Reputation: 69
Is it possible to have user access control on file level of HDFS?
Currently, everyone can access the data when clicking on a link like http://<domain>/webhdfs/v1/xxx.txt?op=OPEN.
Can I set up certain groups of people so that they can only access certain files or directories? The purpose is to keep others from accessing files which don't belong to them.
If this cannot be set on HDFS, are there any suggestions?
Upvotes: 1
Views: 1010
Reputation: 126
When security is off, the authenticated user is the username specified in the user.name query parameter. If the user.name parameter is not set, the server may either set the authenticated user to a default web user, if there is any, or return an error response.
When security is on, authentication is performed by either Hadoop delegation token or Kerberos SPNEGO. If a token is set in the delegation query parameter, the authenticated user is the user encoded in the token. If the delegation parameter is not set, the user is authenticated by Kerberos SPNEGO.
Below are examples using the curl command tool.
Authentication when security is off:
curl -i "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?[user.name=<USER>&]op=..."
Authentication using Kerberos SPNEGO when security is on:
curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."
Authentication using Hadoop delegation token when security is on:
curl -i "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?delegation=<TOKEN>&op=..."
Ref: https://hadoop.apache.org/docs/r2.9.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Authentication
Upvotes: 1
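The identity rules quoted in the answer above, applied to request lines to show which WebHDFS calls run under an identity that nobody verified. This is an added example, not part of the original answer or Hadoop's code; the function names, mechanism labels and sample request lines are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed request lines for illustration; not from a real cluster.
SAMPLE_REQUESTS = [
    "GET /webhdfs/v1/data/a.txt?op=OPEN",
    "GET /webhdfs/v1/data/a.txt?user.name=alice&op=OPEN",
    "GET /webhdfs/v1/data/a.txt?delegation=CONSTRUCTED_TOKEN&op=OPEN",
    "GET /static/hadoop.css",
]

def identity_source(request_line, security_on, default_web_user=None):
    """Apply the quoted rules to one request line.

    Returns (mechanism, user, unverified), or None if the request is not
    a WebHDFS call. `user` is None when it cannot be read from the URL.
    """
    _method, _, target = request_line.partition(" ")
    url = urlsplit(target)
    if not url.path.startswith("/webhdfs/v1"):
        return None
    # parse_qs drops blank values, so "user.name=" counts as not set.
    params = parse_qs(url.query)
    if security_on:
        if "delegation" in params:
            return ("delegation-token", None, False)  # user is encoded in the token
        return ("kerberos-spnego", None, False)       # user comes from Kerberos
    if "user.name" in params:
        # Security off: the server takes whatever name the client wrote here.
        return ("user.name", params["user.name"][0], True)
    if default_web_user is not None:
        return ("default-web-user", default_web_user, True)
    return ("error", None, False)

def audit(request_lines, security_on, default_web_user=None):
    """Return the WebHDFS requests whose identity was never verified."""
    findings = []
    for line in request_lines:
        result = identity_source(line, security_on, default_web_user)
        if result is not None and result[2]:
            findings.append((line, result[0], result[1]))
    return findings

if __name__ == "__main__":
    for security_on in (False, True):
        print("security_on =", security_on)
        for finding in audit(SAMPLE_REQUESTS, security_on, "webuser"):
            print("  unverified identity:", finding)
```

With security off, every WebHDFS request in the sample is reported, because the user is either taken from the query string or falls back to the default web user; with security on, none are.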