hadoop-hdfs-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5612) NameNode: change all permission checks to enforce ACLs in addition to permissions.
Date Thu, 09 Jan 2014 18:53:51 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13866906#comment-13866906 ]

Chris Nauroth commented on HDFS-5612:
-------------------------------------

I'm going to put this patch on hold for now.

In a separate patch, I'm exploring the possibility of mapping the ACL owner/mask/other entries
into the owner/group/other permission bits.  (Things like chmod g+w on a file with an ACL
result in setting the mask entry.)  Currently, my approach is to keep all of these entries
in the ACL itself and then add some code to keep their values consistent with the permission
bits.  If instead I use the group permission bits as the only location for the mask entry,
then we get some potential benefits.  There is less impact to existing code (likely no need
to change {{setPermission}} at all, because the existing implementation will just do the right
thing).  There are fewer opportunities for bugs related to keeping the 2 data sources in sync.
 We also could see a minor reduction of memory utilization by storing fewer elements into
the {{AclFeature}}, also resulting in greater likelihood of de-duplication when we do the
Global ACL Set patch.

If we do this, then I expect a bit more complexity in {{FSPermissionChecker}} as a consequence.
 The basic logic would remain the same, but {{checkAcl}} would need to inspect both the permission
bits and the ACL entry list instead of just the ACL entry list.  I want to understand that
complexity trade-off better, so while I explore that, let's put this code review on hold.

> NameNode: change all permission checks to enforce ACLs in addition to permissions.
> ----------------------------------------------------------------------------------
>
>                 Key: HDFS-5612
>                 URL: https://issues.apache.org/jira/browse/HDFS-5612
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-5612.1.patch, HDFS-5612.2.patch
>
>
> All {{NameNode}} code paths that enforce permissions must be updated so that they also enforce ACLs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
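
The design option discussed in the comment above, as an added example that is not part of the original message and not Hadoop's code: a self-contained model of an access check in which the group permission bits double as the ACL mask entry, so the check has to read both the permission bits and the ACL entry list. The class, record and method names are hypothetical, and the evaluation order follows the POSIX ACL draft algorithm as an assumption.

```java
import java.util.List;
import java.util.Set;

// Hypothetical model, not Hadoop code: owner, mask and other live in the
// permission bits; the entry list holds only named entries and the group entry.
public class AclMaskInGroupBits {
    // name == null marks the unnamed (owning group) entry; perm is an rwx value 0-7.
    record Entry(boolean isUser, String name, int perm) {}

    static boolean check(String user, Set<String> groups, String owner, String owningGroup,
                         int mode, List<Entry> acl, int want) {
        int ownerBits = (mode >> 6) & 7, groupBits = (mode >> 3) & 7, otherBits = mode & 7;
        if (user.equals(owner)) return (ownerBits & want) == want;   // mask never limits the owner
        if (acl.isEmpty()) {                                         // no ACL: classic check
            int bits = groups.contains(owningGroup) ? groupBits : otherBits;
            return (bits & want) == want;
        }
        int mask = groupBits;                                        // group bits now hold the mask
        for (Entry e : acl)                                          // named user: first match decides
            if (e.isUser() && user.equals(e.name())) return (e.perm() & mask & want) == want;
        boolean inAnyGroup = false;
        for (Entry e : acl) {
            if (e.isUser()) continue;
            String g = e.name() == null ? owningGroup : e.name();
            if (groups.contains(g)) {
                inAnyGroup = true;
                if ((e.perm() & mask & want) == want) return true;   // any matching group may grant
            }
        }
        // A matched group that did not grant denies outright; "other" is not consulted.
        return !inAnyGroup && (otherBits & want) == want;
    }

    public static void main(String[] args) {
        // Constructed sample: owner alice, group staff, mode 0640 (mask r--),
        // ACL user:bob:rw-, group::r--, group:ops:rwx.
        List<Entry> acl = List.of(new Entry(true, "bob", 6), new Entry(false, null, 4),
                                  new Entry(false, "ops", 7));
        System.out.println(check("bob", Set.of("dev"), "alice", "staff", 0640, acl, 4));   // read
        System.out.println(check("bob", Set.of("dev"), "alice", "staff", 0640, acl, 2));   // write
        System.out.println(check("carol", Set.of("ops"), "alice", "staff", 0660, acl, 2)); // after chmod g+w
        System.out.println(check("dave", Set.of("ops"), "alice", "staff", 0644, acl, 2));  // other bits unused
    }
}
```

The third call uses mode 0660 to model the chmod g+w case from the comment: only the group bits change, and the named entries become more permissive because those bits are the mask.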
