ACL vs ACE in MapR Security level architecture

Discussion created by anilmapr on Aug 24, 2016

The design of the MapR security architecture takes into account the main threats to a secure cluster. By default, MapR provides basic authorization functionality and some authentication:

  • Filesystem permissions: MapR-FS is a POSIX-like file system. You can set user permissions as you would on any other Linux system.
  • Cluster, volume, and job queue Access Control Lists (ACLs): You can specify the actions that a given user can perform on each of these cluster elements.
  • Access Control Expressions (ACEs) for natively stored MapR-DB tables. ACEs control which areas of the tables users or groups can access.
  • Username/password login authentication to the MapR Control System (MCS) through Pluggable Access Modules (PAM). You can use any registry that has a PAM module.

ACL: Access Control Lists


An Access Control List (ACL) is a list of users or groups. Each user or group in the list is paired with a defined set of permissions that limit the actions that the user or group can perform on the object secured by the ACL. In MapR, the objects secured by ACLs are the job queue, volumes, and the cluster itself.

A job queue ACL controls who can submit jobs to a queue, kill jobs, or modify their priority. A volume-level ACL controls which users and groups have access to that volume, and what actions they may perform, such as mirroring the volume, altering the volume properties, dumping or backing up the volume, or deleting the volume.

ACE: Access Control Expressions

An Access Control Expression (ACE) is a combination of user, group, and role definitions. A role is a property of a user or group that defines a set of behaviors that the user or group performs regularly. You can use roles to implement your own custom authorization rules. ACEs are used to secure MapR-DB tables that use native storage. See Enabling Table Authorizations with Access Control Expressions.



For more information: Security Architecture - MapR 5.0 Documentation


This is really useful for dealing with permissions for particular users or groups.
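
An added example, not part of the original post or MapR's own code, contrasting the two models described above: an ACL as a list of principal/permission pairs and an ACE as a boolean expression over users, groups and roles. The `u:`/`g:`/`r:` prefixes with `&`, `|`, `!` and parentheses follow MapR's documented ACE syntax; the sample user, the action names and the operator precedence (`!`, then `&`, then `|`) are assumptions.

```python
import re

# Constructed sample data: the user, group, role and action names are hypothetical.
ALICE = {"name": "alice", "groups": {"analysts"}, "roles": {"auditor"}}
# ACL model: each entry pairs a user or group with the actions it may perform.
VOLUME_ACL = [("user", "bob", {"dump", "delete"}),
              ("group", "analysts", {"dump"})]
TOKEN = re.compile(r"[ugr]:[\w.-]+|[()&|!]")

def acl_allows(acl, user, action):
    """ACL check: some entry naming the user or one of their groups lists the action."""
    return any(action in acts and name in ({user["name"]} if kind == "user" else user["groups"])
               for kind, name, acts in acl)

def ace_allows(expr, user):
    """ACE check: evaluate a boolean expression for one user.
    An empty ACE denies; a malformed one raises ValueError (callers should deny)."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("malformed ACE")
    if not tokens:
        return False

    def atom():
        t = tokens.pop(0) if tokens else ""
        if t == "!":
            return not atom()
        if t == "(":
            value = either()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        if ":" not in t:
            raise ValueError(f"unexpected token {t!r}")
        kind, name = t.split(":", 1)
        return name in {"u": {user["name"]}, "g": user["groups"], "r": user["roles"]}[kind]
    def chain(op, operand):
        value = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()  # always parse the right side before combining
            value = (value and rhs) if op == "&" else (value or rhs)
        return value
    def both(): return chain("&", atom)
    def either(): return chain("|", both)
    result = either()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result
```

The ACL can only grant by listing a principal, while the ACE can also exclude one, as in `g:analysts & !r:contractor`.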