Help Center/ MapReduce Service/ User Guide/ MRS Cluster O&M/ MRS Cluster Security Configuration/ MRS Cluster Security Hardening/ Enabling and Disabling Permission Verification on MRS Cluster Components
Updated on 2024-10-25 GMT+08:00
View PDF
Share

Enabling and Disabling Permission Verification on MRS Cluster Components

Scenario

HDFS and ZooKeeper verify the permission of users who attempt to access the services in both security and normal clusters by default. Users without related permission cannot access resources in HDFS and ZooKeeper. When the cluster is deployed in normal mode, YARN does not verify the permission of users who attempt to access the services by default. All users can access YARN resources.

Based on actual service requirements, administrators can enable YARN permission verification or disable permission verification on HDFS and ZooKeeper in normal clusters.

This topic is available for MRS 3.x or later.

Impact on the System

After the enabling and disabling operations, the service configuration will expire. You need to restart the corresponding service for the configuration to take effect.

Disabling Permission Verification on HDFS

  1. Log in to FusionInsight Manager.
  2. Click Cluster, click the name of the desired cluster, choose Services > HDFS, and click Configurations.
  3. Click All Configurations.
  4. Search for parameters dfs.namenode.acls.enabled and dfs.permissions.enabled.

    • dfs.namenode.acls.enabled indicates whether to enable HDFS ACL. The default value is true, indicating that the ACL is enabled. Change the value to false.
    • dfs.permissions.enabled indicates whether to enable permission check for HDFS. The default value is true, indicating that permission check is enabled. Change the value to false. After the modification, the owner, owner group, and permission of the directories and files in HDFS remain unchanged.

  5. Click Save, click OK, and wait for message "Operation successful" to display.

Enabling Permission Verification on YARN

  1. Log in to FusionInsight Manager.
  2. Click Cluster, click the name of the desired cluster, choose Services > Yarn, and click Configurations.
  3. Click All Configurations.
  4. Search for parameter yarn.acl.enable.

    yarn.acl.enable indicates whether to enable the permission check for YARN.

    • In normal clusters, the value is set to false by default to disable permission check. To enable permission check, change the value to true.
    • In security clusters, the value is set to true by default to enable authentication.
    Figure 1 Setting the yarn.acl.enable parameter

  5. Click Save, click OK, and wait for message "Operation successful" to display.

Disabling Permission Verification on ZooKeeper

  1. Log in to FusionInsight Manager.
  2. Click Cluster, click the name of the desired cluster, choose Services > ZooKeeper, and click Configurations.
  3. Click All Configurations.
  4. Search for parameter skipACL.

    skipACL indicates whether to skip the ZooKeeper permission check. The default value is no, indicating that permission check is enabled. Change the value to yes.

    Figure 2 Setting the skipACL parameter

  5. Click Save, click OK, and wait for message "Operation successful" to display.