copyright"> |
---|
| 535 | Copyright © |
---|
| 536 | 2008 <a href="http://www.apache.org/licenses/">The Apache Software Foundation.</a> |
---|
| 537 | </div> |
---|
| 538 | <!--+ |
---|
| 539 | |end bottomstrip |
---|
| 540 | +--> |
---|
| 541 | </div> |
---|
| 542 | </body> |
---|
| 543 | </html> |
---|