hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7476) Consolidate ACL-related operations to a single class
Date Sat, 06 Dec 2014 05:59:12 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14236625#comment-14236625

Chris Nauroth commented on HDFS-7476:

I think {{TestNameNodeAcl#testGetAclStatusRequiresTraverseOrSuper}} is a valid test case.
 We set up path /bruce/file, with every component in the path owned by bruce.  We start with
the standard default permissions: 755 on /bruce and 644 on /bruce/file.  Then, we set an ACL
entry on /bruce stating that user diana has read-only access (not execute, which is what traverse
requires).  Then, running as user diana, we try calling {{getAclStatus}} on /bruce/file. 
Since the named user ACL entry for diana gives only read access, we expect traversal through
/bruce to give access denied.

I found the source of the problem.  Prior to this patch, the {{checkTraverse}} was called
from {{FSNamesystem}} using all inodes in the path:

      INodesInPath iip = dir.getINodesInPath(src, true);
      if (isPermissionEnabled) {
        dir.checkPermission(pc, iip, false, null, null, null, null);

In the v3 patch, we are now calling {{checkTraverse}} using only the last resolved inode in
the path.

      INodesInPath iip = fsd.getLastINodeInPath(srcs, true);
      if (fsd.isPermissionEnabled()) {
        fsd.checkTraverse(pc, iip);

Because of this, we call {{checkTraverse}} with only {{\["file"\]}}, and there is nothing
in the permissions or ACL entries on that inode that would deny user diana.  I was able to
get the test passing again by using {{getINodesInPath}} for the {{checkTraverse}} call.  I
still needed to use {{getLastINodeInPath}} for the subsequent logic.  Otherwise, I'd get some
failures in {{TestAclWithSnapshot}}.  I'm not sure yet if there is a way to consolidate down
to a single call to just one of the {{FSDirectory}} methods that returns {{INodesInPath}}.

> Consolidate ACL-related operations to a single class
> ----------------------------------------------------
>                 Key: HDFS-7476
>                 URL: https://issues.apache.org/jira/browse/HDFS-7476
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>         Attachments: HDFS-7476.000.patch, HDFS-7476.001.patch, HDFS-7476.002.patch, HDFS-7476.003.patch
> This jira proposes to consolidate ACL-related operations scattered in {{FSNamesystem}}
and {{FSDirectory}} into a single class.

This message was sent by Atlassian JIRA

View raw message