hadoop-hdfs-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-7389) Named user ACL cannot stop the user from accessing the FS entity.
Date Tue, 11 Nov 2014 21:34:36 GMT

     [ https://issues.apache.org/jira/browse/HDFS-7389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Nauroth updated HDFS-7389:
       Resolution: Fixed
    Fix Version/s: 2.7.0
           Status: Resolved  (was: Patch Available)

I have committed this to trunk and branch-2.  Chunjun, thank you for reporting the bug.  Vinay,
thank you for providing the patch.

> Named user ACL cannot stop the user from accessing the FS entity.
> -----------------------------------------------------------------
>                 Key: HDFS-7389
>                 URL: https://issues.apache.org/jira/browse/HDFS-7389
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: namenode
>    Affects Versions: 2.5.1
>            Reporter: Chunjun Xiao
>            Assignee: Vinayakumar B
>             Fix For: 2.7.0
>         Attachments: HDFS-7389-001.patch, HDFS-7389-002.patch
> In http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/:
> {quote}
> It’s important to keep in mind the order of evaluation for ACL entries when a user attempts to access a file system object:
> 1. If the user is the file owner, then the owner permission bits are enforced.
> 2. Else if the user has a named user ACL entry, then those permissions are enforced.
> 3. Else if the user is a member of the file’s group or any named group in an ACL entry, then the union of permissions for all matching entries are enforced.  (The user may be a member of multiple groups.)
> 4. If none of the above were applicable, then the other permission bits are enforced.
> {quote}
> Assume we have a user UserA from group GroupA. If we configure a directory with the following ACL entries:
> group:GroupA:rwx
> user:UserA:---
> According to the design spec above, UserA should have no access permission to the file object, while actually UserA still has rwx access to the dir.

This message was sent by Atlassian JIRA
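
An added example, not part of the original message and not HDFS's own code: a small Python model of the four-step evaluation order quoted above, applied to the UserA/GroupA case, with a helper that lists named-user entries whose restriction only holds if step 2 is evaluated before step 3. All class and function names, the owner `hdfs`, the group `supergroup` and the users UserB and UserC are constructed for illustration; the ACL mask is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class AclNode:
    """Constructed model of a file or directory; the ACL mask is left out."""
    owner: str
    group: str
    owner_perm: str
    group_perm: str
    other_perm: str
    named_users: dict = field(default_factory=dict)   # user name  -> "rwx" string
    named_groups: dict = field(default_factory=dict)  # group name -> "rwx" string

def union(perms):
    """Position-wise union of permission strings such as 'r-x' and '-w-'."""
    return "".join(c if any(p[i] == c for p in perms) else "-"
                   for i, c in enumerate("rwx"))

def group_perms(node, groups):
    """Step 3 alone: union over the owning group and matching named groups, or None."""
    matched = [node.group_perm] if node.group in groups else []
    matched += [p for g, p in node.named_groups.items() if g in groups]
    return union(matched) if matched else None

def effective_perms(node, user, groups):
    """Permissions enforced for `user` under the four-step order quoted above."""
    if user == node.owner:                      # step 1
        return node.owner_perm
    if user in node.named_users:                # step 2: wins even if it grants nothing
        return node.named_users[user]
    from_groups = group_perms(node, groups)     # step 3
    if from_groups is not None:
        return from_groups
    return node.other_perm                      # step 4

def entries_relying_on_precedence(node, membership):
    """Named-user entries that grant less than the user's groups would.
    `membership` maps user name -> set of group names."""
    flagged = {}
    for user, perm in node.named_users.items():
        via_groups = group_perms(node, membership.get(user, set()))
        if user != node.owner and via_groups and any(
                g != "-" and u == "-" for u, g in zip(perm, via_groups)):
            flagged[user] = (perm, via_groups)
    return flagged

# Constructed data mirroring the report: group:GroupA:rwx, user:UserA:---
DIR = AclNode("hdfs", "supergroup", "rwx", "r-x", "---",
              named_users={"UserA": "---"}, named_groups={"GroupA": "rwx"})
MEMBERS = {"UserA": {"GroupA"}, "UserB": {"GroupA"}, "UserC": set()}
```

The entries returned by `entries_relying_on_precedence` are the ones worth re-testing on a cluster running a version the issue lists as affected, since their deny intent depends on the named-user entry being enforced ahead of group membership.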
