MapR 5.0 Documentation : Creating Cluster-Level ACLs

A cluster-level Access Control List (ACL) determines who has access to a cluster and which actions they are allowed to perform. ACLs on a secure MapR cluster are predicated on a locally managed OS registry.

Before you create an ACL that applies to a particular group, you must create that group and assign users to it.

For example, the Red Hat Linux commands for creating a group called developers and adding a user named jsmith on a locally managed OS registry are:

groupadd developers
useradd -g developers jsmith

Creating Cluster-level ACLs

Once users and groups have been defined, an administrator can create a cluster-level ACL in either of two ways:

  • From the MapR Control System (MCS)
  • From the command line

Creating an ACL From the MCS

Click on Permissions under System Settings in the navigation pane.

In the dialog box, add users or groups and select permission levels from the pull-down menu next to each entry.

Each allowed action has a permission code associated with it. The codes are explained below.

Permission Code    Allowed Action

login              Log in to the MapR Control System, use the API and command-line interface, read access on cluster and volumes
ss                 Start/stop services
cv                 Create volumes
a                  Administrative access to cluster ACLs. Grants no other permissions.
fc                 Full control over the cluster. This enables all cluster-related administrative options with the exception of changing the cluster ACLs.

Creating an ACL From the Command Line

To create an ACL at the command line, use the acl set command. Include spaces between multiple entries, such as a list of usernames and their associated permission levels (or actions). The syntax is:

maprcli acl set -type volume -name <volume name> [-group <groupname>:<action> -user <username>:<action>]

The acl set command removes previously set permissions if they are not explicitly called out in the command line.

Other ACL commands include:

  • acl edit - to modify permissions in an ACL (use this command instead of acl set to change some permissions while leaving others intact)
  • acl show - to display permissions in an ACL

Example Cluster-level ACL

To create an ACL for a cluster named <cluster name> that allows administration of cluster ACLs to user root and control over all other aspects of the cluster to all users in the developers group, enter this command:

maprcli acl set -type cluster -cluster <cluster name> -user root:a -group developers:fc

Now suppose you want to change the developers group permissions so they can only log in and start or stop services. Use the acl edit command as shown:

maprcli acl edit -type cluster -cluster <cluster name> -group developers:login,ss

Note that only the developers group's permissions change, while the user named root retains control over the cluster's ACL settings.
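
The difference between acl set and acl edit can be checked before a change is applied. The following is an added example, not part of the MapR documentation or tooling: it models the two commands offline using the -user/-group entry format shown above and reports which principals would lose permissions, and whether anyone would still hold the a code afterwards. All function names are hypothetical, and permission codes are compared as opaque strings.

```python
# Added example: models the page's `acl set` / `acl edit` semantics offline.
# Function names are hypothetical; nothing here calls maprcli.

def parse_entries(args):
    """Turn ['-user', 'root:a', '-group', 'developers:login,ss'] into a dict."""
    if len(args) % 2:
        raise ValueError("each -user/-group flag needs a value")
    acl = {}
    for flag, value in zip(args[0::2], args[1::2]):
        if flag not in ("-user", "-group"):
            raise ValueError(f"unexpected flag: {flag}")
        for entry in value.split():          # multiple entries are space-separated
            name, _, actions = entry.partition(":")
            if not name or not actions:
                raise ValueError(f"malformed entry: {entry}")
            acl[(flag[1:], name)] = set(actions.split(","))
    return acl

def apply_set(current, entries):
    """acl set: anything not named in the command is dropped."""
    return dict(entries)

def apply_edit(current, entries):
    """acl edit: named principals are replaced, all others are kept."""
    return {**current, **entries}

def lost_access(before, after):
    """Map each principal to the permission codes it would lose."""
    lost = {}
    for principal, actions in before.items():
        removed = actions - after.get(principal, set())
        if removed:
            lost[principal] = removed
    return lost

def acl_admins(acl):
    """Principals holding 'a', the only code that allows changing the ACL."""
    return sorted(p for p, actions in acl.items() if "a" in actions)

if __name__ == "__main__":
    # Constructed input: the ACL and the change from the example above.
    current = parse_entries(["-user", "root:a", "-group", "developers:fc"])
    change = parse_entries(["-group", "developers:login,ss"])
    for name, apply in (("edit", apply_edit), ("set", apply_set)):
        after = apply(current, change)
        print(name, "loses:", lost_access(current, after),
              "ACL admins left:", acl_admins(after))
```

Running the same change through apply_set instead of apply_edit shows root's a entry disappearing, which leaves no principal able to modify the cluster ACL.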