Date: Tue, 11 Feb 2014 21:55:19 +0000 (UTC)
From: "Haohui Mai (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-5923) Do not persist the ACL bit in the FsPermission

[ https://issues.apache.org/jira/browse/HDFS-5923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13898370#comment-13898370 ]

Haohui Mai commented on HDFS-5923:
----------------------------------

The v0 patch takes a more aggressive approach, which removes the ACL bit completely. The rationale is the following:

# Some applications might assume that {{FsPermission}} stays within the range of 0~0777. Changing {{FsPermission}} might lead to unexpected issues.
# There are not many users who care about whether the file has an ACL, except for ls. Since ls is not in the critical path, ls can make a separate {{getAclStatus()}} call to calculate the ACL bit.

> Do not persist the ACL bit in the FsPermission
> ----------------------------------------------
>
>                 Key: HDFS-5923
>                 URL: https://issues.apache.org/jira/browse/HDFS-5923
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: hdfs-client, namenode, security
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>         Attachments: HDFS-5923.000.patch
>
>
> The current implementation persists an ACL bit in FSImage and editlogs. Moreover, the security decisions also depend on whether the bit is set.
> The problem here is that we have to maintain the implicit invariant, which is that the ACL bit is set if and only if the inode has AclFeature. The invariant has to be maintained everywhere; otherwise it can lead to a security vulnerability. In the worst case, an attacker can toggle the bit and bypass the ACL checks.
> The jira proposes to treat the ACL bit as a transient bit. The bit should not be persisted onto the disk, nor should it affect any security decisions.

--
This message was sent by Atlassian JIRA (v6.1.5#6160)
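
Added example (not part of the original message and not Hadoop source code): a simplified Java model of the proposal, in which the ACL bit is derived from the presence of the ACL feature, is masked out on load and save, and is never consulted by the access check. The record types, the ACL bit position and the single-entry ACL lookup are assumptions made for illustration.

```java
import java.util.List;

// Simplified model of the HDFS-5923 proposal; not Hadoop source code.
public class TransientAclBit {
    static final int ACL_BIT = 1 << 12;   // assumed bit position, illustration only
    static final int PERM_MASK = 0777;    // the 0~0777 range applications expect

    // Hypothetical on-disk record: permission bits plus ACL entries (may be empty).
    record StoredInode(int permBits, List<String> aclEntries) {}

    // In-memory inode: aclFeature is null when the inode has no ACL.
    record Inode(int perm, List<String> aclFeature) {
        boolean hasAcl() { return aclFeature != null; }   // derived, never stored
    }

    // Loading masks the stored bits, so whatever ACL bit is on disk is ignored.
    static Inode load(StoredInode s) {
        List<String> acl = s.aclEntries().isEmpty() ? null : List.copyOf(s.aclEntries());
        return new Inode(s.permBits() & PERM_MASK, acl);
    }

    // Saving writes only 0~0777; the ACL bit never reaches the image.
    static StoredInode save(Inode i) {
        return new StoredInode(i.perm() & PERM_MASK,
                i.hasAcl() ? i.aclFeature() : List.of());
    }

    // The access check branches on the ACL feature itself, not on a bit.
    // Simplified: one named-user read entry, or the "other" read bit.
    static boolean mayRead(Inode i, String user) {
        if (i.hasAcl()) {
            return i.aclFeature().contains("user:" + user + ":r");
        }
        return (i.perm() & 0004) != 0;
    }

    // What ls would display: the bit is computed at display time.
    static int displayBits(Inode i) {
        return i.perm() | (i.hasAcl() ? ACL_BIT : 0);
    }

    public static void main(String[] args) {
        // Constructed record: mode 0644, an ACL naming only alice, and no
        // ACL bit in the stored permission bits (as if it had been toggled off).
        Inode f = load(new StoredInode(0644, List.of("user:alice:r")));
        System.out.println("alice may read: " + mayRead(f, "alice"));
        System.out.println("bob may read:   " + mayRead(f, "bob"));
        System.out.println("ls bits:        " + Integer.toOctalString(displayBits(f)));
        System.out.println("persisted bits: " + Integer.toOctalString(save(f).permBits()));
    }
}
```

In this model bob is denied even though mode 0644 alone would grant read, because the decision depends only on whether the ACL entries exist, not on any stored bit.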