Updated on 2022-08-12 GMT+08:00

Enabling and Disabling Permission Verification on Cluster Components

Scenario

When the cluster is deployed in Security Mode or Normal Mode, HDFS and ZooKeeper verify the permission of users who attempt to access the services by default. Users without related permission cannot access resources in HDFS and ZooKeeper. When the cluster is deployed in Normal Mode, HBase and Yarn do not verify the permission of users who attempt to access the services by default. All users can access resources in HBase and Yarn.

Based on actual service requirements, the system administrator can enable permission verification on HBase and Yarn in the cluster in Normal Mode or disable permission verification on HDFS and ZooKeeper.

Impact on the System

After the permission verification setting is modified, the service configuration will expire. You need to restart the corresponding service for the new configuration to take effect.

Procedure

Enable permission verification on HBase.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Name of the desired cluster > Services > HBase > Configurations.
  3. Click All Configurations.
  4. Search for parameters hbase.coprocessor.region.classes, hbase.coprocessor.master.classes, and hbase.coprocessor.regionserver.classes.

    Add the coprocessor parameter value org.apache.hadoop.hbase.security.access.AccessController to the end of the values of the preceding parameters, and separate the value from the original coprocessor parameter values by using a comma (,).

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.

Disable permission verification on HBase.

After HBase permission verification is disabled, the existing permission data will be retained. If you want to delete permission information, disable permission verification, enter the HBase shell, and delete table hbase:acl.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Name of the desired cluster > Services > HBase > Configurations.
  3. Click All Configurations.
  4. Search for parameters hbase.coprocessor.region.classes, hbase.coprocessor.master.classes, and hbase.coprocessor.regionserver.classes.

    Delete the coprocessor parameter value org.apache.hadoop.hbase.security.access.AccessController.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.

Disable permission verification on HDFS.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Name of the desired cluster > Services > HDFS > Configurations.
  3. Click All Configurations.
  4. Search for parameters dfs.namenode.acls.enabled and dfs.permissions.enabled.

    • dfs.namenode.acls.enabled specifies whether the HDFS ACL is enabled. The default value is true, which indicates that the ACL is enabled. Change the value to false.
    • dfs.permissions.enabled specifies whether the permission check is enabled on HDFS. The default value is true, which indicates that the permission check is enabled. Change the value to false.

    After the parameters are modified, the directories, owners and groups of files, and permission information in HDFS remain the same.

  5. Click Save Configuration and click OK.

    When Operation succeeded is displayed, click Finish.

Enable permission verification on Yarn.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Name of the desired cluster > Services > Yarn > Configurations.
  3. Click All Configurations.
  4. Search for the parameter yarn.acl.enable.

    yarn.acl.enable specifies whether the permission check is enabled on Yarn.

    • In normal mode, the value is set to false by default to disable permission check. To enable permission check, change the value to true.
    • In security mode, the value is set to true by default to enable authentication.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.

Disable permission verification on ZooKeeper.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Name of the desired cluster > Services > ZooKeeper > Configurations.
  3. Click All Configurations.
  4. Search for the parameter skipACL.

    skipACL specifies whether the ZooKeeper permission check is skipped. The default value is no, which indicates that the permission check is used. Change the value to yes.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.
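
One way to check, after the restart, that the HBase, HDFS and Yarn parameters from the procedures above ended up with the intended values. This is an added example, not part of the original documentation or of FusionInsight. It assumes the service configuration is available as standard Hadoop *-site.xml property files; the function names, the sample XML and the class com.example.ExistingObserver are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
# The three coprocessor lists named in step 4 of the HBase procedure.
HBASE_KEYS = tuple(f"hbase.coprocessor.{s}.classes" for s in ("region", "master", "regionserver"))
# Value assumed when a property is absent; None = default depends on cluster mode.
BOOL_KEYS = {
    "hdfs": {"dfs.namenode.acls.enabled": "true", "dfs.permissions.enabled": "true"},
    "yarn": {"yarn.acl.enable": None},
}


def parse_site_xml(text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(service, xml_text):
    """List the parameters that leave permission verification off for a service."""
    props = parse_site_xml(xml_text)
    findings = []
    if service == "hbase":
        for key in HBASE_KEYS:
            loaded = [c.strip() for c in props.get(key, "").split(",")]
            if ACCESS_CONTROLLER not in loaded:
                findings.append(f"{key}: AccessController missing")
    for key, default in BOOL_KEYS.get(service, {}).items():
        value = props.get(key, default)
        if value is None:
            findings.append(f"{key}: not set, default depends on cluster mode")
        elif value.lower() != "true":
            findings.append(f"{key}: {value}")
    return findings


# Constructed sample: AccessController appended to only two of the three lists.
SAMPLE_HBASE = f"""<configuration>
  <property><name>{HBASE_KEYS[0]}</name><value>com.example.ExistingObserver,{ACCESS_CONTROLLER}</value></property>
  <property><name>{HBASE_KEYS[1]}</name><value>{ACCESS_CONTROLLER}</value></property>
  <property><name>{HBASE_KEYS[2]}</name><value>com.example.ExistingObserver</value></property>
</configuration>"""

if __name__ == "__main__":
    print(audit("hbase", SAMPLE_HBASE))
```

An empty result means every checked parameter enables verification. The ZooKeeper skipACL parameter is not covered by this check.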