This topic describes how to manage the permissions of JindoFS in block storage mode. You can run UNIX commands or use Ranger to manage permissions.

Background information

To use Ranger to manage permissions, you must first configure permissions in the Apache Ranger component of E-MapReduce (EMR) and activate the Ranger plug-in in JindoFS. You can then manage JindoFS permissions in Ranger in the same way as you manage permissions on other components.

JindoFS permissions

In block storage mode, you can run UNIX commands or use Ranger to manage permissions:
  • UNIX allows you to grant the rwxrwxrwx permission on files.
  • Ranger allows you to use wildcards in paths when you configure a permission.

Enable UNIX-based permission management

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Go to the namespace tab for the SmartData service.
    1. Click the Configure tab.
    2. Click the namespace tab in the Service Configuration section.
  3. Click Custom Configuration. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to unix and click OK.
  4. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  5. Restart Namespace Service.
    1. Select Restart Jindo Namespace Service from the Actions drop-down list in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    After the service is restarted, you can run UNIX commands to manage JindoFS permissions in the same way as you manage HDFS permissions. You can use the following commands:
    hadoop fs -chmod 777 jfs://{namespace_name}/dir1/file1
    hadoop fs -chown john:staff jfs://{namespace_name}/dir1/file1
    If a user does not have permissions on a file, an error is returned.
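
Once UNIX-based permissions are active, modes such as the 777 used in the chmod command above are enforced as written, so it is worth checking which paths grant write access to every user. The following script is an added example, not part of the original documentation: it flags world-writable entries in `hadoop fs -ls -R` output and prints a corrective command for each. The sample listing, the namespace name "test", and the function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag world-writable entries in `hadoop fs -ls -R` output.

# Constructed sample listing; namespace "test", users and paths are made up.
sample_listing() {
cat <<'EOF'
drwxr-xr-x   - hadoop hadoop          0 2021-03-01 10:00 jfs://test/dir1
-rwxrwxrwx   1 john   staff        2048 2021-03-01 10:05 jfs://test/dir1/file1
-rw-r-----   1 john   staff         512 2021-03-01 10:06 jfs://test/dir1/file2
drwxrwxrwt   - hadoop hadoop          0 2021-03-01 10:07 jfs://test/tmp
drwxrwxrwx   - etl    staff           0 2021-03-01 10:08 jfs://test/landing
EOF
}

# Reads a listing on stdin and prints "<mode> <owner>:<group> <path>" for each
# entry that grants write to "other". Sticky-bit directories (mode ending in
# t or T) are skipped, because deletion there is limited to the entry owner.
find_world_writable() {
  awk '
    NF >= 8 && $1 ~ /^[-d]/ {
      mode = $1
      if (substr(mode, 9, 1) != "w") next          # other-write not set
      if (substr(mode, 10, 1) ~ /[tT]/) next       # sticky bit set
      path = $8
      for (i = 9; i <= NF; i++) path = path " " $i # paths may contain spaces
      print mode, $3 ":" $4, path
    }'
}

# Prints (does not run) one command per finding that removes other-write.
suggest_fixes() {
  find_world_writable | awk '{
    path = $3
    for (i = 4; i <= NF; i++) path = path " " $i
    printf "hadoop fs -chmod o-w \"%s\"\n", path
  }'
}

# Live use: hadoop fs -ls -R jfs://{namespace_name}/ | find_world_writable
sample_listing | suggest_fixes
```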

Enable Ranger-based permission management

  1. Configure Ranger as a permission management method in JindoFS.
    1. On the namespace tab for the SmartData service, click Custom Configuration.
    2. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to ranger and click OK.
    3. Save the configurations.
      1. In the upper-right corner of the Service Configuration section, click Save.
      2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
      3. Click OK.
    4. Restart Namespace Service.
      1. Select Restart Jindo Namespace Service from the Actions drop-down list in the upper-right corner.
      2. In the Cluster Activities dialog box, specify Description and click OK.
  2. Add the HDFS service on the web UI of Ranger and configure the required parameters.
    1. Log on to the Ranger web UI.
      For more information, see Overview.
    2. Add the HDFS service on the web UI of Ranger.
    3. Configure the parameters described in the following table.
      Parameter | Description
      Service Name | Set this parameter in the format of jfs-{namespace_name}.
      Username | Customize a username.
      Password | Customize a password.
      Namenode URL | Set this parameter in the format of jfs://{namespace_name}.
      Authorization Enabled | Retain default value No.
      Authentication Type | Retain default value Simple.
      dfs.datanode.kerberos.principal | Leave this parameter empty.
      dfs.namenode.kerberos.principal | Leave this parameter empty.
      dfs.secondary.namenode.kerberos.principal | Leave this parameter empty.
      Add New Configurations | Leave this parameter empty.
    4. Click Add.

Enable synchronization of user groups from an LDAP server in JindoFS

If you have enabled synchronization of user groups from an LDAP server in Ranger Usersync, you also need to enable this feature in JindoFS. Otherwise, JindoFS cannot obtain the information of user groups synchronized from the LDAP server and cannot verify the permissions of the user groups.

  1. On the namespace tab for the SmartData service, click Custom Configuration.
  2. In the Add Configuration Item dialog box, configure the LDAP parameters listed in the following table and click OK.
    Parameter | Example
    hadoop.security.group.mapping | org.apache.hadoop.security.CompositeGroupsMapping
    hadoop.security.group.mapping.providers | shell4services,ad4users
    hadoop.security.group.mapping.providers.combined | true
    hadoop.security.group.mapping.provider.shell4services | org.apache.hadoop.security.ShellBasedUnixGroupsMapping
    hadoop.security.group.mapping.provider.ad4users | org.apache.hadoop.security.LdapGroupsMapping
    hadoop.security.group.mapping.ldap.url | ldap://emr-header-1:10389
    hadoop.security.group.mapping.ldap.search.filter.user | (&(objectClass=person)(uid={0}))
    hadoop.security.group.mapping.ldap.search.filter.group | (objectClass=groupOfNames)
    hadoop.security.group.mapping.ldap.base | o=emr

    Note: Configure the parameters based on the configurations in open source HDFS.
  3. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  4. Restart all components of the SmartData service.
    1. Select Restart All Components from the Actions drop-down list in the upper-right corner.
  5. Log on to the emr-header-1 node of the EMR cluster in SSH mode and connect Ranger Usersync to the LDAP server.
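
A mistyped provider name in the LDAP parameters of step 2 leaves JindoFS unable to resolve the groups that Ranger policies refer to, so a consistency check before saving is useful. The following script is an added example, not part of the original documentation: it verifies that every name in hadoop.security.group.mapping.providers has a matching provider class, that the LDAP URL and base are set when an LDAP provider is used, and reports an ldap:// URL. The "key value" input format and the function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: consistency check for a CompositeGroupsMapping configuration.

# Constructed input: the example values from the table, as "key value" lines.
sample_config() {
cat <<'EOF'
hadoop.security.group.mapping org.apache.hadoop.security.CompositeGroupsMapping
hadoop.security.group.mapping.providers shell4services,ad4users
hadoop.security.group.mapping.providers.combined true
hadoop.security.group.mapping.provider.shell4services org.apache.hadoop.security.ShellBasedUnixGroupsMapping
hadoop.security.group.mapping.provider.ad4users org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.ldap.url ldap://emr-header-1:10389
hadoop.security.group.mapping.ldap.search.filter.user (&(objectClass=person)(uid={0}))
hadoop.security.group.mapping.ldap.search.filter.group (objectClass=groupOfNames)
hadoop.security.group.mapping.ldap.base o=emr
EOF
}

# Reads "key value" lines on stdin; prints one ERROR/WARN line per problem
# and nothing when the configuration is consistent.
check_group_mapping() {
  awk '
    NF >= 1 {
      key = $1; val = $0
      sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # strip the key, keep the value
      conf[key] = val
    }
    END {
      p = "hadoop.security.group.mapping"
      if (conf[p] !~ /CompositeGroupsMapping$/)
        print "WARN " p " is not CompositeGroupsMapping"
      n = split(conf[p ".providers"], names, ",")
      if (n == 0) print "ERROR " p ".providers is empty"
      for (i = 1; i <= n; i++) {
        cls = conf[p ".provider." names[i]]
        if (cls == "") print "ERROR no class set for provider " names[i]
        if (cls ~ /LdapGroupsMapping$/) uses_ldap = 1
      }
      if (uses_ldap) {
        if (conf[p ".ldap.url"] == "")  print "ERROR " p ".ldap.url is not set"
        if (conf[p ".ldap.base"] == "") print "ERROR " p ".ldap.base is not set"
        if (conf[p ".ldap.url"] ~ /^ldap:\/\//)
          print "WARN " p ".ldap.url uses ldap:// rather than ldaps://"
      }
    }'
}

sample_config | check_group_mapping
```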