hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6962) ACLs inheritance conflict with umaskmode
Date Tue, 19 Jul 2016 00:03:20 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15383330#comment-15383330
] 

Chris Nauroth commented on HDFS-6962:
-------------------------------------

bq. One additional question before responding to your comments. I added getMasked and getUnmasked
with default implementations to FsPermission which is public and stable. Is that ok? The alternative
to this approach is to use instanceof to detect FsCreateModes object with an FsPermission
reference.

Adding new methods to a public/stable class is acceptable according to [Apache Hadoop Compatibility|http://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/Compatibility.html]
guidelines.  We took a similar approach when adding the ACL bit.  We added {{FsPermission#getAclBit}}
with a default implementation.  The HDFS-specific {{FsPermissionExtension}} subclass overrides
that method.

bq. I think it is ok. Will it affect our plan to backport the fix to CDH branches based on
2.6.0?

I can't comment definitively on CDH concerns, but I expect that any distro could make the
choice to apply the patch to prior maintenance lines if they come to a different risk assessment
decision.  The ACL code changes infrequently at this point, so I expect it would be trivial
to backport, with low likelihood of complex merge conflicts.

> ACLs inheritance conflict with umaskmode
> ----------------------------------------
>
>                 Key: HDFS-6962
>                 URL: https://issues.apache.org/jira/browse/HDFS-6962
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>         Environment: CentOS release 6.5 (Final)
>            Reporter: LINTE
>            Assignee: John Zhuge
>            Priority: Critical
>              Labels: hadoop, security
>         Attachments: HDFS-6962.001.patch, HDFS-6962.002.patch, HDFS-6962.003.patch, HDFS-6962.004.patch,
HDFS-6962.005.patch, HDFS-6962.006.patch, HDFS-6962.1.patch, disabled_new_client.log, disabled_old_client.log,
enabled_new_client.log, enabled_old_client.log, run
>
>
> In hdfs-site.xml 
> <property>
>     <name>dfs.umaskmode</name>
>     <value>027</value>
> </property>
> 1/ Create a directory as superuser
> bash# hdfs dfs -mkdir  /tmp/ACLS
> 2/ set default ACLs on this directory rwx access for group readwrite and user toto
> bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
> bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
> 3/ check ACLs /tmp/ACLS/
> bash# hdfs dfs -getfacl /tmp/ACLS/
> # file: /tmp/ACLS
> # owner: hdfs
> # group: hadoop
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> user::rwx | group::r-x | other::--- matches with the umaskmode defined in hdfs-site.xml,
everything ok !
> default:group:readwrite:rwx allow readwrite group with rwx access for inhéritance.
> default:user:toto:rwx allow toto user with rwx access for inhéritance.
> default:mask::rwx inhéritance mask is rwx, so no mask
> 4/ Create a subdir to test inheritance of ACL
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs
> 5/ check ACLs /tmp/ACLS/hdfs
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
> # file: /tmp/ACLS/hdfs
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:r-x
> group::r-x
> group:readwrite:rwx     #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> Here we can see that the readwrite group has rwx ACL bu only r-x is effective because
the mask is r-x (mask::r-x) in spite of default mask for inheritance is set to default:mask::rwx
on /tmp/ACLS/
> 6/ Modifiy hdfs-site.xml et restart namenode
> <property>
>     <name>dfs.umaskmode</name>
>     <value>010</value>
> </property>
> 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs2
> 8/ Check ACL on /tmp/ACLS/hdfs2
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
> # file: /tmp/ACLS/hdfs2
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:rw-
> group::r-x      #effective:r--
> group:readwrite:rwx     #effective:rw-
> mask::rw-
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> So HDFS masks the ACL value (user, group and other  -- exepted the POSIX owner -- ) with
the group mask of dfs.umaskmode properties when creating directory with inherited ACL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message