E-MapReduce: Manage JindoFS permissions

Last Updated: Mar 26, 2026

JindoFS supports two permission management methods: Unix-based and Apache Ranger-based. The method you can use depends on your storage mode.

| Storage mode | Unix permission | Ranger permission |
| --- | --- | --- |
| Block storage mode | Supported | Supported |
| Cache mode | Not supported | Supported |

You cannot switch between block storage mode and cache mode. Choose the permission method that matches your current storage mode before proceeding.

Enable Unix-based permission management

Unix permission management applies the rwxrwxrwx model to JindoFS files, including file owner and group assignment. This works the same way as Hadoop Distributed File System (HDFS) permission management and is available only in block storage mode.

Prerequisites

Before you begin, make sure you have:

  • An E-MapReduce (EMR) cluster running in block storage mode

  • Access to the EMR console with sufficient permissions to modify SmartData service configurations

Configure Unix permissions

  1. Log on to the Alibaba Cloud EMR console.

  2. In the top navigation bar, select the region where your cluster resides. Select a resource group if needed.

  3. Click the Cluster Management tab. Find your cluster and click Details in the Actions column.

  4. In the left-side navigation pane, click Cluster Service > SmartData.

  5. Click the Configure tab. In the Service Configuration section, click the namespace tab.

  6. Click Custom Configuration in the upper-right corner. In the Add Configuration Item dialog box, set the following fields and click OK:

    • Key: jfs.namespaces.<namespace>.permission.method

    • Value: unix

  7. Save the configuration:

    1. In the upper-right corner of the Service Configuration section, click Save.

    2. In the Confirm Changes dialog box, enter a description and turn on Auto-update Configuration.

    3. Click OK.

  8. Restart the Jindo Namespace Service:

    1. Click Actions > Restart Jindo Namespace Service in the upper-right corner.

    2. In the Cluster Activities dialog box, enter a description and click OK. In the confirmation dialog box, click OK.

After the service restarts, manage JindoFS permissions using standard HDFS commands:

hadoop fs -chmod 777 jfs://{namespace_name}/dir1/file1
hadoop fs -chown john:staff jfs://{namespace_name}/dir1/file1

If a user lacks the required permissions, the following error is returned:

[Screenshot: error message]

Enable Ranger-based permission management

Apache Ranger supports complex permission policies, such as path-based wildcards. It is the only method available in cache mode and can also be used in block storage mode.

Enabling Ranger requires two steps: configure JindoFS to use Ranger as the permission method, then register JindoFS as an HDFS service in the Ranger web UI.

Prerequisites

Before you begin, make sure you have:

  • Apache Ranger deployed and configured in the EMR Apache Ranger component

  • The Ranger plug-in activated in JindoFS

For setup details, see Apache Ranger overview.

Step 1: Configure Ranger as the permission method in JindoFS

  1. On the namespace tab for the SmartData service, click Custom Configuration.

  2. In the Add Configuration Item dialog box, set the following fields and click OK:

    • Key: jfs.namespaces.<namespace>.permission.method

    • Value: ranger

  3. Save the configuration:

    1. In the upper-right corner of the Service Configuration section, click Save.

    2. In the Confirm Changes dialog box, enter a description and turn on Auto-update Configuration.

    3. Click OK.

  4. Restart the Jindo Namespace Service:

    1. Click Actions > Restart Jindo Namespace Service in the upper-right corner.

    2. In the Cluster Activities dialog box, enter a description and click OK. In the confirmation dialog box, click OK.

Step 2: Add JindoFS as an HDFS service in Ranger

  1. Log on to the Ranger web UI. For details, see Apache Ranger overview.

  2. On the Ranger web UI, add an HDFS service.

  3. Configure the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Service Name | Enter the name in the format jfs-{namespace_name}. Example: jfs-test. |
    | Username | Enter a custom username. |
    | Password | Enter a custom password. |
    | NameNode URL | Enter the URL in the format jfs://{namespace_name}/. |
    | Authorization Enabled | Keep the default value No. |
    | Authentication Type | Keep the default value Simple. |
    | dfs.datanode.kerberos.principal | Leave blank. |
    | dfs.namenode.kerberos.principal | Leave blank. |
    | dfs.secondary.namenode.kerberos.principal | Leave blank. |
    | Add New Configurations | |

  4. Click Add.

Enable LDAP user group sync in JindoFS

If Ranger UserSync is configured to sync user groups from an LDAP server, you must also enable LDAP user group sync in JindoFS. Without this, JindoFS cannot resolve LDAP-synchronized user groups and Ranger policies for those groups will not apply.

Configure LDAP parameters

  1. On the namespace tab for the SmartData service, click Custom Configuration.

  2. In the Add Configuration Item dialog box, configure the following LDAP parameters and click OK. These parameters follow the open-source HDFS configuration format. For reference, see core-default.xml.

    | Parameter | Example |
    | --- | --- |
    | hadoop.security.group.mapping | org.apache.hadoop.security.CompositeGroupsMapping |
    | hadoop.security.group.mapping.providers | shell4services,ad4users |
    | hadoop.security.group.mapping.providers.combined | true |
    | hadoop.security.group.mapping.provider.shell4services | org.apache.hadoop.security.ShellBasedUnixGroupsMapping |
    | hadoop.security.group.mapping.provider.ad4users | org.apache.hadoop.security.LdapGroupsMapping |
    | hadoop.security.group.mapping.ldap.url | ldap://emr-header-1:10389 |
    | hadoop.security.group.mapping.ldap.search.filter.user | (&(objectClass=person)(uid={0})) |
    | hadoop.security.group.mapping.ldap.search.filter.group | (objectClass=groupOfNames) |
    | hadoop.security.group.mapping.ldap.base | o=emr |

  3. Save the configuration:

    1. In the upper-right corner of the Service Configuration section, click Save.

    2. In the Confirm Changes dialog box, enter a description and turn on Auto-update Configuration.

    3. Click OK.

  4. Restart all SmartData components:

    1. Click Actions > Restart All Components in the upper-right corner.

    2. In the Cluster Activities dialog box, enter a description and click OK. In the confirmation dialog box, click OK.

  5. Log on to the emr-header-1 node via SSH and connect Ranger UserSync to the LDAP server. For details, see Integrate Ranger UserSync with an LDAP server.
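
The following pre-flight check is an added example, not part of the original page or of any EMR tooling. It reviews a set of custom configuration items before they are saved: the permission method against the storage-mode support table, and the composite group mapping for undefined providers or a user filter without the {0} placeholder. The function name `check_items`, the namespace name "test" and the cleartext ldap:// warning are assumptions of this example, not requirements stated by the page.

```python
import re

# Storage mode -> permission methods, from the support table on this page.
ALLOWED = {"block": {"unix", "ranger"}, "cache": {"ranger"}}
GM = "hadoop.security.group.mapping"
METHOD_KEY = re.compile(r"^jfs\.namespaces\.([^.]+)\.permission\.method$")

def check_items(items, storage_mode):
    """Return findings for a dict of SmartData custom configuration items."""
    findings = []
    for key, value in items.items():
        m = METHOD_KEY.match(key)
        if m and value not in ALLOWED[storage_mode]:
            findings.append(f"namespace {m.group(1)}: '{value}' is not supported in {storage_mode} mode")
    # Every name in .providers needs a matching .provider.<name> class.
    names = [n.strip() for n in items.get(f"{GM}.providers", "").split(",") if n.strip()]
    classes = {n: items.get(f"{GM}.provider.{n}") for n in names}
    findings += [f"provider '{n}' is listed but has no class" for n, c in classes.items() if not c]
    if any(c and c.endswith("LdapGroupsMapping") for c in classes.values()):
        url = items.get(f"{GM}.ldap.url", "")
        if not url:
            findings.append("LDAP provider configured without ldap.url")
        elif url.startswith("ldap://"):
            findings.append("ldap.url is cleartext ldap://")
        # Hadoop substitutes the user name for {0} in the user filter.
        user_filter = items.get(f"{GM}.ldap.search.filter.user")
        if user_filter is not None and "{0}" not in user_filter:
            findings.append("user search filter has no {0} placeholder")
    return findings

# The page's example values; the namespace name "test" is constructed.
PAGE_EXAMPLE = {
    "jfs.namespaces.test.permission.method": "ranger",
    GM: "org.apache.hadoop.security.CompositeGroupsMapping",
    f"{GM}.providers": "shell4services,ad4users",
    f"{GM}.providers.combined": "true",
    f"{GM}.provider.shell4services": "org.apache.hadoop.security.ShellBasedUnixGroupsMapping",
    f"{GM}.provider.ad4users": "org.apache.hadoop.security.LdapGroupsMapping",
    f"{GM}.ldap.url": "ldap://emr-header-1:10389",
    f"{GM}.ldap.search.filter.user": "(&(objectClass=person)(uid={0}))",
    f"{GM}.ldap.search.filter.group": "(objectClass=groupOfNames)",
    f"{GM}.ldap.base": "o=emr",
}
# Constructed broken variant: unix method, undefined provider "ops", filter without {0}.
BROKEN = {**PAGE_EXAMPLE, "jfs.namespaces.test.permission.method": "unix",
          f"{GM}.providers": "shell4services,ad4users,ops",
          f"{GM}.ldap.search.filter.user": "(objectClass=person)"}

if __name__ == "__main__":
    print(*check_items(BROKEN, "cache"), sep="\n")
```

A provider that is listed but undefined, or a user filter that never matches, leaves LDAP groups unresolved, which is the condition under which Ranger policies for those groups do not apply.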
