Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F416317CF4 for ; Thu, 12 Feb 2015 06:29:12 +0000 (UTC) Received: (qmail 90168 invoked by uid 500); 12 Feb 2015 06:29:12 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 90066 invoked by uid 500); 12 Feb 2015 06:29:12 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 89816 invoked by uid 99); 12 Feb 2015 06:29:12 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Feb 2015 06:29:12 +0000 Date: Thu, 12 Feb 2015 06:29:12 +0000 (UTC) From: "Chris Nauroth (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HDFS-4685) Implementation of ACLs in HDFS MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-4685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14317691#comment-14317691 ] Chris Nauroth commented on HDFS-4685: ------------------------------------- Actually, there is one more implementation detail to consider. When a file does have an ACL, then the owning group permissions are stored in an ACL entry, not the group permission bits. Instead, the group permission bits are used to the store the ACL mask. The reason for this is that it provides a conservative solution to the problem of applications that change permissions but are unaware of ACLs, most notably {{chmod}}. Running something like a {{chmod g-r}} actually removes read permissions from the mask entry (unbeknownst to {{chmod}}). This way, the modification is performed for the entire "group class", which is the unnamed group entry, all named group entries, and all named user entries. For a more detailed rationale of this behavior, see the POSIX ACL documentation that I referenced a lot from the HDFS ACLs design document: http://users.suse.com/~agruen/acl/linux-acls/online/ The HDFS code that implements this is in the {{AclStorage}} class. > Implementation of ACLs in HDFS > ------------------------------ > > Key: HDFS-4685 > URL: https://issues.apache.org/jira/browse/HDFS-4685 > Project: Hadoop HDFS > Issue Type: New Feature > Components: hdfs-client, namenode, security > Affects Versions: 1.1.2 > Reporter: Sachin Jose > Assignee: Chris Nauroth > Fix For: 2.4.0 > > Attachments: HDFS-4685-branch-2.1.patch, HDFS-4685.1.patch, HDFS-4685.2.patch, HDFS-4685.3.patch, HDFS-4685.4.patch, HDFS-ACLs-Design-1.pdf, HDFS-ACLs-Design-2.pdf, HDFS-ACLs-Design-3.pdf, Test-Plan-for-Extended-Acls-1.pdf, Test-Plan-for-Extended-Acls-2.pdf > > > Currenly hdfs doesn't support Extended file ACL. In unix extended ACL can be achieved using getfacl and setfacl utilities. Is there anybody working on this feature ? -- This message was sent by Atlassian JIRA (v6.3.4#6332)