Hadoop Service Level Authorization
In addition to the HDFS permissions model and MapReduce job queue administration, you can specify which users and groups can access the different cluster services. This is useful for restricting HDFS access and job submission to a small set of users.
To enable service level authorization, add the following property to the core-site.xml configuration file:
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
As with MapReduce queue privileges, service level ACLs are defined in a separate file called hadoop-policy.xml. CDH provides a sample of this file in the /etc/hadoop/conf directory and, by default, it is wide open (all users can access all services).
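As an added example (not from the original text or from CDH), the following Python script parses a hadoop-policy.xml and lists the service ACLs still set to the wide-open value *. It assumes the standard ACL value format of comma-separated users, a space, then comma-separated groups; the sample policy and its user and group names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the hadoop-policy.xml layout; user and group names are made up.
SAMPLE_POLICY = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.job.submission.protocol.acl</name>
    <value>alice,bob etl</value>
  </property>
  <property>
    <name>security.datanode.protocol.acl</name>
    <value> hadoop</value>
  </property>
</configuration>
"""

def parse_acl(value):
    """Split an ACL value ("users groups", both comma-separated) into two sets."""
    value = value or ""
    if value.strip() == "*":
        return {"*"}, {"*"}
    # A leading space means "no users, groups only".
    users, _, groups = value.partition(" ")
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return split(users), split(groups)

def audit_policy(xml_text):
    """Return ({acl_name: (users, groups)}, sorted list of wide-open ACL names)."""
    acls, wide_open = {}, []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.endswith(".acl"):
            continue
        users, groups = parse_acl(prop.findtext("value"))
        acls[name] = (users, groups)
        if "*" in users or "*" in groups:
            wide_open.append(name)
    return acls, sorted(wide_open)

if __name__ == "__main__":
    _, wide_open = audit_policy(SAMPLE_POLICY)
    for name in wide_open:
        print("WIDE OPEN:", name)
```

To audit a real cluster, pass the contents of the hadoop-policy.xml from /etc/hadoop/conf to audit_policy instead of the sample string.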
The difference between Service Level Authorization and HDFS or MapReduce permissions is the order in which these checks are performed. Service level permission checks are performed before the user starts communicating with HDFS or the MapReduce...