This topic describes how to manage the permissions of JindoFS in block storage mode. You can run UNIX commands or use Ranger to manage permissions.

Background information

UNIX-style permissions let you set rwxrwxrwx mode bits on files and configure the owner and group of each file. JindoFS checks a user's access against these settings. Ranger allows you to configure complex permissions. For example, you can use wildcards in paths when you configure a permission. To use Ranger to manage permissions, you must first configure permissions in the Apache Ranger component of EMR and activate the Ranger plug-in in JindoFS. Then, you can manage JindoFS permissions in Ranger in the same way as you manage permissions for other components.

Enable UNIX-based permission management

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Configure bigboot parameters.
    1. Click the Configure tab.
    2. Click the bigboot tab in the Service Configuration section.
  3. Click Custom Configuration. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to unix and click OK.
  4. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  5. Select Restart Jindo Namespace Service from the Actions drop-down list in the upper-right corner.
    After the service is restarted, you can run UNIX commands to manage JindoFS permissions in the same way as you manage HDFS permissions. You can use the following commands:
    hadoop fs -chmod 777 jfs://{namespace_name}/dir1/file1
    hadoop fs -chown john:staff jfs://{namespace_name}/dir1/file1

    If a user does not have permissions on a file, the following error is returned:

    error
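
An added example, not part of the original documentation: once modes, owners and groups are managed with chmod and chown as shown above, a recursive listing can be audited for settings that are broader than intended. The code parses the output format of hadoop fs -ls -R; the namespace test, the sample listing and the allowed-group list are constructed assumptions.

```python
import re

# One line of hadoop fs -ls -R output:
# mode, replication, owner, group, size, date, time, path.
LS_LINE = re.compile(
    r"^(?P<mode>[d-][rwxsStT-]{9})[+.]?\s+\S+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<path>jfs://.+)$"
)

def audit_listing(listing, allowed_groups=()):
    """Return (path, reason) pairs for modes broader than intended."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # "Found N items" headers and blank lines
        mode, group, path = m["mode"], m["group"], m["path"]
        is_dir, group_bits, other_bits = mode[0] == "d", mode[4:7], mode[7:10]
        if "w" in other_bits:
            if not is_dir:
                findings.append((path, "world-writable file"))
            elif other_bits[2] not in "tT":
                # Without the sticky bit, any user can delete or rename
                # entries that other users created in this directory.
                findings.append((path, "world-writable directory without sticky bit"))
        if allowed_groups and "w" in group_bits and group not in allowed_groups:
            findings.append((path, f"group-writable by unexpected group {group}"))
    return findings

# Constructed sample listing; the namespace "test" is an assumption.
SAMPLE_LISTING = """\
Found 5 items
drwxrwxrwx   - hadoop hadoop          0 2021-03-01 10:00 jfs://test/dir1
-rwxrwxrwx   1 john   staff        1024 2021-03-01 10:05 jfs://test/dir1/file1
-rw-r-----   1 john   staff        2048 2021-03-01 10:06 jfs://test/dir1/file2
-rw-rw-r--   1 john   contractors   512 2021-03-01 10:08 jfs://test/dir1/file3
drwxrwxrwt   - hadoop hadoop          0 2021-03-01 10:07 jfs://test/tmp
"""

if __name__ == "__main__":
    for path, reason in audit_listing(SAMPLE_LISTING, allowed_groups=("hadoop", "staff")):
        print(f"{reason}: {path}")
```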

Enable Ranger-based permission management

  1. Configure Ranger as a permission management method in JindoFS.
    1. On the bigboot tab for the SmartData service, click Custom Configuration.
    2. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to ranger and click OK.
    3. Save the configurations.
      1. In the upper-right corner of the Service Configuration section, click Save.
      2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
      3. Click OK.
    4. Select Restart Jindo Namespace Service from the Actions drop-down list in the upper-right corner.
  2. Add the HDFS service on the web UI of Ranger and configure required parameters.
    1. Log on to the Ranger web UI.
      For more information, see Overview.
    2. Add the HDFS service on the web UI of Ranger.
    3. Configure required parameters.
      Parameter                                  Description
      Service Name                               Set this parameter in the format of jfs-{namespace_name}.
      Username                                   Customize a username.
      Password                                   Customize a password.
      Namenode URL                               Set this parameter in the format of jfs://{namespace_name}.
      Authorization Enabled                      Retain the default value No.
      Authentication Type                        Retain the default value Simple.
      dfs.datanode.kerberos.principal            Leave these parameters empty.
      dfs.namenode.kerberos.principal
      dfs.secondary.namenode.kerberos.principal
      Add New Configurations                     Leave this parameter empty.
    4. Click Add.

Enable synchronization of user groups from an LDAP server in JindoFS

If you have enabled synchronization of user groups from an LDAP server in Ranger Usersync, you must also enable this feature in JindoFS. Otherwise, JindoFS cannot obtain the user group information that is synchronized from the LDAP server and cannot verify the permissions of the user groups.

  1. On the bigboot tab for the SmartData service, click Custom Configuration.
  2. In the Add Configuration Item dialog box, configure the LDAP parameters listed in the following table and click OK.
    Parameter                                               Example
    hadoop.security.group.mapping                           org.apache.hadoop.security.CompositeGroupsMapping
    hadoop.security.group.mapping.providers                 shell4services,ad4users
    hadoop.security.group.mapping.providers.combined        true
    hadoop.security.group.mapping.provider.shell4services   org.apache.hadoop.security.ShellBasedUnixGroupsMapping
    hadoop.security.group.mapping.provider.ad4users         org.apache.hadoop.security.LdapGroupsMapping
    hadoop.security.group.mapping.ldap.url                  ldap://emr-header-1:10389
    hadoop.security.group.mapping.ldap.search.filter.user   (&(objectClass=person)(uid={0}))
    hadoop.security.group.mapping.ldap.search.filter.group  (objectClass=groupOfNames)
    hadoop.security.group.mapping.ldap.base                 o=emr
    Note: Configure the parameters based on the configurations in open source HDFS.
  3. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  4. Select Restart All Components from the Actions drop-down list in the upper-right corner.
  5. Log on to the emr-header-1 node of the EMR cluster by using SSH and connect Ranger Usersync to the LDAP server.
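
An added example, not part of the original documentation: the group-mapping items in the table above depend on each other, so a consistency check is useful before they are entered as custom configuration items. The function lint_group_mapping and its messages are hypothetical, and it checks only the keys shown on this page.

```python
PREFIX = "hadoop.security.group.mapping"
COMPOSITE = "org.apache.hadoop.security.CompositeGroupsMapping"
LDAP = "org.apache.hadoop.security.LdapGroupsMapping"

def lint_group_mapping(conf):
    """Return a list of problems in a dict of custom configuration items."""
    if conf.get(PREFIX) != COMPOSITE:
        return [f"{PREFIX} is not set to {COMPOSITE}"]
    problems = []
    listed = [n.strip() for n in conf.get(f"{PREFIX}.providers", "").split(",") if n.strip()]
    marker = f"{PREFIX}.provider."
    defined = {k[len(marker):] for k in conf if k.startswith(marker)}
    # Every name in the providers list needs a matching provider.<name> class.
    for name in listed:
        if name not in defined:
            problems.append(f"provider {name} is listed but has no class configured")
    for name in sorted(defined - set(listed)):
        problems.append(f"provider {name} is configured but not in the providers list")
    # The shared ldap.* keys matter only when a listed provider uses LDAP.
    if any(conf[marker + n] == LDAP for n in listed if n in defined):
        url = conf.get(f"{PREFIX}.ldap.url", "")
        if not url.startswith(("ldap://", "ldaps://")):
            problems.append("ldap.url is missing or is not an LDAP URL")
        elif url.startswith("ldap://"):
            problems.append("note: ldap.url uses ldap:// rather than ldaps://")
        if not conf.get(f"{PREFIX}.ldap.base"):
            problems.append("ldap.base is missing")
        user_filter = conf.get(f"{PREFIX}.ldap.search.filter.user")
        # {0} is the placeholder that is replaced with the user name.
        if user_filter is not None and "{0}" not in user_filter:
            problems.append("search.filter.user lacks the {0} user name placeholder")
    return problems

# The example values from the table above, keyed as on the page.
PAGE_CONF = {
    PREFIX: COMPOSITE,
    f"{PREFIX}.providers": "shell4services,ad4users",
    f"{PREFIX}.providers.combined": "true",
    f"{PREFIX}.provider.shell4services": "org.apache.hadoop.security.ShellBasedUnixGroupsMapping",
    f"{PREFIX}.provider.ad4users": LDAP,
    f"{PREFIX}.ldap.url": "ldap://emr-header-1:10389",
    f"{PREFIX}.ldap.search.filter.user": "(&(objectClass=person)(uid={0}))",
    f"{PREFIX}.ldap.search.filter.group": "(objectClass=groupOfNames)",
    f"{PREFIX}.ldap.base": "o=emr",
}
```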