File and Directory ACEs

Describes how to set permissions for files and directories.

File ACE allows you to define access (whitelist and blacklist) to files and directories for a combination of users, groups, and roles. If ACEs are not set, POSIX mode bits for the file or directory will be used to grant or deny access to the file or directory.

When ACEs are set, by default, the corresponding POSIX mode bits are also set/reset to match the permissions granted through ACEs. For more information, see Setting/Modifying File and Directory ACEs. By default, if:

  • Both ACEs and POSIX mode bits are available, access is granted (only) if access is allowed through ACEs or POSIX mode bits.
  • No ACEs are available, POSIX mode bits will be used to grant access.
  • Neither ACEs nor POSIX mode bits are available, access will be denied.

The owner of the file or directory (and mapr and root users) can set, modify, and remove ACEs for that file or directory using hadoop mfs commands.

File ACEs

You can set and modify permissions to read, write, and execute files using the hadoop mfs command or the Java API. Specifically, the following access types are supported.

Access Type Description
Command-Line Java API (Enum)
-readfile READFILE Read a file.
-writefile WRITEFILE Write to a file.
-executefile EXECUTEFILE Execute a file.

For more information, see hadoop mfs and Java API.

Directory ACEs

You can set the same ACEs on directories as for files. In addition, directory ACEs support permissions to list, add child, delete child, and lookup directories using hadoop mfs command. Specifically, the following access types are supported.

Access Type Description
Command-Line Java API (Enum)
-readfile READFILE Read a file.
-writefile WRITEFILE Write to a file.
-executefile EXECUTEFILE Execute a file.
-readdir READDIR List the contents of a directory. This access is required to write and/or execute files in the directory.
-lookupdir LOOKUPDIR Lookup a file in a directory. This access is required to find, read, write, and/or execute files in the directory.
-addchild ADDCHILD Add a file or subdirectory.
-deletechild DELETECHILD Delete a file or subdirectory.

Although you can set both file and directory ACEs on directories, only the directory ACEs are used for determining access to the directory. The file ACE on the directory is used as the default ACE setting for new files under that directory.

By default, when you set ACEs on a parent directory:

  • Permissions for existing files and subdirectories under that parent remain unchanged.
  • New files under that parent will inherit the file ACEs and corresponding POSIX mode bits of the parent directory, if available. Otherwise, new files will get the default ACE, the empty string (""), which indicates that no one has permissions to read, write, or execute the file and POSIX mode bits are set on the file in the traditional way.
  • New subdirectories under that parent will inherit both the directory and files ACEs and corresponding POSIX mode bits from the parent directory.
Note: When accessing files and directories, the ACEs on files have no effect on accessing the parent directory.