HDFS setfacl and getfacl commands examples

In this article, we will learn the setfacl and getfacl commands in HDFS.


1) The chmod command cannot provide advanced permissions in HDFS.

The following are some use cases where chmod usage is not possible.



  • Providing fewer/more permissions to one user in a group.

  • Providing fewer/more permissions to a specific user.



2) ACL (Access Control Lists) commands setfacl and getfacl provide advanced permissions in HDFS.


3) ACLs in HDFS are disabled by default. We need to enable them by setting the property below to true.

dfs.namenode.acls.enabled

Check how to enable ACLs in Ambari.

4) setfacl command is used to provide advanced permissions in HDFS. getfacl command is used to check ACLs provided on a directory in HDFS.

Type the commands below to see their usage.

hdfs dfs -setfacl

hdfs dfs -getfacl

The pictures below show the commands' usage.






5) The getfacl command displays the ACLs set on an HDFS directory. The -R option displays the ACLs of a directory and of all its sub-directories and files.

Example :

hdfs dfs -getfacl /data

The picture below shows usage of getfacl command.





6) The -m option of the setfacl command modifies permissions for an HDFS directory. It can add or remove permissions on an existing file or directory.

For example:

The /data directory gives group members read access only. The setfacl -m option can grant write permission to one group member (hive).

The picture below shows how to use -m option.





7) The default keyword defines default ACLs on a directory. If sub-directories are created under that directory in the future, they get the default ACLs automatically.

Example :

hdfs dfs -setfacl -m default:user:sqoop:rwx /data

The picture below shows that a newly created sub-directory under the /data directory gets the default ACLs automatically.



8) The + symbol in ls command output indicates that a file has an ACL defined on it.

The picture below shows the plus symbol on the /data directory, as /data has ACLs defined on it.



9) The -k option of the setfacl command removes default ACLs.

Example :

hdfs dfs -setfacl -k /data

The picture below shows how to remove default ACLs on /data directory in HDFS.




10) The -b option of the setfacl command removes all ACL entries except the base (user, group and others) ACLs.

Example :

hdfs dfs -setfacl -b /data

The picture below shows how to retain the base ACLs using the -b option.





11) The -x option of the setfacl command removes the specified ACLs.

Example :

hdfs dfs -setfacl -x user:hive /data

The picture below shows removing user hive's permissions on the /data directory.



12) The --set option of the setfacl command replaces all existing ACLs with the new ACLs specified.



Limitations

1) ACLs on snapshot directories are not allowed.

2) Only 32 ACL entries per file are allowed as of now.

3) ACL information is maintained in memory by the NameNode. A large number of ACLs will increase the load on the NameNode.
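
One way to review the ACLs that the setfacl commands above leave behind, as an added example that is not part of the original article: the shell function below reads `hdfs dfs -getfacl -R` output and prints, per path, the access and default entry counts plus every entry that names a specific user or group. The function names, the sample output and the choice to compare the total entry count per path with the 32-entry limit are assumptions of this example.

```shell
# Added example: summarise `hdfs dfs -getfacl -R <path>` output read on stdin.
# $1 = entry threshold (default 32, the limit cited above; per-path total is an assumption).
acl_summary() {
  awk -v limit="${1:-32}" '
    function emit() {
      if (path == "") return
      printf "%s access=%d default=%d named=%s %s\n", path, access, dflt,
             (named == "" ? "-" : named), (access + dflt > limit ? "OVER" : "ok")
    }
    /^# file: /        { emit(); path = substr($0, 9); access = dflt = 0; named = ""; next }
    /^#/ || /^[ \t]*$/ { next }        # owner/group headers and blank separators
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)      # drop a trailing "#effective:..." note
      split(line, f, ":")
      i = 1; scope = "access"
      if (f[1] == "default") { i = 2; scope = "default"; dflt++ } else access++
      # a non-empty name field means the entry targets one specific user or group
      if ((f[i] == "user" || f[i] == "group") && f[i + 1] != "")
        named = named (named == "" ? "" : ",") scope ":" f[i] ":" f[i + 1] ":" f[i + 2]
    }
    END { emit() }
  '
}
# Constructed sample of getfacl -R output (not captured from a real cluster).
sample_getfacl() {
  cat <<'EOF'
# file: /data
# owner: hdfs
# group: hadoop
user::rwx
user:hive:rwx
group::r--
mask::rwx
other::r--
default:user::rwx
default:user:sqoop:rwx
default:group::r--
default:mask::rwx
default:other::r--

# file: /data/raw
# owner: hdfs
# group: hadoop
user::rwx
group::r--
other::r--
EOF
}
sample_getfacl | acl_summary
```

On a cluster, pipe real output into it instead: `hdfs dfs -getfacl -R /data | acl_summary`.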