Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C98F617671 for ; Tue, 11 Nov 2014 21:34:36 +0000 (UTC) Received: (qmail 4105 invoked by uid 500); 11 Nov 2014 21:34:36 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 3920 invoked by uid 500); 11 Nov 2014 21:34:36 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 3827 invoked by uid 99); 11 Nov 2014 21:34:36 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Nov 2014 21:34:36 +0000 Date: Tue, 11 Nov 2014 21:34:36 +0000 (UTC) From: "Chris Nauroth (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HDFS-7389) Named user ACL cannot stop the user from accessing the FS entity. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-7389?page=3Dcom.atlassian= .jira.plugin.system.issuetabpanels:all-tabpanel ] Chris Nauroth updated HDFS-7389: -------------------------------- Resolution: Fixed Fix Version/s: 2.7.0 Status: Resolved (was: Patch Available) I have committed this to trunk and branch-2. Chunjun, thank you for report= ing the bug. Vinay, thank you for providing the patch. > Named user ACL cannot stop the user from accessing the FS entity. > ----------------------------------------------------------------- > > Key: HDFS-7389 > URL: https://issues.apache.org/jira/browse/HDFS-7389 > Project: Hadoop HDFS > Issue Type: Bug > Components: namenode > Affects Versions: 2.5.1 > Reporter: Chunjun Xiao > Assignee: Vinayakumar B > Fix For: 2.7.0 > > Attachments: HDFS-7389-001.patch, HDFS-7389-002.patch > > > In http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-fi= les-hadoop/: > {quote} > It=E2=80=99s important to keep in mind the order of evaluation for ACL en= tries when a user attempts to access a file system object: > 1. If the user is the file owner, then the owner permission bits are enfo= rced. > 2. Else if the user has a named user ACL entry, then those permissions ar= e enforced. > 3. Else if the user is a member of the file=E2=80=99s group or any named = group in an ACL entry, then the union of permissions for all matching entri= es are enforced. (The user may be a member of multiple groups.) > 4. If none of the above were applicable, then the other permission bits a= re enforced. > {quote} > Assume we have a user UserA from group GroupA, if we config a directory a= s following ACL entries: > group:GroupA:rwx > user:UserA:--- > According to the design spec above, userA should have no access permissio= n to the file object, while actually userA still has rwx access to the dir. -- This message was sent by Atlassian JIRA (v6.3.4#6332)