hadoop-hdfs-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7389) Named user ACL cannot stop the user from accessing the FS entity.
Date Tue, 11 Nov 2014 21:44:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207138#comment-14207138 ]

Hudson commented on HDFS-7389:

SUCCESS: Integrated in Hadoop-trunk-Commit #6515 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6515/])
HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by
Vinayakumar B. (cnauroth: rev 163bb55067bde71246b4030a08256ba9a8182dc8)
* hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
* hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
* hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java

> Named user ACL cannot stop the user from accessing the FS entity.
> -----------------------------------------------------------------
>                 Key: HDFS-7389
>                 URL: https://issues.apache.org/jira/browse/HDFS-7389
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: namenode
>    Affects Versions: 2.5.1
>            Reporter: Chunjun Xiao
>            Assignee: Vinayakumar B
>             Fix For: 2.7.0
>         Attachments: HDFS-7389-001.patch, HDFS-7389-002.patch
> In http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/:
> {quote}
> It’s important to keep in mind the order of evaluation for ACL entries when a user attempts to access a file system object:
> 1. If the user is the file owner, then the owner permission bits are enforced.
> 2. Else if the user has a named user ACL entry, then those permissions are enforced.
> 3. Else if the user is a member of the file’s group or any named group in an ACL entry, then the union of permissions for all matching entries are enforced.  (The user may be a member of multiple groups.)
> 4. If none of the above were applicable, then the other permission bits are enforced.
> {quote}
> Assume we have a user UserA from group GroupA. If we configure a directory with the following ACL entries:
> group:GroupA:rwx
> user:UserA:---
> According to the design spec above, userA should have no access permission to the file object, while actually userA still has rwx access to the dir.

This message was sent by Atlassian JIRA
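
The evaluation order quoted in the report, as an added example (not HDFS code and not part of the original message): a small Python model in which the first matching step decides, so the report's `user:UserA:---` entry takes precedence over `group:GroupA:rwx`. The `Inode` class, the function names, and the owner and group values are assumptions made for illustration, and the ACL mask entry is not modeled.

```python
# Added example: a model of the four-step evaluation order quoted above.
# Not HDFS code; all names are hypothetical and the ACL mask is not modeled.
from dataclasses import dataclass, field

@dataclass
class Inode:
    owner: str
    group: str
    owner_perms: str                                  # e.g. "rwx"
    group_perms: str
    other_perms: str
    named_users: dict = field(default_factory=dict)   # user  -> perms
    named_groups: dict = field(default_factory=dict)  # group -> perms

def _union(perm_strings):
    """Union of 3-character rwx strings, e.g. ["r--", "-w-"] -> "rw-"."""
    return "".join(c if any(p[i] == c for p in perm_strings) else "-"
                   for i, c in enumerate("rwx"))

def effective_perms(inode, user, groups):
    """Return (matched_step, perms); the first matching step decides."""
    if user == inode.owner:                            # step 1: owner bits
        return "owner", inode.owner_perms
    if user in inode.named_users:                      # step 2: named user
        return "named-user", inode.named_users[user]   # no fall-through to groups
    matches = [p for g, p in inode.named_groups.items() if g in groups]
    if inode.group in groups:
        matches.append(inode.group_perms)
    if matches:                                        # step 3: union of group entries
        return "group", _union(matches)
    return "other", inode.other_perms                  # step 4: other bits

def is_allowed(inode, user, groups, requested):
    """True if every requested bit (e.g. "rx") is granted."""
    _, perms = effective_perms(inode, user, groups)
    return all(bit in perms for bit in requested)

# Constructed sample mirroring the report: group:GroupA:rwx, user:UserA:---
# (owner "hdfs", group "supergroup" and the base bits are made-up values).
DIR = Inode(owner="hdfs", group="supergroup", owner_perms="rwx",
            group_perms="r-x", other_perms="---",
            named_users={"UserA": "---"}, named_groups={"GroupA": "rwx"})

if __name__ == "__main__":
    for user, groups in [("UserA", {"GroupA"}), ("UserB", {"GroupA"}),
                         ("hdfs", set()), ("UserC", {"GroupC"})]:
        print(user, effective_perms(DIR, user, groups))
```

A regression test for this class of bug asserts the denial for the named user and the grant for another member of the same group, so that neither an over-permissive nor an over-restrictive checker passes.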
