Users and Permissions of Clusters with Kerberos Authentication Enabled

Overview

  • MRS Cluster Users

    These are the security accounts of MRS Manager, each consisting of a username and a password. They are used to access resources in MRS clusters. Each MRS cluster with Kerberos authentication enabled can have multiple users.

  • MRS Cluster Roles

    Before using resources in an MRS cluster, a user must obtain the corresponding access permission. Access permissions are defined on MRS cluster objects, and a cluster role is a set of one or more such permissions. For example, the permission to access a directory in HDFS is configured on that specific directory and saved in a role.

MRS Manager provides the user permission management function for MRS clusters, facilitating permission and user management.

  • Permission management: adopts the role-based access control (RBAC) mode. In this mode, permissions are granted by role, forming a permission set. After one or more roles are allocated to a user, the user can obtain the permissions of the roles.
  • User management: uses MRS Manager to uniformly manage users, adopts the Kerberos protocol for user identity verification, and employs Lightweight Directory Access Protocol (LDAP) to store user information.

Permission Management

Permissions provided by MRS clusters include the O&M permissions of MRS Manager and of components such as HDFS, HBase, Hive, and Yarn. In practice, permissions must be assigned to each user according to the service scenario. To simplify this, MRS Manager introduces roles, which let administrators select specific permissions and assign them as a set; permissions are then viewed and managed centrally through these permission sets.

A role is a logical entity that contains one or more permissions. Permissions are assigned to roles, and users can be granted the permissions by obtaining the roles.

A role can have multiple permissions, and a user can be bound to multiple roles.

  • Role 1: is assigned operation permissions A and B. After role 1 is allocated to users a and b, users a and b can obtain operation permissions A and B.
  • Role 2: is assigned operation permission C. After role 2 is allocated to users c and d, users c and d can obtain operation permission C.
  • Role 3: is assigned operation permissions D and F. After role 3 is allocated to user a, user a can obtain operation permissions D and F.

For example, if an MRS user is bound to the administrator role, the user is an administrator of the MRS cluster.

Table 1 lists the roles that are created by default on MRS Manager.

Table 1 Default roles and description

Default Role           Description
---------------------  ------------------------------------------------------------------------------------------------
default                Tenant role
Manager_administrator  Manager administrator: This role has the permission to manage MRS Manager.
Manager_auditor        Manager auditor: This role has the permission to view and manage auditing information.
Manager_operator       Manager operator: This role has all permissions except tenant, configuration, and cluster management permissions.
Manager_viewer         Manager viewer: This role has the permission to view the information about systems, services, hosts, alarms, and auditing logs.
System_administrator   System administrator: This role has the permissions of Manager administrators and all service administrators.
Manager_tenant         Manager tenant viewer: This role has the permission to view information on the Tenant page on MRS Manager.

When creating a role on MRS Manager, you can perform permission management for MRS Manager and components, as described in Table 2.

Table 2 Manager and component permission management

Permission  Description
----------  ------------------------------------------------------------------------------------------------------------------------
Manager     Manager access and login permission.
HBase       HBase administrator permission and permission for accessing HBase tables and column families.
HDFS        HDFS directory and file permission.
Hive        Hive Admin Privilege: Hive administrator permission.
            Hive Read Write Privileges: Hive data table management permission, that is, the permission to set and manage the data of created tables.
Hue         Storage policy administrator rights.
Yarn        Cluster Admin Operations: Yarn administrator permission.
            Scheduler Queue: Queue resource management permission.

User Management

MRS clusters that support Kerberos authentication use the Kerberos protocol and LDAP for user management.

  • Kerberos verifies the identity of a user when the user logs in to MRS Manager or uses a component client. Identity verification is not required for clusters with Kerberos authentication disabled.
  • LDAP is used to store user information, including user records, user group information, and permission information.

When users are created or modified on MRS Manager, MRS clusters automatically update the corresponding Kerberos and LDAP user data. When a user logs in to MRS Manager or uses a component client, the cluster automatically authenticates the user and retrieves the user's information. This keeps user management secure while simplifying administration. MRS Manager also provides user groups for managing one or more users of the same type:

  • A user group is a set of users. Users in the system can exist independently or in a user group.
  • After a user is added to a user group to which roles are allocated, the role permission of the user group is assigned to the user.
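The role resolution described in the two passages above (roles 1 to 3 bound directly to users a to d, and roles inherited through a user group) can be modelled in a few lines. The following Python is an added illustration, not MRS Manager's implementation; the permission, role, user and group names in it are constructed for the example, and the `Manager` component check at the end reflects the rule that a role needs a Manager permission before its users can use MRS Manager.

```python
"""Toy model of the role-based permission resolution described on this page.

Constructed example: role, permission, user and group names below are made up
for illustration; they are not MRS Manager's internal identifiers.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """One permission, scoped the way Table 2 scopes it: a component plus an operation.

    component: a Table 2 row such as "Manager", "HDFS", "Hive" or "Yarn".
    operation: free text in this toy, e.g. "read:/user/data" (constructed).
    """
    component: str
    operation: str


@dataclass
class Role:
    name: str
    permissions: frozenset


@dataclass
class UserGroup:
    name: str
    roles: frozenset  # roles allocated to the group; inherited by its members


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # roles bound directly to the user
    groups: set = field(default_factory=set)  # user groups the user belongs to


class RbacStore:
    """Holds roles, groups and users and resolves a user's effective permissions."""

    def __init__(self):
        self.roles = {}
        self.groups = {}
        self.users = {}

    def add_role(self, name, *perms):
        self.roles[name] = Role(name, frozenset(perms))

    def add_group(self, name, *role_names):
        self._require_roles(role_names)  # refuse dangling role references
        self.groups[name] = UserGroup(name, frozenset(role_names))

    def add_user(self, name, roles=(), groups=()):
        self._require_roles(roles)
        missing = set(groups) - self.groups.keys()
        if missing:
            raise KeyError(f"unknown user groups: {sorted(missing)}")
        self.users[name] = User(name, set(roles), set(groups))

    def _require_roles(self, names):
        missing = set(names) - self.roles.keys()
        if missing:
            raise KeyError(f"unknown roles: {sorted(missing)}")

    def effective_roles(self, user_name):
        """Direct roles plus the roles of every group the user is in."""
        user = self.users[user_name]
        via_groups = set()
        for group in user.groups:
            via_groups |= self.groups[group].roles
        return frozenset(user.roles | via_groups)

    def effective_permissions(self, user_name):
        """Union of the permission sets of all effective roles."""
        perms = set()
        for role in self.effective_roles(user_name):
            perms |= self.roles[role].permissions
        return frozenset(perms)

    def is_allowed(self, user_name, component, operation):
        """Deny by default: unknown users and unlisted permissions are refused."""
        if user_name not in self.users:
            return False
        return Permission(component, operation) in self.effective_permissions(user_name)

    def can_use_manager(self, user_name):
        """A user can use MRS Manager only if some effective role carries a Manager permission."""
        return any(p.component == "Manager" for p in self.effective_permissions(user_name))


# Constructed permissions standing in for the page's A, B, C, D and F.
A = Permission("HDFS", "read:/user/data")
B = Permission("HDFS", "write:/user/data")
C = Permission("Hive", "read_write")
D = Permission("Yarn", "scheduler_queue:default")
F = Permission("Yarn", "cluster_admin")
MANAGER_LOGIN = Permission("Manager", "login")


def build_example_store():
    """Recreates the page's scenario: roles 1-3, users a-d, plus a constructed group."""
    store = RbacStore()
    store.add_role("role1", A, B)
    store.add_role("role2", C)
    store.add_role("role3", D, F)
    store.add_role("manager_login", MANAGER_LOGIN)
    store.add_group("analysts", "role2")              # constructed group carrying role 2
    store.add_user("a", roles={"role1", "role3"})
    store.add_user("b", roles={"role1"})
    store.add_user("c", groups={"analysts"})           # gets role 2 through the group
    store.add_user("d", roles={"manager_login"}, groups={"analysts"})
    return store
```

Running `build_example_store()` and calling `effective_permissions("a")` yields A, B, D and F, matching the worked example in the text, while user c holds only C, inherited from the group. The `can_use_manager` check is what the NOTE in the process overview describes: user a has HDFS and Yarn permissions but no Manager permission, so the model refuses Manager use until a Manager permission is added to one of the user's roles.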

The following table lists the user groups that are created by default on MRS Manager.

Table 3 Default user groups and description

User Group      Description
--------------  ------------------------------------------------------------------------------------------------------------------------
hadoop          Users added to this user group have the permission to submit tasks to all Yarn queues.
hbase           Common user group. Users added to this user group do not get any additional permission.
hive            Users added to this user group can use Hive.
supergroup      Users added to this user group have the administrator rights of HBase, HDFS, and Yarn and can use Hive.
flume           Common user group. Users added to this user group do not get any additional permission.
kafka           Kafka common user group. A user added to this user group can access a topic only after a user in the kafkaadmin group grants that user the read and write permission of the topic.
kafkasuperuser  Users added to this user group have the read and write permission of all topics.
kafkaadmin      Kafka administrator group. Users added to this user group have the rights to create, delete, authorize, read, and write all topics.
storm           Users added to this user group can submit topologies and manage their own topologies.
stormadmin      Users added to this user group have the Storm administrator rights and can submit topologies and manage all topologies.

User admin is created by default for MRS clusters with Kerberos authentication enabled and is used by administrators to maintain the clusters.

Process Overview

In practice, administrators must understand the service scenarios of MRS clusters and plan user permissions. Then, create roles and assign permissions to the roles on MRS Manager to meet service requirements. Administrators can create user groups on MRS Manager to manage users in one or more service scenarios of the same type.

NOTE:

If a role has HDFS, HBase, Hive, or Yarn permissions, it can use the corresponding functions of that component. To use MRS Manager itself, the corresponding Manager permission must also be added to the role.

Figure 1 Process of creating a user