
Rights Mechanism

Updated at: Mar 25, 2021 GMT+08:00

FusionInsight uses the Lightweight Directory Access Protocol (LDAP) to store user and user group data. Role definitions are stored in the relational database, and the mapping between roles and rights is kept in the individual components.

FusionInsight uses Kerberos for unified authentication.

User rights are verified as follows:

  1. A client (a user terminal or FusionInsight component service) invokes the FusionInsight authentication interface.
  2. FusionInsight uses the login username and password for Kerberos authentication.
  3. If the authentication succeeds, the client sends a request for accessing the server (a FusionInsight component service).
  4. The server finds the user group and role to which the login user belongs.
  5. The server obtains all rights of the user group and the role.
  6. The server determines whether the client has the permission to access the resources it applies for.

Example (RBAC):

There are three files in HDFS, fileA, fileB, and fileC.

  • roleA has read and write permissions for fileA and roleB has the read permission for fileB.
  • groupA is bound to roleA and groupB is bound to roleB.
  • userA belongs to groupA and roleB, and userB belongs to groupB.

When userA successfully logs in to the system and accesses HDFS:

  1. HDFS obtains the role (roleB) to which userA is bound.
  2. HDFS also obtains the role (roleA) to which the user group of userA is bound.
  3. In this case, userA has all the rights of roleA and roleB.
  4. As a result, userA has read and write permissions for fileA, has the read permission on fileB, and has no permission for fileC.

Similarly, when userB successfully logs in to the system and accesses HDFS:

  1. userB only has the rights of roleB.
  2. As a result, userB has the read permission on fileB, and has no permissions for fileA and fileC.
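The resolution described in both examples above, written out as an added illustration rather than FusionInsight's own code: a user's effective roles are the roles bound to the user directly plus the roles bound to the user's groups, and the rights on a resource are the union of what those roles grant (steps 4 to 6 of the flow). The role, group and user data are constructed to mirror the page's example and assume Kerberos authentication has already succeeded.

```python
from typing import Dict, FrozenSet, Set

# Constructed sample data mirroring the page's RBAC example (not FusionInsight data).
# Role -> resource -> rights granted on that resource.
ROLE_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "roleA": {"fileA": {"read", "write"}},
    "roleB": {"fileB": {"read"}},
}
# Group -> roles bound to the group.
GROUP_ROLES: Dict[str, Set[str]] = {"groupA": {"roleA"}, "groupB": {"roleB"}}
# User -> groups the user belongs to.
USER_GROUPS: Dict[str, Set[str]] = {"userA": {"groupA"}, "userB": {"groupB"}}
# User -> roles bound directly to the user (userA is bound to roleB directly).
USER_ROLES: Dict[str, Set[str]] = {"userA": {"roleB"}, "userB": set()}


def effective_roles(user: str) -> Set[str]:
    """Roles bound directly to the user plus roles bound to the user's groups."""
    roles = set(USER_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def effective_rights(user: str, resource: str) -> FrozenSet[str]:
    """Union of the rights that every effective role grants on the resource."""
    rights: Set[str] = set()
    for role in effective_roles(user):
        rights |= ROLE_RIGHTS.get(role, {}).get(resource, set())
    return frozenset(rights)


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Step 6 of the flow: deny unless some effective role grants the action."""
    return action in effective_rights(user, resource)


if __name__ == "__main__":
    for user in ("userA", "userB"):
        for resource in ("fileA", "fileB", "fileC"):
            print(user, resource, sorted(effective_rights(user, resource)))
```

A resource that no effective role mentions (fileC here) yields an empty right set, so the check denies by default instead of falling through to an allow.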
