hadoop-hdfs-issues mailing list archives

From "Chunjun Xiao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7389) Named user ACL cannot stop the user from accessing the FS entity.
Date Tue, 11 Nov 2014 08:04:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14206105#comment-14206105

Chunjun Xiao commented on HDFS-7389:

Hi [~vinayrpet],
I think there's a bug in your patch:
         } else if (type == AclEntryType.GROUP) {
           // Use group entry (unnamed or named) with mask from permission bits
@@ -340,6 +341,7 @@ private void checkAccessAcl(INode inode, int snapshotId, FsAction access,
             foundMatch = true;
+            break;
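Review bot: the `break` added after `foundMatch = true;` in the `AclEntryType.GROUP` branch leaves the entry scan on the first matching group entry, so the union of permissions across all groups the user belongs to is never computed; with entries group:GRP1:--- and group:GRP2:rwx a member of both groups is decided by the first entry alone and denied. The early exit belongs in the named-user branch only; the group loop should keep accumulating matches as it did before this hunk.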
You shouldn't change the logic for the group; just changing the user logic is enough. Otherwise,
if a user USR1 belongs to several groups (e.g., GRP1 & GRP2, with ACL entries: group:GRP1:---,
group:GRP2:rwx), the user will be denied access, but he/she SHOULD have it.

> Named user ACL cannot stop the user from accessing the FS entity.
> -----------------------------------------------------------------
>                 Key: HDFS-7389
>                 URL: https://issues.apache.org/jira/browse/HDFS-7389
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: namenode
>    Affects Versions: 2.5.1
>            Reporter: Chunjun Xiao
>            Assignee: Vinayakumar B
>         Attachments: HDFS-7389-001.patch
> In http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/:
> {quote}
> It’s important to keep in mind the order of evaluation for ACL entries when a user attempts to access a file system object:
> 1. If the user is the file owner, then the owner permission bits are enforced.
> 2. Else if the user has a named user ACL entry, then those permissions are enforced.
> 3. Else if the user is a member of the file’s group or any named group in an ACL entry, then the union of permissions for all matching entries is enforced. (The user may be a member of multiple groups.)
> 4. If none of the above were applicable, then the other permission bits are enforced.
> {quote}
> Assume we have a user UserA from group GroupA. If we configure a directory with the following ACL entries:
> group:GroupA:rwx
> user:UserA:---
> According to the design spec above, UserA should have no access permission to the file object, while actually UserA still has rwx access to the dir.
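The four-step evaluation order quoted in the issue, and the union-versus-break point raised in the comment, as an added self-contained Python model. This is not HDFS code: the mask entry and snapshot handling are left out, the file's owning group is modelled as a named group entry, and the `break_on_first_group` switch reproduces the early exit the comment objects to; all user, group and owner names are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class AclEntry:
    kind: str   # "owner", "user", "group" or "other"
    name: str   # "" for the owner/other entries, else the user or group name
    perms: str  # rwx string, e.g. "rwx", "r-x", "---"


def parse_acl(spec: Iterable[str]) -> List[AclEntry]:
    """Parse lines such as 'user:UserA:---' or 'group:GroupA:rwx' (the issue's syntax)."""
    entries = []
    for line in spec:
        kind, name, perms = line.split(":")
        entries.append(AclEntry(kind, name, perms))
    return entries


def union(perm_list: Sequence[str]) -> str:
    # Bitwise OR of rwx strings: a bit is granted if any matching entry grants it.
    return "".join(bit if any(p[i] == bit for p in perm_list) else "-"
                   for i, bit in enumerate("rwx"))


def effective_perms(entries, owner, user, groups, break_on_first_group=False):
    """Permissions `user` receives, following the order quoted in HDFS-7389.
    break_on_first_group=True stops the group scan at the first match, which
    is the behaviour the comment argues against (no union across groups)."""
    if user == owner:                               # 1. owner bits
        return next(e.perms for e in entries if e.kind == "owner")
    for e in entries:                               # 2. named user entry, even "---"
        if e.kind == "user" and e.name == user:
            return e.perms
    matched = []                                    # 3. union of all matching groups
    for e in entries:
        if e.kind == "group" and e.name in groups:
            matched.append(e.perms)
            if break_on_first_group:
                break
    if matched:
        return union(matched)
    return next(e.perms for e in entries if e.kind == "other")  # 4. other bits


def has_access(perms: str, requested: str) -> bool:
    """True if every bit in `requested` (e.g. 'r-x') is granted by `perms`."""
    return all(r == "-" or r == p for r, p in zip(requested, perms))
```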
