Home Explore Help
Register Sign In
apache
/
hadoop
mirror of https://github.com/apache/hadoop.git
2
0
Fork 1
Files Issues 0 Wiki
Tree: 0cc08f6da4
Branches Tags
hadoop
/
hadoop-common-project
/
hadoop-common
/
src
/
site
/
apt
/
ServiceLevelAuth.apt.vm

ServiceLevelAuth.apt.vm 8.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. ~~ Licensed under the Apache License, Version 2.0 (the "License");
    2. 

  2. ~~ you may not use this file except in compliance with the License.
    3. 

  3. ~~ You may obtain a copy of the License at
    4. 

  4. ~~
    5. 

  5. ~~   http://www.apache.org/licenses/LICENSE-2.0
    6. 

  6. ~~
    7. 

  7. ~~ Unless required by applicable law or agreed to in writing, software
    8. 

  8. ~~ distributed under the License is distributed on an "AS IS" BASIS,
    9. 

  9. ~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    10. 

  10. ~~ See the License for the specific language governing permissions and
    11. 

  11. ~~ limitations under the License. See accompanying LICENSE file.
    12. 

  12. 

  13.   ---
    14. 

  14.   Service Level Authorization Guide
    15. 

  15.   ---
    16. 

  16.   ---
    17. 

  17.   ${maven.build.timestamp}
    18. 

  18. 

  19. Service Level Authorization Guide
    20. 

  20. 

  21. %{toc|section=1|fromDepth=0}
    22. 

  22. 

  23. * Purpose
    24. 

  24. 

  25.    This document describes how to configure and manage Service Level
    26. 

  26.    Authorization for Hadoop.
    27. 

  27. 

  28. * Prerequisites
    29. 

  29. 

  30.    Make sure Hadoop is installed, configured and setup correctly. For more
    31. 

  31.    information see:
    32. 

  32. 

  33.      * {{{./SingleCluster.html}Single Node Setup}} for first-time users.
    34. 

  34. 

  35.      * {{{./ClusterSetup.html}Cluster Setup}} for large, distributed clusters.
    36. 

  36. 

  37. * Overview
    38. 

  38. 

  39.    Service Level Authorization is the initial authorization mechanism to
    40. 

  40.    ensure clients connecting to a particular Hadoop service have the
    41. 

  41.    necessary, pre-configured, permissions and are authorized to access the
    42. 

  42.    given service. For example, a MapReduce cluster can use this mechanism
    43. 

  43.    to allow a configured list of users/groups to submit jobs.
    44. 

  44. 

  45.    The <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>> configuration file is used to
    46. 

  46.    define the access control lists for various Hadoop services.
    47. 

  47. 

  48.    Service Level Authorization is performed much before to other access
    49. 

  49.    control checks such as file-permission checks, access control on job
    50. 

  50.    queues etc.
    51. 

  51. 

  52. * Configuration
    53. 

  53. 

  54.    This section describes how to configure service-level authorization via
    55. 

  55.    the configuration file <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>>.
    56. 

  56. 

  57. ** Enable Service Level Authorization
    58. 

  58. 

  59.    By default, service-level authorization is disabled for Hadoop. To
    60. 

  60.    enable it set the configuration property hadoop.security.authorization
    61. 

  61.    to true in <<<${HADOOP_CONF_DIR}/core-site.xml>>>.
    62. 

  62. 

  63. ** Hadoop Services and Configuration Properties
    64. 

  64. 

  65.    This section lists the various Hadoop services and their configuration
    66. 

  66.    knobs:
    67. 

  67. 

  68. *-------------------------------------+--------------------------------------+
    69. 

  69. || Property                           || Service
    70. 

  70. *-------------------------------------+--------------------------------------+
    71. 

  71. security.client.protocol.acl          | ACL for ClientProtocol, which is used by user code via the DistributedFileSystem.
    72. 

  72. *-------------------------------------+--------------------------------------+
    73. 

  73. security.client.datanode.protocol.acl | ACL for ClientDatanodeProtocol, the client-to-datanode protocol for block recovery.
    74. 

  74. *-------------------------------------+--------------------------------------+
    75. 

  75. security.datanode.protocol.acl        | ACL for DatanodeProtocol, which is used by datanodes to communicate with the namenode.
    76. 

  76. *-------------------------------------+--------------------------------------+
    77. 

  77. security.inter.datanode.protocol.acl  | ACL for InterDatanodeProtocol, the inter-datanode protocol for updating generation timestamp.
    78. 

  78. *-------------------------------------+--------------------------------------+
    79. 

  79. security.namenode.protocol.acl        | ACL for NamenodeProtocol, the protocol used by the secondary namenode to communicate with the namenode.
    80. 

  80. *-------------------------------------+--------------------------------------+
    81. 

  81. security.inter.tracker.protocol.acl   | ACL for InterTrackerProtocol, used by the tasktrackers to communicate with the jobtracker.
    82. 

  82. *-------------------------------------+--------------------------------------+
    83. 

  83. security.job.submission.protocol.acl  | ACL for JobSubmissionProtocol, used by job clients to communciate with the jobtracker for job submission, querying job status etc.
    84. 

  84. *-------------------------------------+--------------------------------------+
    85. 

  85. security.task.umbilical.protocol.acl  | ACL for TaskUmbilicalProtocol, used by the map and reduce tasks to communicate with the parent tasktracker.
    86. 

  86. *-------------------------------------+--------------------------------------+
    87. 

  87. security.refresh.policy.protocol.acl  | ACL for RefreshAuthorizationPolicyProtocol, used by the dfsadmin and mradmin commands to refresh the security policy in-effect.
    88. 

  88. *-------------------------------------+--------------------------------------+
    89. 

  89. security.ha.service.protocol.acl      | ACL for HAService protocol used by HAAdmin to manage the active and stand-by states of namenode.
    90. 

  90. *-------------------------------------+--------------------------------------+
    91. 

  91. 

  92. ** Access Control Lists
    93. 

  93. 

  94.    <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>> defines an access control list for
    95. 

  95.    each Hadoop service. Every access control list has a simple format:
    96. 

  96. 

  97.    The list of users and groups are both comma separated list of names.
    98. 

  98.    The two lists are separated by a space.
    99. 

  99. 

  100.    Example: <<<user1,user2 group1,group2>>>.
    101. 

  101. 

  102.    Add a blank at the beginning of the line if only a list of groups is to
    103. 

  103.    be provided, equivalently a comma-separated list of users followed by
    104. 

  104.    a space or nothing implies only a set of given users.
    105. 

  105. 

  106.    A special value of <<<*>>> implies that all users are allowed to access the
    107. 

  107.    service. 
    108. 

  108.    
    109. 

  109.    If access control list is not defined for a service, the value of
    110. 

  110.    <<<security.service.authorization.default.acl>>> is applied. If 
    111. 

  111.    <<<security.service.authorization.default.acl>>> is not defined, <<<*>>>  is applied.
    112. 

  112. 

  113.  ** Blocked Access Control Lists
    114. 

  114. 

  115.    In some cases, it is required to specify blocked access control list for a service. This specifies
    116. 

  116.    the list of users and groups who are not authorized to access the service. The format of
    117. 

  117.    the blocked access control list is same as that of access control list. The blocked access
    118. 

  118.    control list can be specified via <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>>. The property name
    119. 

  119.    is derived by suffixing with ".blocked".
    120. 

  120. 

  121.    Example: The property name of blocked access control list for <<<security.client.protocol.acl>>
    122. 

  122.    will be <<<security.client.protocol.acl.blocked>>>
    123. 

  123. 

  124.    For a service, it is possible to specify both an access control list and a blocked control
    125. 

  125.    list. A user is authorized to access the service if the user is in the access control and not in
    126. 

  126.    the blocked access control list.
    127. 

  127. 

  128.    If blocked access control list is not defined for a service, the value of
    129. 

  129.    <<<security.service.authorization.default.acl.blocked>>> is applied. If
    130. 

  130.    <<<security.service.authorization.default.acl.blocked>>> is not defined,
    131. 

  131.    empty blocked access control list is applied.
    132. 

  132. 

  133. 

  134. ** Refreshing Service Level Authorization Configuration
    135. 

  135. 

  136.    The service-level authorization configuration for the NameNode and
    137. 

  137.    JobTracker can be changed without restarting either of the Hadoop
    138. 

  138.    master daemons. The cluster administrator can change
    139. 

  139.    <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>> on the master nodes and instruct
    140. 

  140.    the NameNode and JobTracker to reload their respective configurations
    141. 

  141.    via the <<<-refreshServiceAcl>>> switch to <<<dfsadmin>>> and <<<mradmin>>> commands
    142. 

  142.    respectively.
    143. 

  143. 

  144.    Refresh the service-level authorization configuration for the NameNode:
    145. 

  145. 

  146. ----
    147. 

  147.    $ bin/hadoop dfsadmin -refreshServiceAcl
    148. 

  148. ----
    149. 

  149. 

  150.    Refresh the service-level authorization configuration for the
    151. 

  151.    JobTracker:
    152. 

  152. 

  153. ----
    154. 

  154.    $ bin/hadoop mradmin -refreshServiceAcl
    155. 

  155. ----
    156. 

  156. 

  157.    Of course, one can use the <<<security.refresh.policy.protocol.acl>>>
    158. 

  158.    property in <<<${HADOOP_CONF_DIR}/hadoop-policy.xml>>> to restrict access to
    159. 

  159.    the ability to refresh the service-level authorization configuration to
    160. 

  160.    certain users/groups.
    161. 

  161. 

  162. ** Examples
    163. 

  163. 

  164.    Allow only users <<<alice>>>, <<<bob>>> and users in the <<<mapreduce>>> group to submit
    165. 

  165.    jobs to the MapReduce cluster:
    166. 

  166. 

  167. ----
    168. 

  168. <property>
    169. 

  169.      <name>security.job.submission.protocol.acl</name>
    170. 

  170.      <value>alice,bob mapreduce</value>
    171. 

  171. </property>
    172. 

  172. ----
    173. 

  173. 

  174.    Allow only DataNodes running as the users who belong to the group
    175. 

  175.    datanodes to communicate with the NameNode:
    176. 

  176. 

  177. ----
    178. 

  178. <property>
    179. 

  179.      <name>security.datanode.protocol.acl</name>
    180. 

  180.      <value>datanodes</value>
    181. 

  181. </property>
    182. 

  182. ----
    183. 

  183. 

  184.    Allow any user to talk to the HDFS cluster as a DFSClient:
    185. 

  185. 

  186. ----
    187. 

  187. <property>
    188. 

  188.      <name>security.client.protocol.acl</name>
    189. 

  189.      <value>*</value>
    190. 

  190. </property>
    191. 

  191. ----
    192.