Date: Thu, 8 Jan 2015 10:21:36 +0000 (UTC)
From: "Vinayakumar B (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-7582) Limit the number of default ACL entries to Half of maximum entries (16)

[ https://issues.apache.org/jira/browse/HDFS-7582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14269141#comment-14269141 ]

Vinayakumar B commented on HDFS-7582:
-------------------------------------

Hi [~cnauroth],

Thanks for checking. I have also verified again, but my results show different behaviour in this context. Also there is a chance that this could be distribution specific. I have verified in CentOS distribution.

In my test of POSIX ACLs, the limit of 25 was applied separately on ACCESS and DEFAULT entries, so totally there could be 50 entries.
So when the child directory is created, it also will have a max of 50 entries, 25 ACCESS and 25 DEFAULT. So there is no violation here.

But in HDFS ACLs, the limit is applied on the whole. This has to match the POSIX behaviour.

There are 2 possibilities to handle the current case.

1. Apply the EXISTING limit (32) separately on ACCESS and DEFAULT. This will increase the NN memory.
2. Restrict only DEFAULT entries to 16, and the whole to 32. This could have a backward compatibility issue if already existing default entries are more than 16; of course that's not correct, still it won't throw any error while creating the child and inheriting the ACLs.

Any thoughts?

FYR,
{noformat}
[vinay@server2 ~]$ getfacl testAcl/
# file: testAcl/
# owner: vinay
# group: vinay
user::rwx
user:root:rwx
user:bin:rwx
user:daemon:rwx
user:adm:rwx
user:lp:rwx
user:sync:rwx
user:shutdown:rwx
user:halt:rwx
user:mail:rwx
user:operator:rwx
user:games:rwx
user:ftp:rwx
user:ntp:rwx
user:avahi:rwx
user:dbus:rwx
user:nobody:rwx
user:usbmuxd:rwx
user:abrt:rwx
user:colord:rwx
user:unbound:rwx
user:polkitd:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:bin:rwx
default:user:daemon:rwx
default:user:adm:rwx
default:user:lp:rwx
default:user:sync:rwx
default:user:shutdown:rwx
default:user:halt:rwx
default:user:mail:rwx
default:user:operator:rwx
default:user:games:rwx
default:user:ftp:rwx
default:user:ntp:rwx
default:user:avahi:rwx
default:user:dbus:rwx
default:user:nobody:rwx
default:user:usbmuxd:rwx
default:user:abrt:rwx
default:user:colord:rwx
default:user:unbound:rwx
default:user:polkitd:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
{noformat}

> Limit the number of default ACL entries to Half of maximum entries (16)
> -----------------------------------------------------------------------
>
>                 Key: HDFS-7582
>                 URL: https://issues.apache.org/jira/browse/HDFS-7582
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: namenode
>            Reporter: Vinayakumar B
>            Assignee: Vinayakumar B
>         Attachments: HDFS-7582-001.patch
>
>
> Current ACL limits are only on the total number of entries.
> But there can be a situation where the number of default entries for a directory will be more than half of the maximum entries, i.e. > 16.
> In such a case, under this parent directory only files can be created which will have ACLs inherited using the parent's default entries.
> But when directories are created, the total number of entries will be more than the maximum allowed, because sub-directories copy both inherited ACLs as well as default entries.
> Since currently there is no check while copying ACLs from default ACLs, directory creation succeeds, but any modification (only permission on one entry also) on the same ACL will fail.
> So it would be better to restrict the default entries to 16.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
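
The entry counting described in the issue, as an added example that is not part of the original message and is not Hadoop code: a simplified Python model of how a new file and a new sub-directory inherit a parent's default entries, checked against the current total limit (32) and the two options proposed in the comment. The policy names, helper functions and sample parent ACL are constructed for illustration; only entry counts are modelled, not permission filtering.

```python
MAX_ENTRIES = 32          # total limit stated in the issue
MAX_DEFAULT_ENTRIES = 16  # proposed cap on default entries (option 2)


def split_scopes(acl_spec):
    """Split getfacl-style lines into (access, default) entry lists."""
    access, default = [], []
    for line in acl_spec.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (default if line.startswith("default:") else access).append(line)
    return access, default


def inherit(parent_acl, is_directory):
    """Child ACL: access entries from the parent's defaults; directories also copy the defaults."""
    _, parent_default = split_scopes(parent_acl)
    child = [e[len("default:"):] for e in parent_default]
    if is_directory:
        child += parent_default
    return "\n".join(child)


def violations(acl_spec, policy):
    """Return the limit violations for one ACL under the named (hypothetical) policy."""
    access, default = split_scopes(acl_spec)
    total = len(access) + len(default)
    found = []
    if policy == "per_scope":  # option 1: existing limit applied to each scope
        if len(access) > MAX_ENTRIES:
            found.append(f"{len(access)} access entries > {MAX_ENTRIES}")
        if len(default) > MAX_ENTRIES:
            found.append(f"{len(default)} default entries > {MAX_ENTRIES}")
        return found
    if total > MAX_ENTRIES:  # "total_only" (current) and "default_cap" keep the total limit
        found.append(f"{total} entries > {MAX_ENTRIES}")
    if policy == "default_cap" and len(default) > MAX_DEFAULT_ENTRIES:  # option 2
        found.append(f"{len(default)} default entries > {MAX_DEFAULT_ENTRIES}")
    return found


def constructed_parent(named_users):
    """Constructed sample: minimal access ACL plus a default ACL with named users."""
    base = ["user::rwx", "group::r-x", "other::r-x"]
    default = ["user::rwx"] + [f"user:u{i}:rwx" for i in range(named_users)]
    default += ["group::r-x", "mask::rwx", "other::r-x"]
    return "\n".join(base + ["default:" + e for e in default])
```

With 13 named users the parent holds 17 default entries and passes the total-only check, while the sub-directory it produces holds 34 entries and fails it; the `default_cap` policy rejects the parent itself before any child is created.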