forked from docs/doc-exports
Yang, Tong
2195db241c
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
34 lines
12 KiB
HTML
34 lines
12 KiB
HTML
<a name="admin_guide_000247"></a><a name="admin_guide_000247"></a>
|
|
|
|
<h1 class="topictitle1">Enabling and Disabling Permission Verification on Cluster Components</h1>
|
|
<div id="body1529658735918"><div class="section" id="admin_guide_000247__s4abbfd84213948cab228e268e9714418"><h4 class="sectiontitle">Scenario</h4><p id="admin_guide_000247__p107222042182515">HDFS and ZooKeeper verify the permission of users who attempt to access the services in both security and normal clusters by default. Users without related permission cannot access resources in HDFS and ZooKeeper. When the cluster is deployed in normal mode, HBase and YARN do not verify the permission of users who attempt to access the services by default. All users can access resources in HBase and YARN.</p>
|
|
<p id="admin_guide_000247__en-us_topic_0046736679_p64170449">Based on actual service requirements, administrators can enable permission verification on HBase and YARN or disable permission verification on HDFS and ZooKeeper in normal clusters.</p>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section173019171144"><h4 class="sectiontitle">Impact on the System</h4><p id="admin_guide_000247__p1443302019141">After the enabling and disabling operations, the service configuration will expire. You need to restart the corresponding service for the configuration to take effect.</p>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section19117340182616"><h4 class="sectiontitle">Enabling Permission Verification on HBase</h4><ol id="admin_guide_000247__ol36789480165941"><li id="admin_guide_000247__li17004581165917"><span>Log in to <span id="admin_guide_000247__text67509419010">MRS</span> Manager.</span></li><li id="admin_guide_000247__li18823503165917"><span>Click <strong id="admin_guide_000247__b73833848911420">Cluster</strong>, click the name of the desired cluster, choose <strong id="admin_guide_000247__b30732634911420">Services</strong> > <strong id="admin_guide_000247__b80292827211420">Ranger</strong>, and click <strong id="admin_guide_000247__b7535357211420">Configurations</strong>.</span></li><li id="admin_guide_000247__li35193806165917"><span>Click <strong id="admin_guide_000247__b166802827611420">All Configurations</strong>.</span></li><li id="admin_guide_000247__li32126036165917"><span>Search for parameters <strong id="admin_guide_000247__b62481742123817">hbase.coprocessor.region.classes</strong>, <strong id="admin_guide_000247__b153135514381">hbase.coprocessor.master.classes</strong>, and <strong id="admin_guide_000247__b67535273917">hbase.coprocessor.regionserver.classes</strong>.</span><p><p class="litext" id="admin_guide_000247__p48308802165917">Add the coprocessor parameter <strong id="admin_guide_000247__b274144903918">org.apache.hadoop.hbase.security.access.AccessController</strong> to the end of the values of the preceding parameters, and use a comma (,) to separate the values from those of the original coprocessors. </p>
|
|
</p></li><li id="admin_guide_000247__li44048572165917"><span>Click <strong id="admin_guide_000247__b71485645411420">Save</strong>, click <strong id="admin_guide_000247__b12361211420">OK</strong>, and wait for message "Operation successful" to display.</span></li></ol>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section16202759152618"><h4 class="sectiontitle">Disabling Permission Verification on HBase</h4><div class="note" id="admin_guide_000247__note57090068165917"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000247__p65995664165917">After HBase permission verification is disabled, the existing permission data will be retained. If you want to delete permission information, disable permission verification, enter the HBase shell, and delete table <strong id="admin_guide_000247__b1128014913520">hbase:acl</strong>.</p>
|
|
</div></div>
|
|
<ol id="admin_guide_000247__ol440799317022"><li id="admin_guide_000247__li193052147273"><span>Log in to <span id="admin_guide_000247__text147277913231">MRS</span> Manager.</span></li><li id="admin_guide_000247__li6462426144016"><span>Click <strong id="admin_guide_000247__b159326063611">Cluster</strong>, click the name of the desired cluster, choose <strong id="admin_guide_000247__b29326053614">Services</strong> > <strong id="admin_guide_000247__b179335083610">HBase</strong>, and click <strong id="admin_guide_000247__b199347063618">Configurations</strong>.</span></li><li id="admin_guide_000247__li33372327165917"><span>Click <strong id="admin_guide_000247__b10770155369">All Configurations</strong>.</span></li><li id="admin_guide_000247__li18803987165917"><span>Search for parameters <strong id="admin_guide_000247__b21101386365">hbase.coprocessor.region.classes</strong>, <strong id="admin_guide_000247__b11111784365">hbase.coprocessor.master.classes</strong>, and <strong id="admin_guide_000247__b12111385363">hbase.coprocessor.regionserver.classes</strong>.</span><p><p class="litext" id="admin_guide_000247__p31915493165917">Delete the coprocessor parameter <strong id="admin_guide_000247__b190332623617">org.apache.hadoop.hbase.security.access.AccessController</strong>.</p>
|
|
</p></li><li id="admin_guide_000247__li1986711412151"><span>Click <strong id="admin_guide_000247__b153015580111420">Save</strong>, click <strong id="admin_guide_000247__b152833991311420">OK</strong>, and wait for message "Operation successful" to display.</span></li></ol>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section19976103120279"><h4 class="sectiontitle">Disabling Permission Verification on HDFS</h4><ol id="admin_guide_000247__ol3706857317045"><li id="admin_guide_000247__li155991824143618"><span>Log in to <span id="admin_guide_000247__text163197112237">MRS</span> Manager.</span></li><li id="admin_guide_000247__li45571232194018"><span>Click <strong id="admin_guide_000247__b4758195983818">Cluster</strong>, click the name of the desired cluster, choose <strong id="admin_guide_000247__b1375913594382">Services</strong> > <strong id="admin_guide_000247__b8759115919383">HDFS</strong>, and click <strong id="admin_guide_000247__b10760195973811">Configurations</strong>.</span></li><li id="admin_guide_000247__li40527111165917"><span>Click <strong id="admin_guide_000247__b499592884012">All Configurations</strong>.</span></li><li id="admin_guide_000247__li13059293165917"><span>Search for parameters <strong id="admin_guide_000247__b6936121184114">dfs.namenode.acls.enabled</strong> and <strong id="admin_guide_000247__b10151654118">dfs.permissions.enabled</strong>.</span><p><ul class="subitemlist" id="admin_guide_000247__ul16364113165917"><li id="admin_guide_000247__li29199683165917"><strong id="admin_guide_000247__b210189442611420">dfs.namenode.acls.enabled</strong> indicates whether to enable HDFS ACL. The default value is <strong id="admin_guide_000247__b77765831211420">true</strong>, indicating that the ACL is enabled. Change the value to <strong id="admin_guide_000247__b62484538311420">false</strong>.</li><li id="admin_guide_000247__li61470558165917"><strong id="admin_guide_000247__b203406124511420">dfs.permissions.enabled</strong> indicates whether to enable permission check for HDFS. The default value is <strong id="admin_guide_000247__b128289441811420">true</strong>, indicating that permission check is enabled. Change the value to <strong id="admin_guide_000247__b1934561311420">false</strong>. After the modification, the owner, owner group, and permission of the directories and files in HDFS remain unchanged.</li></ul>
|
|
</p></li><li id="admin_guide_000247__li91775396548"><span>Click <strong id="admin_guide_000247__b4178153914548">Save</strong>, click <strong id="admin_guide_000247__b2178239195412">OK</strong>, and wait for message "Operation successful" to display.</span></li></ol>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section2017614439367"><h4 class="sectiontitle">Enabling Permission Verification on YARN</h4><ol id="admin_guide_000247__ol4465047517117"><li id="admin_guide_000247__li13381102894710"><span>Log in to <span id="admin_guide_000247__text15837412132312">MRS</span> Manager.</span></li><li id="admin_guide_000247__li17848941104019"><span>Click <strong id="admin_guide_000247__b125533925615">Cluster</strong>, click the name of the desired cluster, choose <strong id="admin_guide_000247__b17554996567">Services</strong> > <strong id="admin_guide_000247__b175551393564">Yarn</strong>, and click <strong id="admin_guide_000247__b1055520995612">Configurations</strong>.</span></li><li id="admin_guide_000247__li5386628154712"><span>Click <strong id="admin_guide_000247__b952872216562">All Configurations</strong>.</span></li><li id="admin_guide_000247__li18253911165917"><span>Search for parameter <strong id="admin_guide_000247__b7263640105618">yarn.acl.enable</strong>.</span><p><p class="litext" id="admin_guide_000247__p2846748710537"><strong id="admin_guide_000247__b208624574564">yarn.acl.enable</strong> indicates whether to enable the permission check for YARN.</p>
|
|
<ul id="admin_guide_000247__ul3873008810557"><li class="litext" id="admin_guide_000247__li4465300110557">In normal clusters, the value is set to <strong id="admin_guide_000247__b10138104275817">false</strong> by default to disable permission check. To enable permission check, change the value to <strong id="admin_guide_000247__b5140552165810">true</strong>.</li><li class="litext" id="admin_guide_000247__li3815272410557">In security clusters, the value is set to <strong id="admin_guide_000247__b6868112712597">true</strong> by default to enable authentication.</li></ul>
|
|
</p></li><li id="admin_guide_000247__li73376091618"><span>Click <strong id="admin_guide_000247__b174016487111420">Save</strong>, click <strong id="admin_guide_000247__b198729888811420">OK</strong>, and wait for message "Operation successful" to display.</span></li></ol>
|
|
</div>
|
|
<div class="section" id="admin_guide_000247__section923934017477"><h4 class="sectiontitle">Disabling Permission Verification on ZooKeeper</h4><ol id="admin_guide_000247__ol2997736517127"><li id="admin_guide_000247__li28301444164720"><span>Log in to <span id="admin_guide_000247__text20611151415231">MRS</span> Manager.</span></li><li id="admin_guide_000247__li1589975016402"><span>Click <strong id="admin_guide_000247__b117501557441">Cluster</strong>, click the name of the desired cluster, choose <strong id="admin_guide_000247__b475113571643">Services</strong> > <strong id="admin_guide_000247__b1075135714419">ZooKeeper</strong>, and click <strong id="admin_guide_000247__b1075213571540">Configurations</strong>.</span></li><li id="admin_guide_000247__li48361244124716"><span>Click <strong id="admin_guide_000247__b1270311254">All Configurations</strong>.</span></li><li id="admin_guide_000247__li64440807165917"><span>Search for parameter <strong id="admin_guide_000247__b953323216516">skipACL</strong>.</span><p><p class="litext" id="admin_guide_000247__p22073170165917"><strong id="admin_guide_000247__b60631110111420">skipACL</strong> indicates whether to skip the ZooKeeper permission check. The default value is <strong id="admin_guide_000247__b37808666811420">no</strong>, indicating that permission check is enabled. Change the value to <strong id="admin_guide_000247__b6134282011420">yes</strong>.</p>
|
|
</p></li><li id="admin_guide_000247__li1417335420543"><span>Click <strong id="admin_guide_000247__b21741354185414">Save</strong>, click <strong id="admin_guide_000247__b6174165417548">OK</strong>, and wait for message "Operation successful" to display.</span></li></ol>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000243.html">Account Security Settings</a></div>
|
|
</div>
|
|
</div>
|
|
|