# Data Fabric ACE

## Create Volume [ace-volume]

![](https://i.imgur.com/YyTUmG1.png)
![](https://i.imgur.com/fLbzT1p.png)

---------------------------------------

### ACE read/write control

Check the directory's ACE permissions (a freshly created volume has no ACEs set, so only the mode bits apply):

```shell=
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir:
  addchild:
  deletechild:
  lookupdir:
  inherit: true
  mode: rwxrwxrwx
```

Switch to user `danny` and confirm that read and write work.

```shell=
[danny@maprdemo user]$ id
uid=5678(danny) gid=5678(danny) groups=5678(danny)
[danny@maprdemo user]$ touch ace-volume/danny
[danny@maprdemo user]$ ls ace-volume/
danny
```

Switch to user `roger` and confirm that read and write work.

```shell=
[roger@maprdemo ~]$ id
uid=6789(roger) gid=6789(roger) groups=6789(roger)
[roger@maprdemo user]$ ls ace-volume/
danny
[roger@maprdemo user]$ touch ace-volume/roger
[roger@maprdemo user]$ ls ace-volume/
danny  roger
```

Grant `danny` two permissions, `lookupdir` and `readdir`:

```shell=
hadoop mfs -setace -lookupdir 'u:danny' /user/ace-volume
hadoop mfs -setace -readdir 'u:danny' /user/ace-volume
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir:
  addchild:
  deletechild:
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/danny
  readfile:
  writefile:
  executefile:
  mode: rw-rw-r--
Path: /user/ace-volume/roger
  readfile:
  writefile:
  executefile:
  mode: rw-rw-r--
```

Switch to `danny` and check whether the directory can be listed:

```shell=
[danny@maprdemo user]$ ls ace-volume/
danny  roger
```

Switch to `roger` and check whether the directory can be listed:

```shell=
[roger@maprdemo user]$ ls ace-volume/
ls: cannot open directory ace-volume/: Permission denied
```

Grant `danny` write access to the file `danny`, but only read access to the file `roger`:

```shell=
hadoop mfs -setace -readfile 'u:danny' /user/ace-volume/danny
hadoop mfs -setace -writefile 'u:danny' /user/ace-volume/danny
hadoop mfs -setace -readfile 'u:danny' /user/ace-volume/roger
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild:
  deletechild:
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/danny
  readfile: u:danny
  writefile: u:danny
  executefile:
  mode: rw-------
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------
```

Verify the result:

```shell=
[danny@maprdemo user]$ echo "www.hpe-taiwan-cic.net" >> ace-volume/danny
[danny@maprdemo user]$ echo "www.hpe-taiwan-cic.net" >> ace-volume/roger
-bash: ace-volume/roger: Permission denied
[danny@maprdemo user]$ cat ace-volume/danny
danny
www.hpe-taiwan-cic.net
[danny@maprdemo user]$ cat ace-volume/roger
roger
[danny@maprdemo user]$
```

---------------------------------------

### Granting permission to create directories

At this point `danny` cannot create a directory:

```shell=
[danny@maprdemo user]$ mkdir ace-volume/test-mk
mkdir: cannot create directory ‘ace-volume/test-mk’: Permission denied
```

Grant `danny` permission to create directories (`addchild` on the parent):

```shell=
hadoop mfs -setace -addchild 'u:danny' /user/ace-volume
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild: u:danny
  deletechild:
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/danny
  readfile: u:danny
  writefile: u:danny
  executefile:
  mode: rw-------
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------
```

Switch to `danny`; the directory `test-mk` is now created successfully:

```shell=
[danny@maprdemo user]$ mkdir ace-volume/test-mk
[danny@maprdemo user]$ ls ace-volume/
danny  roger  test-mk
```

---------------------------------------

### Granting permission to delete directories

Try to delete the directory `test-mk`:

```shell=
[danny@maprdemo user]$ rm -rf ace-volume/test-mk/
rm: cannot remove ‘ace-volume/test-mk/’: Permission denied
```

Grant `danny` permission to delete directories (`deletechild` on the parent). Note that `test-mk`, created before this change, carries the ACEs the parent had at creation time:

```shell=
hadoop mfs -setace -deletechild 'u:danny' /user/ace-volume
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild: u:danny
  deletechild: u:danny
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/danny
  readfile: u:danny
  writefile: u:danny
  executefile:
  mode: rw-------
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------
Path: /user/ace-volume/test-mk
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild: u:danny
  deletechild:
  lookupdir: u:danny
  inherit: true
  mode: r-x------
```

The `test-mk` directory is now deleted successfully:

```shell=
[danny@maprdemo user]$ rm -rf ace-volume/test-mk/
[danny@maprdemo user]$ ls ace-volume/
danny  roger
```

---------------------------------------

### Subdirectory inheritance from the parent directory

By default a subdirectory inherits the parent directory's ACEs; see `line 26` (the `inherit-test` entry):

```shell=
[root@maprdemo user]# mkdir /user/ace-volume/inherit-test/
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild:
  deletechild: u:danny
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/danny
  readfile: u:danny
  writefile: u:danny
  executefile:
  mode: rw-------
Path: /user/ace-volume/inherit-test
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild:
  deletechild: u:danny
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------
Path: /user/ace-volume/root
  readfile:
  writefile:
  executefile:
  mode: rw-r--r--
```

Turn off ACE inheritance from the parent directory; `lines 30-36` show that the new subdirectory did not inherit the parent's ACEs:

```shell=
hadoop mfs -setace -setinherit false /user/ace-volume
[root@maprdemo user]# mkdir /user/ace-volume/inherit-test-false
[root@maprdemo user]# hadoop mfs -getace -R /user/ace-volume
Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild:
  deletechild: u:danny
  lookupdir: u:danny
  inherit: false
  mode: ---------
Path: /user/ace-volume/danny
  readfile: u:danny
  writefile: u:danny
  executefile:
  mode: rw-------
Path: /user/ace-volume/inherit-test
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild:
  deletechild: u:danny
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/inherit-test-false
  readfile:
  writefile:
  executefile:
  readdir:
  addchild:
  deletechild:
  lookupdir:
  inherit: true
  mode: rwxr-xr-x
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------
Path: /user/ace-volume/root
  readfile:
  writefile:
  executefile:
  mode: rw-r--r--
```

---------------------------------------

### Verifying MCS (volume-level) permissions

Create a volume whose volume-level ACE grants `danny` read access only:

```shell=
maprcli volume create -name create-volume-test -path /user/create-volume-test -readAce 'u:danny' -rootdirperms 777
```

Get the file permissions:

```shell=
[root@maprdemo user]# hadoop mfs -getace -R /user/create-volume-test/
Path: /user/create-volume-test
  readfile:
  writefile:
  executefile:
  readdir:
  addchild:
  deletechild:
  lookupdir:
  inherit: true
  mode: rwxrwxrwx
Path: /user/create-volume-test/11
  readfile:
  writefile:
  executefile:
  mode: rw-r--r--
Path: /user/create-volume-test/123
  readfile:
  writefile:
  executefile:
  mode: rw-rw-r--
[root@maprdemo user]# ls -al /user/create-volume-test
drwxrwxrwx 2 root  root  2 1月 18 00:27 .
drwxr-xr-x 8 mapr  mapr  6 1月 18 00:19 ..
-rw-r--r-- 1 root  root  0 1月 18 00:25 11
-rw-rw-r-- 1 danny danny 0 1月 18 00:26 123
```

Switch to `danny`:

```shell=
[danny@maprdemo create-volume-test]$ echo 'danny' >> 11
-bash: 11: Permission denied
[danny@maprdemo create-volume-test]$ echo 'danny' >> 123
[danny@maprdemo create-volume-test]$ cat 123
danny
```

Verify that `danny` has no permission to create files:

```shell=
[danny@maprdemo create-volume-test]$ touch test
touch: cannot touch ‘test’: Permission denied
```

Switch to `root` and grant `danny` write permission at the volume level:

```shell=
[root@maprdemo user]# maprcli volume modify -name create-volume-test -writeAce 'u:danny'
```

Verify that `danny` can now create files:

```shell=
[danny@maprdemo create-volume-test]$ touch test
[danny@maprdemo create-volume-test]$ ls
11  123  test
[danny@maprdemo create-volume-test]$
```

### Reference:

* https://docs.datafabric.hpe.com/62/ReferenceGuide/hadoop-mfs.html

Variant of the volume-creation command that also grants a write ACE to `mapr`:

```shell=
maprcli volume create -name create-volume-test -path /user/create-volume-test -readAce 'u:danny' -writeAce 'u:mapr' -rootdirperms 777
```

<!--
## hadoop mfs commands

```
[root@maprdemo ace-volume]# hadoop mfs -count /user/adv-ace-volume
Path: /user/ace-volume
  Directories   : 1
  Regular files : 1
  Symlinks      : 0
  Vollinks      : 0
  Devices       : 0
  Kvstores      : 0
  Total files   : 2
```

```
[root@maprdemo ace-volume]# hadoop mfs -delete /user/ace-volume/abc
```

```
[root@maprdemo ~]# df
檔案系統                            1K-區段     已用     可用 已用% 掛載點
/dev/mapper/vg_maprdemo-lv_root    14015952  7651932  5628996   58% /
devtmpfs                            2962708        0  2962708    0% /dev
tmpfs                               2973316        0  2973316    0% /dev/shm
tmpfs                               2973316     8800  2964516    1% /run
tmpfs                               2973316        0  2973316    0% /sys/fs/cgroup
/dev/sda1                            487634   110804   347134   25% /boot
tmpfs                                594664        0   594664    0% /run/user/5000
tmpfs                                594664        0   594664    0% /run/user/0
localhost:/mapr/demo.mapr.com/user 14959616  1440768 13518848   10% /user
```

```
[root@maprdemo ~]# useradd danny --uid 5678
[root@maprdemo ~]# su - danny
[danny@maprdemo ~]$ id
uid=5678(danny) gid=5678(danny) groups=5678(danny)
[danny@maprdemo ~]$ ls /user/
hive  mapr  root
```

## Create a new volume

![](https://i.imgur.com/sYtyJPo.png)
![](https://i.imgur.com/ZHitg3K.png)
![](https://i.imgur.com/QbPCTIi.png)
![](https://i.imgur.com/uEF9Q9X.png)
![](https://i.imgur.com/4xuMjkV.png)
![](https://i.imgur.com/tW9Ydef.png)
![](https://i.imgur.com/HXuvcZM.png)
![](https://i.imgur.com/q6XE0BN.png)

* Volume: /user
* AD adusr01: Read
* AD adusr02: Write

## Log in as adusr02

![](https://i.imgur.com/DzDW569.png)

```shell=
ssh https://<datafabric>:8443
cat /etc/passwd
```

## User list

```shell=
cat /etc/passwd
```

## Group list

```shell=
cat /etc/group | cut -d: -f1
```

```shell=
groupadd -g 7000 ad-usr-group
groupadd -g 7010 ad-adm-group
cat /etc/group | grep ad-
ad-usr-group:x:7000:
ad-adm-group:x:7010:
useradd ad-user1 -g 7000 -u 700
useradd ad-user2 -g 7010 -u 701
```

![](https://i.imgur.com/9Z4Rx2M.png)
![](https://i.imgur.com/fetmY85.png)
![](https://i.imgur.com/GyK7mhy.png)
![](https://i.imgur.com/Fwe3ePc.png)

## AD config

![](https://i.imgur.com/W1Fpfed.png)
![](https://i.imgur.com/h36Dryt.png)
![](https://i.imgur.com/naE3F3E.png)
![](https://i.imgur.com/YvDaYyJ.png)
-->
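The recursive `hadoop mfs -getace -R` listings in the sections above grow quickly, and a single unintended grant (an `addchild` or `deletechild` that was never removed, a subdirectory that inherited more than intended) is easy to miss. The helper below is an added example, not code from these notes or from HPE Data Fabric; it assumes the listing format shown on this page (an indented `field: expression` line under each `Path:` entry), uses a sample constructed from the listing after the `addchild` grant, and also handles compound expressions such as `u:danny | g:dev`, which the page does not show.

```shell
# Audit helper for "hadoop mfs -getace -R" listings (added example, not part of the
# original notes or of HPE Data Fabric). Per path it reports which ACE fields name a
# principal plus the inherit flag, and offers a yes/no check for scripting.

# Constructed sample: /user/ace-volume after the addchild grant, roger file read-only.
SAMPLE_GETACE='Path: /user/ace-volume
  readfile:
  writefile:
  executefile:
  readdir: u:danny
  addchild: u:danny
  deletechild:
  lookupdir: u:danny
  inherit: true
  mode: ---------
Path: /user/ace-volume/roger
  readfile: u:danny
  writefile:
  executefile:
  mode: ---------'

# ace_grants PRINCIPAL  (getace output on stdin) -> one line per path:
#   "<path> <ACE fields naming PRINCIPAL, comma-separated, or -> inherit=<true|false|->"
ace_grants() {
  awk -v who="$1" '
    function flush() { if (path != "") printf "%s %s inherit=%s\n", path, (f == "" ? "-" : f), inh }
    /^Path: /         { flush(); path = $2; f = ""; inh = "-"; next }
    /^[ \t]*inherit:/ { inh = $2; next }
    /^[ \t]*mode:/    { next }
    /^[ \t]*[a-z]+:/  {
      key = $1; sub(/:$/, "", key)
      expr = $0; sub(/^[ \t]*[a-z]+:[ \t]*/, "", expr)
      # tokenise the boolean expression so u:danny does not match u:danny2 and
      # compound expressions such as "u:danny | g:dev" are still caught
      n = split(expr, tok, /[ ()&|!]+/)
      for (i = 1; i <= n; i++) if (tok[i] == who) { f = (f == "" ? key : f "," key); break }
    }
    END { flush() }'
}

# ace_has PRINCIPAL PATH FIELD  (getace output on stdin): exit 0 if FIELD names PRINCIPAL
ace_has() {
  ace_grants "$1" | awk -v p="$2" -v fld="$3" '
    $1 == p { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == fld) ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Report for u:danny over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_GETACE" | ace_grants u:danny; }
```

Pipe a live listing in with `hadoop mfs -getace -R /user/ace-volume | ace_grants u:danny`, or call `ace_has` from a script to fail when a grant is missing or unexpectedly present after each `-setace` change.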