hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7454) Reduce memory footprint for AclEntries in NameNode
Date Fri, 05 Dec 2014 05:38:13 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235115#comment-14235115

Chris Nauroth commented on HDFS-7454:

[~vinayrpet], thank you for the patch.  [~wheat9], thank you for taking care of code review
and commit.  I see there was one specific question directed to me, and I apologize for not
being able to reply sooner.

I have one doubt here.. 
whether we really need to append all ACL entries along with permission bits in the exception
By seeing these AclEntries, caller could easily access by impersonating one of the user in
the entries? Right?

File system permissions and ACLs assume strong authentication is in place first.  In a cluster
using Kerberos, I don't expect seeing ACL entries alone would compromise our security.  The
user wouldn't be able to impersonate another user anyway, unless there was some other misconfiguration,
such as allowing the user access to private keytab files.

I'd suggest we either restore the old exception message or just append the '+' indicator if
an ACL is present, like the ls command.  This will let users know that they should consider
ACLs if they are dealing with an unexpected access denied.  We can do it in a follow-up jira.

Thanks again, Vinay!  I'm aiming to review HDFS-7456 tomorrow, and of course finishing out
HDFS-7384 too.

> Reduce memory footprint for AclEntries in NameNode
> --------------------------------------------------
>                 Key: HDFS-7454
>                 URL: https://issues.apache.org/jira/browse/HDFS-7454
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: namenode
>            Reporter: Vinayakumar B
>            Assignee: Vinayakumar B
>             Fix For: 2.7.0
>         Attachments: HDFS-7454-001.patch, HDFS-7454-002.patch, HDFS-7454-003.patch, HDFS-7454-004.patch
> HDFS-5620 indicated a GlobalAclSet containing unique {{AclFeature}} can be de-duplicated
to save the memory in NameNode. However it was not implemented at that time.
> This Jira re-proposes same implementation, along with de-duplication of unique {{AclEntry}}
across all ACLs.
> One simple usecase is:
> A mapreduce user's home directory with the set of default ACLs, under which lot of other
files/directories could be created when jobs is run. Here all the default ACLs of parent directory
will be duplicated till the explicit delete of those ACLs. With de-duplication,only one object
will be in memory for the same Entry across all ACLs of all files/directories.

This message was sent by Atlassian JIRA

View raw message