Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1A95317A45 for ; Fri, 8 May 2015 19:08:04 +0000 (UTC) Received: (qmail 58340 invoked by uid 500); 8 May 2015 19:08:03 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 58296 invoked by uid 500); 8 May 2015 19:08:03 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 58214 invoked by uid 99); 8 May 2015 19:08:03 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 May 2015 19:08:03 +0000 Date: Fri, 8 May 2015 19:08:03 +0000 (UTC) From: "Chris Nauroth (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HDFS-7582) Limit the number of default ACL entries to Half of maximum entries (16) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-7582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Chris Nauroth updated HDFS-7582: -------------------------------- Target Version/s: 3.0.0 (was: 2.8.0) Labels: (was: BB2015-05-TBR) Hi [~vinayrpet]. Sorry for the long delay replying to this. If we were to make any change that would restrict the number of ACL entries to a smaller number than what we allow now, then it would be a backwards-incompatible change. It's possible that existing deployments are already dependent on being able to create an ACL that uses the current limit. Therefore, I would have to -1 any such change made on the 2.x line. Do you still want to consider changing this for 3.x? We'd have the flexibility to make a backwards-incompatible change there. If we did that, then I'd still want to make sure that we can load an existing fsimage/edits that took advantage of today's limits. I'd want us to have a JUnit test to verify that, so that people upgrading from 2.x to 3.x won't fail to load the metadata or silently lose some of their ACL entries. bq. In My test of POSIX ACLs, the limit of 25 were separately applied on ACCESS and DEFAULT entries, so totally there could be 50 entries. I'd have to retest, but I think this is different from the behavior I observed. It would be great if we could find a definitive source that defines the limit, but I haven't found it yet. > Limit the number of default ACL entries to Half of maximum entries (16) > ----------------------------------------------------------------------- > > Key: HDFS-7582 > URL: https://issues.apache.org/jira/browse/HDFS-7582 > Project: Hadoop HDFS > Issue Type: Bug > Components: namenode > Reporter: Vinayakumar B > Assignee: Vinayakumar B > Attachments: HDFS-7582-001.patch > > > Current ACL limits are only on the total number of entries. > But there can be a situation where number of default entries for a directory will be more than half of the maximum entries, i.e. > 16. > In such case, under this parent directory only files can be created which will have ACLs inherited using parent's default entries. > But when directories are created, total number of entries will be more than the maximum allowed, because sub-directories copies both inherited ACLs as well as default entries. > Since currently there is no check while copying ACLs from default ACLs directory creation succeeds, but any modification (only permission on one entry also) on the same ACL will fail. > So it would be better to restrict the default entries to 16. -- This message was sent by Atlassian JIRA (v6.3.4#6332)