This topic describes how to manage the permissions of JindoFS in block storage mode or in cache mode. You cannot switch between the block storage mode and cache mode.

Background information

Permission management based on the storage mode:
  • In block storage mode, you can run UNIX commands or use Ranger to manage permissions:
    • UNIX allows you to grant the rwxrwxrwx permission on files and configure owners and groups of files.
    • Ranger allows you to perform complex or advanced operations, such as using wildcards in paths.
  • In cache mode, you can use only Ranger to manage permissions.

    Ranger allows you to perform complex or advanced operations, such as using wildcards in paths.

JindoFS permissions

Enable UNIX-based permission management

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Go to the namespace tab for the SmartData service.
    1. Click the Configure tab.
    2. Click the namespace tab in the Service Configuration section.
  3. Click Custom Configuration in the upper-right corner. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to unix, and click OK.
  4. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  5. Restart Namespace Service.
    1. Choose Actions > Restart Jindo Namespace Service in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    After the service is restarted, you can run UNIX commands to manage JindoFS permissions in the same way that you manage HDFS permissions. You can use the following commands:
    hadoop fs -chmod 777 jfs://{namespace_name}/dir1/file1
    hadoop fs -chown john:staff jfs://{namespace_name}/dir1/file1
    If a user does not have permissions on a file, the error shown in the following figure is returned.
    [Figure: error]
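
Mode 777, as used in the chmod command above, gives every user write access to the file, so after enabling UNIX-based permissions it is worth checking a namespace for such entries. The following script is an added example, not part of the original documentation: it filters output in the `hadoop fs -ls -R` format and reports entries that are writable by "other". The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report world-writable entries in a recursive JindoFS listing.
# Input columns follow `hadoop fs -ls -R`:
#   perms  replication  owner  group  size  date  time  path

# Constructed sample listing (not output from a real cluster).
sample_listing() {
cat <<'EOF'
Found 4 items
drwxr-x---   - john staff          0 2021-03-01 10:02 jfs://test/dir1
-rwxrwxrwx   1 john staff       1024 2021-03-01 10:15 jfs://test/dir1/file1
-rw-r-----   1 john staff       2048 2021-03-01 10:16 jfs://test/dir1/file2
drwxrwxrwt   - hadoop hadoop       0 2021-03-01 09:00 jfs://test/tmp
EOF
}

# Print "<tag> <perms> <owner>:<group> <path>" for each entry whose "other"
# class has the write bit (9th character of the mode string).
# Sticky directories (10th character t/T) are tagged separately, because only
# the owner of an entry can delete or rename it there.
audit_world_writable() {
  awk '
    NF >= 8 && $1 ~ /^[-dl][-rwxsStT]+/ && substr($1, 9, 1) == "w" {
      path = $8
      for (i = 9; i <= NF; i++) path = path " " $i   # paths may contain spaces
      tag = (substr($1, 10, 1) ~ /[tT]/) ? "sticky" : "WORLD-WRITABLE"
      printf "%s %s %s:%s %s\n", tag, $1, $3, $4, path
    }'
}

# On a cluster, feed it the real listing instead of the sample:
#   hadoop fs -ls -R jfs://{namespace_name}/ | audit_world_writable
sample_listing | audit_world_writable
```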

Enable Ranger-based permission management

Before you can use Ranger to manage permissions, you must first configure permissions in the Apache Ranger component of EMR and activate the Ranger plug-in in JindoFS. Then, you can manage JindoFS permissions in Ranger in the same way that you manage permissions for other components.

  1. Configure Ranger as a permission management method in JindoFS.
    1. On the namespace tab for the SmartData service, click Custom Configuration.
    2. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to ranger, and click OK.
    3. Save the configurations.
      1. In the upper-right corner of the Service Configuration section, click Save.
      2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
      3. Click OK.
    4. Restart Namespace Service.
      1. Choose Actions > Restart Jindo Namespace Service in the upper-right corner.
      2. In the Cluster Activities dialog box, specify Description and click OK.
  2. Add the HDFS service on the web UI of Ranger and configure related parameters.
    1. Log on to the Ranger web UI.
      For more information, see Overview.
    2. Add the HDFS service on the web UI of Ranger.
    3. Configure the parameters that are described in the following table.
      | Parameter | Description |
      | --- | --- |
      | Service Name | Set this parameter in the format of jfs-{namespace_name}. Example: jfs-test. |
      | Username | Customize a username. |
      | Password | Customize a password. |
      | Namenode URL | Set this parameter in the format of jfs://{namespace_name}/. |
      | Authorization Enabled | Retain the default value No. |
      | Authentication Type | Retain the default value Simple. |
      | dfs.datanode.kerberos.principal | Leave this parameter empty. |
      | dfs.namenode.kerberos.principal | Leave this parameter empty. |
      | dfs.secondary.namenode.kerberos.principal | Leave this parameter empty. |
      | Add New Configurations | Leave this parameter empty. |
    4. Click Add.

Enable synchronization of user groups from an LDAP server in JindoFS

If you have enabled synchronization of user groups from an LDAP server in Ranger Usersync, you must also enable this feature in JindoFS. Otherwise, JindoFS cannot obtain the information about user groups that are synchronized from the LDAP server and cannot verify the permissions of the user groups.

  1. On the namespace tab for the SmartData service, click Custom Configuration.
  2. In the Add Configuration Item dialog box, configure the LDAP parameters described in the following table and click OK.
    Note: Configure the parameters based on the configurations in open source HDFS. For more information, see core-default.xml.

    | Parameter | Example |
    | --- | --- |
    | hadoop.security.group.mapping | org.apache.hadoop.security.CompositeGroupsMapping |
    | hadoop.security.group.mapping.providers | shell4services,ad4users |
    | hadoop.security.group.mapping.providers.combined | true |
    | hadoop.security.group.mapping.provider.shell4services | org.apache.hadoop.security.ShellBasedUnixGroupsMapping |
    | hadoop.security.group.mapping.provider.ad4users | org.apache.hadoop.security.LdapGroupsMapping |
    | hadoop.security.group.mapping.ldap.url | ldap://emr-header-1:10389 |
    | hadoop.security.group.mapping.ldap.search.filter.user | (&(objectClass=person)(uid={0})) |
    | hadoop.security.group.mapping.ldap.search.filter.group | (objectClass=groupOfNames) |
    | hadoop.security.group.mapping.ldap.base | o=emr |
  3. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  4. Restart all components of the SmartData service.
    1. Choose Actions > Restart All Components in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
  5. Log on to the emr-header-1 node of the EMR cluster in SSH mode and connect Ranger Usersync to the LDAP server.
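
The LDAP group-mapping parameters in step 2 depend on each other: every name listed in `hadoop.security.group.mapping.providers` needs a matching `hadoop.security.group.mapping.provider.<name>` class, and the user search filter needs the `{0}` placeholder. The following consistency check is an added example, not part of the original documentation. It reads constructed "key value" lines that hold the example values from the table. The function names are hypothetical, and `hadoop.security.group.mapping.ldap.ssl` is a key from Hadoop's core-default.xml that does not appear on this page.

```shell
#!/bin/sh
# Added example: consistency check for the group-mapping keys before saving.

# Constructed input: the example values from the table, one "key value" per line.
sample_group_mapping() {
cat <<'EOF'
hadoop.security.group.mapping org.apache.hadoop.security.CompositeGroupsMapping
hadoop.security.group.mapping.providers shell4services,ad4users
hadoop.security.group.mapping.providers.combined true
hadoop.security.group.mapping.provider.shell4services org.apache.hadoop.security.ShellBasedUnixGroupsMapping
hadoop.security.group.mapping.provider.ad4users org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.ldap.url ldap://emr-header-1:10389
hadoop.security.group.mapping.ldap.search.filter.user (&(objectClass=person)(uid={0}))
hadoop.security.group.mapping.ldap.search.filter.group (objectClass=groupOfNames)
hadoop.security.group.mapping.ldap.base o=emr
EOF
}

# Read "key value" lines on stdin and print one ERROR/WARN line per finding.
lint_group_mapping() {
  awk '
    NF >= 2 { key = $1; sub(/^[^ ]+ +/, ""); conf[key] = $0 }
    END {
      p = "hadoop.security.group.mapping"
      # The providers list only takes effect with the composite mapping class.
      if (conf[p] !~ /CompositeGroupsMapping$/)
        print "WARN: " p " is not CompositeGroupsMapping; providers are ignored"
      # Each listed provider must have its own class entry.
      n = split(conf[p ".providers"], names, ",")
      for (i = 1; i <= n; i++) {
        k = p ".provider." names[i]
        if (!(k in conf)) print "ERROR: provider " names[i] " has no " k " entry"
      }
      # {0} is replaced with the user name at lookup time.
      if (index(conf[p ".ldap.search.filter.user"], "{0}") == 0)
        print "ERROR: " p ".ldap.search.filter.user lacks the {0} placeholder"
      # Plain ldap:// without the ssl key means lookups are not encrypted.
      if (conf[p ".ldap.url"] !~ /^ldaps:/ && conf[p ".ldap.ssl"] != "true")
        print "WARN: " p ".ldap.url is not ldaps:// and " p ".ldap.ssl is not true; group lookups are sent unencrypted"
    }'
}

sample_group_mapping | lint_group_mapping
```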