No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


FusionInsight HD 6.5.0 Administrator Guide 02

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Rights Mechanism

Rights Mechanism

FusionInsight adopts the Lightweight Directory Access Protocol (LDAP) to store data of users and user groups. Information about role definitions is stored in the relational database and the mapping between roles and rights is saved in components.

FusionInsight uses Kerberos for unified authentication.

The verification process of user rights is as follows:

  1. A client (a user terminal or FusionInsight component service) invokes the FusionInsight authentication interface.
  2. FusionInsight uses the login username and password for Kerberos authentication.
  3. If the authentication succeeds, the client sends a request for accessing the server (a FusionInsight component service).
  4. The server finds the user group and role to which the login user belongs.
  5. The server obtains all rights of the user group and the role.
  6. The server determines whether the client has the permission to access the resources it applies for.


There are three files in HDFS, fileA, fileB, and fileC.

  • roleA has read and write permissions for fileA and roleB has the read permission for fileB.
  • groupA is bound to roleA and groupB is bound to roleB.
  • userA belongs to groupA and roleB, and userB belongs to groupB.

When userA successfully logs in to the system and accesses HDFS:

  1. HDFS obtains the role (roleB) to which userA is bound.
  2. HDFS also obtains the role (roleA) to which the user group of userA is bound.
  3. In this case, userA has all the rights of roleA and roleB.
  4. As a result, userA has read and write permissions for fileA, has the read permission on fileB, and has no permission for fileC.

Similarly, when userB successfully logs in to the system and accesses HDFS:

  1. userB only has the rights of roleB.
  2. As a result, userB has the read permission on fileB, and has no permissions for fileA and fileC.
Updated: 2019-05-17

Document ID: EDOC1100074522

Views: 6031

Downloads: 12

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next