The ProxyUser command lets a service account or scheduler submit jobs and access data in OSS-HDFS on behalf of other users, without sharing their credentials. This is conceptually similar to Unix sudo: the proxy user acts with delegated authority, and access is restricted by which users or groups can be impersonated and from which hosts requests originate.
A workflow scheduler that needs to read and write OSS-HDFS data as the end user who submitted a job — not as the scheduler's own service account — is a typical example. Configure the scheduler as a proxy user so OSS-HDFS enforces per-user access controls while the scheduler handles job execution.
How it works
Proxy user access is controlled by three axes:
Proxy user identity: the account that acts on behalf of others (for example, a scheduler or ETL service account)
Allowed users or groups: the accounts that can be impersonated (specified with -users or -groups, mutually exclusive)
Allowed hosts: the hosts from which impersonation requests are accepted
Use the jindo admin CLI to add, list, and delete proxy users.
Prerequisites
Before you begin, ensure that you have:
A Hadoop environment, Hadoop cluster, or Hadoop client. See Step 2: Create a Hadoop runtime environment
OSS-HDFS enabled for your bucket. See Enable OSS-HDFS and grant access permissions
JindoSDK 4.5.0 or later installed and configured. See Connect non-EMR clusters to OSS-HDFS
Set up the environment
Step 1: Connect to your ECS instance
Connect to the ECS instance where JindoSDK is installed. See Connect to an ECS instance.
Step 2: Go to the JindoSDK bin directory
cd jindosdk-x.x.x/bin/
Replace x.x.x with your JindoSDK version number.
Step 3: Create the configuration file
Create a file named jindosdk.cfg in the bin directory with the following content:
[common]
logger.dir = /tmp/jindo/
logger.sync = false
logger.consolelogger = false
logger.level = 0
logger.verbose = 0
logger.cleaner.enable = true
hadoopConf.enable = false
[jindosdk]
# Replace with your actual region endpoint
fs.oss.endpoint = cn-hangzhou.oss-dls.aliyuncs.com
# AccessKey credentials for OSS-HDFS access
fs.oss.accessKeyId = <your-AccessKey-ID>
fs.oss.accessKeySecret = <your-AccessKey-secret>
Replace the placeholders with your actual values:
| Placeholder | Description | Example |
|---|---|---|
| <your-AccessKey-ID> | Your Alibaba Cloud AccessKey ID | LTAI5tXxx |
| <your-AccessKey-secret> | Your Alibaba Cloud AccessKey secret | xXxXxXxx |
| cn-hangzhou.oss-dls.aliyuncs.com | OSS-HDFS endpoint for your region | cn-shanghai.oss-dls.aliyuncs.com |
Step 4: Set the configuration directory
Set the JINDOSDK_CONF_DIR environment variable to the absolute path of the directory containing jindosdk.cfg:
export JINDOSDK_CONF_DIR=<absolute-path-to-config-dir>
Add a proxy user
./jindo admin -addProxyUser \
[-dlsUri <uri>] \
[-proxyUser <proxyUser>] \
[-users <user1,user2,...>]|[-groups <group1,group2,...>] \
[-hosts <host1,host2,...>]
-users and -groups are mutually exclusive. Specify one or the other in a single command, not both.
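One way to sanity-check a grant before running -addProxyUser, as an added example that is not part of the original page or of JindoSDK: the hypothetical helpers valid_list and proxy_grant_cmd check the three axes and print the command for review instead of executing it. The allowed name characters and the rule that a host list must always be given are assumptions of this example, not documented jindo behaviour.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of JindoSDK): check a proxy-user
# grant before running it. Prints the command; it does not execute jindo.

# valid_list CSV -> status 0 if CSV is a comma-separated list of plain names.
# Assumption: names use only letters, digits, '.', '_' and '-'.
valid_list() (
  csv=$1
  case "$csv" in ""|*,) return 1 ;; esac      # empty list or trailing comma
  set -f; IFS=,                                # split on commas, no globbing
  for item in $csv; do
    case "$item" in
      ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;     # empty, option-like, odd chars
    esac
  done
  return 0
)

# proxy_grant_cmd DLS_URI PROXY_USER users|groups NAMES HOSTS
# A single "kind" argument makes -users and -groups exclusive by construction.
proxy_grant_cmd() (
  uri=$1 proxy=$2 kind=$3 names=$4 hosts=$5
  rest=${uri#oss://}                           # equals $uri if prefix is absent
  case "$rest" in
    ""|"$uri"|*[!A-Za-z0-9._/-]*)
      echo "error: -dlsUri must look like oss://<bucket-endpoint>" >&2; return 2 ;;
  esac
  case "$proxy" in
    *,*) echo "error: -proxyUser takes one account" >&2; return 2 ;;
  esac
  valid_list "$proxy" || { echo "error: bad -proxyUser" >&2; return 2; }
  case "$kind" in
    users|groups) ;;
    *) echo "error: kind must be 'users' or 'groups'" >&2; return 2 ;;
  esac
  valid_list "$names" || { echo "error: bad -$kind list" >&2; return 2; }
  # Local policy (assumption): never create a grant without pinned hosts.
  valid_list "$hosts" || { echo "error: bad or missing -hosts list" >&2; return 2; }
  printf './jindo admin -addProxyUser -dlsUri %s -proxyUser %s -%s %s -hosts %s\n' \
    "$uri" "$proxy" "$kind" "$names" "$hosts"
)

# Sample call using the values from this page's own example.
proxy_grant_cmd oss://examplebucket.cn-shanghai.oss-dls.aliyuncs.com \
  user1 groups group1,group2 host1,host2
```
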
Example: Designate user1 as a proxy user, authorized to impersonate any user in group1 or group2 when requests come from host1 or host2:
./jindo admin -addProxyUser \
-dlsUri oss://examplebucket.cn-shanghai.oss-dls.aliyuncs.com \
-proxyUser user1 \
-groups group1,group2 \
-hosts host1,host2
List proxy users
./jindo admin -listProxyUsers \
[-dlsUri <dlsUri>] \
[-maxKeys <maxKeys>] \
[-marker <marker>]
| Option | Required | Description |
|---|---|---|
| -dlsUri | No | The OSS-HDFS path to query |
| -maxKeys | No | Maximum number of proxy users to return |
| -marker | No | Filter results to proxy users whose names contain this string |
Example: List up to 10 proxy users whose names contain test:
./jindo admin -listProxyUsers \
-dlsUri oss://examplebucket.cn-shanghai.oss-dls.aliyuncs.com \
-maxKeys 10 \
-marker test
Delete a proxy user
./jindo admin -deleteProxyUser \
[-dlsUri <uri>] \
[-proxyUser <proxyUser>]
After deletion, the specified account can no longer act as a proxy user for any other user.
Example: Delete user1 as a proxy user:
./jindo admin -deleteProxyUser \
-dlsUri oss://examplebucket.cn-shanghai.oss-dls.aliyuncs.com \
-proxyUser user1