# Privileges

This documentation describes how privileges work in the Alluxio system.

## Privilege model

Privileges are associated with groups. A user has a privilege if the user is a member of a group which has been granted that privilege. See the documentation for details about setting up users and groups.

## Enabling privilege checking

Privileges are disabled by default. To enable them, set `alluxio.security.privileges.enabled=true`. Privilege checking is done on the master, so this property needs to be in the master configuration when the master starts.

Privilege checking relies on being able to authenticate clients, so it is also required that `alluxio.security.authentication.type` be set to something besides `NOSASL`.
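The two requirements above can be checked before the master is started. The following script is an added example, not part of the Alluxio distribution: it reads a properties file and reports whether privilege checking is enabled and whether the authentication type would allow it to work. The function names, return codes and the `key=value` / `key: value` parsing are assumptions of this example, and the file to check is passed as an argument.

```shell
#!/bin/sh
# Added example (not Alluxio code): lint a master properties file for the two
# settings this page requires before privilege checks are enforced.

# prop_value FILE KEY: print the last value assigned to KEY (empty if unset).
# Accepts "key=value" and "key: value", trims whitespace, skips # and ! comments.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t]*[=:][ \t]*/)
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) last = v
        }
        END { print last }
    ' "$1"
}

# check_privilege_config FILE
#   0: privileges enabled, authentication type set and not NOSASL
#   1: privilege checking not enabled (the default)
#   2: enabled, but authentication type is NOSASL
#   3: enabled, but authentication type is not set in this file
# Assumption: values are compared case-insensitively, to err on the side of reporting.
check_privilege_config() {
    enabled=$(prop_value "$1" alluxio.security.privileges.enabled | tr '[:upper:]' '[:lower:]')
    auth=$(prop_value "$1" alluxio.security.authentication.type | tr '[:lower:]' '[:upper:]')
    if [ "$enabled" != "true" ]; then
        echo "privilege checking is not enabled in $1"
        return 1
    fi
    case "$auth" in
        NOSASL) echo "privileges enabled but authentication.type is NOSASL"; return 2 ;;
        "")     echo "authentication.type not set in $1; check it with bin/alluxio getConf"; return 3 ;;
        *)      echo "ok: privileges enabled, authentication.type=$auth"; return 0 ;;
    esac
}

# Usage: sh this-script <master-properties-file>
if [ "$#" -gt 0 ]; then
    check_privilege_config "$1"
fi
```

A result of 3 means the file alone does not decide the question; the effective value on the master can be read with `bin/alluxio getConf alluxio.security.authentication.type`.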

## Superuser privileges

Members of the supergroup (superusers) automatically have all privileges. The supergroup is defined by the `alluxio.security.authorization.permission.supergroup` property.

## Managing privileges

The `bin/alluxio privileges` shell command allows superusers to examine and modify group privileges.

### Listing privileges

List privileges for all groups. This functionality is only available to superusers.

```
$ bin/alluxio privileges list
```

List privileges for a specific group. Members of a group may list its privileges even if they are not superusers.

```
$ bin/alluxio privileges list -group <group>
```

List privileges for a specific user. Users may list their own privileges even if they are not superusers. This command will return the privileges granted to the user individually, as well as any privileges they are granted through a group they are a part of.

```
$ bin/alluxio privileges list -user <user>
```

### Granting privileges

Superusers can grant privileges to a group with the `grant` subcommand.

```
$ bin/alluxio privileges grant -group <group> -privileges [privilege ...]
```

### Revoking privileges

Superusers can revoke privileges from a group with the `revoke` subcommand. Note that the privileges of the supergroup cannot be modified.

```
$ bin/alluxio privileges revoke -group <group> -privileges [privilege ...]
```

## List of Alluxio Privileges

### FREE

The FREE privilege allows users to free files from Alluxio memory. This can be done through the [Alluxio Filesystem API](/ee-da-en/da-2.8/client-apis/fs-api.md).

### PIN

The PIN privilege allows users to pin or unpin files or directories in Alluxio. This can be done through the [Alluxio Filesystem API](/ee-da-en/da-2.8/client-apis/fs-api.md).

### REPLICATION

The REPLICATION privilege allows users to modify file replication levels and create new files with minimum replication set. This can be done through the [Alluxio Filesystem API](/ee-da-en/da-2.8/client-apis/fs-api.md).

### TTL

The TTL privilege allows users to modify the time to live (TTL) values of files and directories. This can be done through the [Alluxio Filesystem API](/ee-da-en/da-2.8/client-apis/fs-api.md).

## Troubleshooting privilege denied exceptions

You may encounter an exception like the following:

```
User <user> does not have privilege <privilege>
```

Check what privileges the problematic user has.

```
$ bin/alluxio privileges list -user <user>
```

To have a privilege, the user must either be in the supergroup or be in a group that has been granted the privilege.

Check the name of the Alluxio supergroup.

```
$ bin/alluxio getConf alluxio.security.authorization.permission.supergroup
```

Use the `groups` command to see what groups the user is in. This command should be run from the Alluxio master machine in case the master has a different group mapping from the client.

```
$ groups <user>
```

List the privileges for groups the user is in.

```
$ bin/alluxio privileges list -group <group>
```

To resolve the issue, either grant the missing privilege to one of the user's groups or add the user to a group that has the privilege, such as the supergroup.


