Managing Whole Volume ACEs

You can grant permissions (using ACEs) to users, groups, and roles for the volume data using whole volume ACEs. Whole volume ACEs allow you to define whitelists, to grant access, and blacklists, to deny access, for files and tables within a volume.

Volume administrators and mapr user can set and modify whole volume ACEs. By default, ACEs grant everyone access to read and write to files and tables in the volume at the volume-level; however, inside the volume, to determine access for:

  • Files, the file ACEs or POSIX mode bits are used.
  • Tables, the table ACEs are used.

Supported Access Types

At the volume level, the following access types are supported:

Access Type Description
-readAce Read files, MapR Database binary tables, MapR Database JSON tables, and MapR streams in the volume. By default, this is set to p to grant all users this permission.
-writeAce Write to files, MapR Database binary tables, MapR Database JSON tables, and MapR streams in the volume. By default, this is set to p to grant all users this permission.

ACE Behavior on Snapshots and Mirrors

Volume Snapshots

Volume snapshots reflect the ACEs of the volume at that point in time. Changes in volume ACEs:

  • Are carried over to a new snapshot of the volume.
  • Do not propagate to older snapshots of the volume.

Volume Mirrors

ACEs of a volume are propagated to mirror volumes. After each mirroring operation, mirror volumes reflect the current ACE setting of their source volume. After a mirror volume is promoted to a read-write volume, you can modify the ACEs on the mirror volume from the command line. ACEs on the promoted mirror volume can be different from the source volume.