Managing Whole Volume ACEs
You can use whole volume ACEs to grant users, groups, and roles permissions on the volume data. Whole volume ACEs let you define whitelists (to grant access) and blacklists (to deny access) for files and tables within a volume.
Volume administrators and the mapr user can set and modify whole volume ACEs. By default, the volume-level ACEs grant everyone read and write access to files and tables in the volume; inside the volume, however, access is determined as follows:
- For files, the file ACEs or POSIX mode bits are used.
- For tables, the table ACEs are used.
Supported Access Types
At the volume level, the following access types are supported:
Access Type | Description |
---|---|
-readAce | Read files, MapR-DB binary tables, MapR-DB JSON tables, and MapR streams in the volume. By default, this is set to p to grant all users this permission. |
-writeAce | Write to files, MapR-DB binary tables, MapR-DB JSON tables, and MapR streams in the volume. By default, this is set to p to grant all users this permission. |
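The following Python sketch is an added example, not MapR code. It evaluates a whitelist or blacklist expression of the kind set in -readAce against a user, and shows the volume ACE acting as a gate before the file ACE is consulted. The expression grammar (p, u:, g:, r:, !, &, |, parentheses), the operator precedence, and all user and group names are assumptions that are not stated on this page.

```python
import re

# Assumed ACE expression grammar (general MapR ACE syntax, not shown on this page):
#   p = everyone, u:<user>, g:<group>, r:<role>, operators ! & | and parentheses.
#   An empty expression matches nobody. Precedence assumed here: ! then & then |.
TOKEN = re.compile(r"[()!&|]|p(?![\w:])|[ugr]:[\w.-]+")

def tokenize(expr):
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):  # something was not a token
        raise ValueError(f"bad ACE expression: {expr!r}")
    return toks

def allowed(expr, user, groups=(), roles=()):  # True if the principal matches
    ids = {f"u:{user}"} | {f"g:{g}" for g in groups} | {f"r:{r}" for r in roles}
    stack = ["<end>"] + tokenize(expr)[::-1]   # pop() yields the next token

    def atom():
        t = stack.pop()
        if t == "!":
            return not atom()
        if t == "(":
            v = chain("|")
            if stack.pop() != ")":
                raise ValueError("missing ')'")
            return v
        if t in (")", "&", "|", "<end>"):
            raise ValueError(f"unexpected {t!r}")
        return t == "p" or t in ids

    def chain(op):  # a "|" chain is made of "&" chains, which are made of atoms
        operand = atom if op == "&" else (lambda: chain("&"))
        v = operand()
        while stack[-1] == op:
            stack.pop()
            rhs = operand()  # always evaluated so its tokens are consumed
            v = (v and rhs) if op == "&" else (v or rhs)
        return v

    if len(stack) == 1:
        return False  # empty ACE: nobody is granted access
    result = chain("|")
    if stack != ["<end>"]:
        raise ValueError("unbalanced or trailing tokens")
    return result

def can_read(volume_ace, file_ace, user, groups=()):
    # The volume ACE is the outer gate; the file's own ACE then decides.
    return allowed(volume_ace, user, groups) and allowed(file_ace, user, groups)
```

With the default volume ACE of p, `can_read` reduces to the file ACE alone; tightening the volume ACE denies a user even when the file ACE is p.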
ACE Behavior on Snapshots and Mirrors
Volume Snapshots
Volume snapshots reflect the ACEs of the volume at that point in time. Changes in volume ACEs:
- Are carried over to a new snapshot of the volume.
- Do not propagate to older snapshots of the volume.
Volume Mirrors
ACEs of a volume are propagated to mirror volumes. After each mirroring operation, mirror volumes reflect the current ACE setting of their source volume. After a mirror volume is promoted to a read-write volume, you can modify the ACEs on the mirror volume from the command line. ACEs on the promoted mirror volume can be different from the source volume.