Updated on 2025-10-11 GMT+08:00

Granting HDFS Users the Permission to Access HDFS Files

Configuring HDFS Directory Permission

Some HDFS directories have a default permission of 777 or 750, which poses a security risk. After the HDFS client is installed, you are advised to modify the permissions on these directories to enhance user security.

  1. Install the client. If the client has been installed, skip this step.

    The following steps use /opt/client as an example installation directory. Replace it with the actual installation directory.

    For details about how to download and install the cluster client, see Installing an MRS Cluster Client.

  2. Log in to the node where the client is installed as the client installation user.
  3. Go to the client installation directory, for example, /opt/client.

    cd /opt/client

  4. Run the following command to configure environment variables:

    source bigdata_env

  5. If Kerberos authentication is enabled for the cluster (in security mode), run the following command to authenticate the user. Skip this step for a cluster in normal mode.

    kinit <Component service user>

  6. If Kerberos authentication is disabled for the cluster (in normal mode) and the current login user is not omm, run the following command to authenticate the user:

    export HADOOP_USER_NAME=omm

  7. Run the following command to change the permission on the /user directory:

    In the following command, the permission is changed to 1777. The leading 1 sets the sticky bit, which means that only the owner or a user with the root permission can delete or rename the files and folders in the directory.

    hdfs dfs -chmod 1777 /user

    You are advised to harden the security of non-temporary directories to ensure system file security. For example:
    • /user: 777
    • /mr-history: 777
    • /mr-history/tmp: 777
    • /mr-history/done: 777
    • /user/mapred: 755
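
A check for the condition that step 7 addresses, as an added example that is not part of the original page: it reads `hdfs dfs -ls -d` output and reports directories that "other" can write to and that lack the sticky bit. The listing is constructed sample data, and the /tmp and /example/shared paths in it are assumptions.

```shell
#!/bin/sh
# Added example: flag HDFS directories that "other" can write to and that lack
# the sticky bit, reading `hdfs dfs -ls -d <dir>...` output on stdin.

# Constructed sample listing (not from a real cluster); /example/shared is hypothetical.
sample_listing() {
  cat <<'EOF'
drwxrwxrwx   - hdfs   hadoop          0 2025-01-01 10:00 /user
drwxrwxrwt   - hdfs   hadoop          0 2025-01-01 10:00 /tmp
drwxrwxrwx   - mapred hadoop          0 2025-01-01 10:00 /mr-history
drwxr-xr-x   - mapred hadoop          0 2025-01-01 10:00 /user/mapred
drwxrwxrwx+  - hive   hive            0 2025-01-01 10:00 /example/shared
EOF
}

# Print "<path> <octal mode>" for each finding. Assumes paths contain no spaces.
audit_listing() {
  awk '
    function triad(s,   v) {            # "rwx" -> 7, "r-x" -> 5, ...
      v = 0
      if (substr(s, 1, 1) == "r") v += 4
      if (substr(s, 2, 1) == "w") v += 2
      if (substr(s, 3, 1) == "x") v += 1
      return v
    }
    $1 ~ /^d/ {
      mode = $1
      sub(/\+$/, "", mode)              # a trailing "+" only marks an ACL
      other = substr(mode, 8, 3)
      if (other ~ /[tT]$/) next         # sticky bit set (1xxx): deletes restricted
      if (substr(other, 2, 1) == "w")
        printf "%s %d%d%d\n", $8, triad(substr(mode, 2, 3)), triad(substr(mode, 5, 3)), triad(other)
    }'
}

# On a cluster, after `source bigdata_env` and authentication, replace the sample with:
#   hdfs dfs -ls -d /user /mr-history /mr-history/tmp /mr-history/done | audit_listing
sample_listing | audit_listing
```

An empty result means none of the listed directories is world-writable without the sticky bit.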

Setting Permissions on HDFS Files and Directories

HDFS allows users to modify the default permissions of files and directories. The default umask that HDFS applies when files and directories are created is 022. If you have special requirements for the default permissions, you can change them by setting configuration items.

  1. Log in to FusionInsight Manager.

    For details about how to log in to FusionInsight Manager, see Accessing MRS Manager.

  2. Choose Cluster > Services > HDFS > Configurations > All Configurations.
  3. Search for and modify parameters in Table 1 as required.

    Table 1 Parameters

    Parameter: fs.permissions.umask-mode

    Description: The umask (user mask) that is applied when a user creates files and directories in HDFS from a client. This parameter is similar to the file permission mask on Linux.

    • The parameter value can be in octal or symbolic notation, for example, 022 (octal, same as u=rwx,g=r-x,o=r-x in symbolic notation), or u=rwx,g=rwx,o= (symbolic, same as 007 in octal).
    • The octal mask is the opposite of the actual permission value. You are advised to use symbolic notation to make the description clearer.

    Default Value: 022

  4. Click Save. Then, confirm the operation impact and click OK.
  5. Then, click Finish.

    Check whether there is any instance whose configuration has expired in the cluster. If yes, restart the instance for the configuration to take effect.