hadoop-hdfs-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Nauroth <cnaur...@hortonworks.com>
Subject Re: Clarification related to ACL with setPermission
Date Tue, 25 Nov 2014 22:13:49 GMT
Hi Vinay,

The behavior you described is correct according to the POSIX ACL model.
The reason for this is that once a file has an ACL, its group permission
bits are then used as the mask entry, which filters the permissions applied
to named user entries, named group entries, and the unnamed group entry.  A
subsequent setPermission doesn't change the group entry.  Instead, it
changes the mask.  Our docs describe this in more detail here:

http://hadoop.apache.org/docs/r2.5.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists

I know you've seen this doc, but I'm linking it for the benefit of others
reading the thread.  On HDFS-4685, the design doc and its references
provide more rationale for how the mask works.

In your example, running hdfs dfs -setfacl -m group:group2:r-x also has a
side effect of updating the mask entry to the union of permissions on all
named user entries, named group entries, and the unnamed group entry.  This
explains why the operations in your example aren't commutative, and
swapping steps 2 and 3 gives a different result.  You can always override
the automatic mask calculation by providing it explicitly in setfacl
commands, i.e. hdfs dfs -setfacl -m group:group2:r-x,mask::---.

Chris Nauroth
Hortonworks
http://hortonworks.com/


On Tue, Nov 11, 2014 at 10:28 AM, Vinayakumar B <vinayakumarb@apache.org>
wrote:

> Hi,
>
> Here is the scenario.
>
> 1. owner : *user1, *ownerGroup: *group1*
> *2. /dir *have permissions set 700 (rwx------) using setPermission().
> 3. Now another Named group ACL has been set to allow access to another
> group
>      group:*group2:r-x*
> 4. Now, when */dir is *accessed from a user belongs to *group2, *Its
> success.
>
> 5. But, the steps #2 and #3 are inter-changed, i.e. setPermission (700)
> later, then dir is not given access for a user belongs to *group2.*
>
> This is same as linux behaviour. But ideally, access should be given,
> regardless of the order of setting acl and setting permission.
>
> Any thoughts on this?
>
> Regards,
> Vinay
>

-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message