hadoop-hdfs-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6962) ACL inheritance conflicts with umaskmode
Date Mon, 17 Apr 2017 18:35:42 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971465#comment-15971465 ]

Chris Nauroth commented on HDFS-6962:
-------------------------------------

Yes, agreed with John.

That might then lead to the question of why this wasn't included in branch-2.  I have an earlier
comment where I stated that the compatibility story looks good, but I thought it was a risky
change close to the 2.8.0 cutoff:

{quote}
I think what you are proposing for configurability and extending the protocol messages makes
sense as a way to provide deployments with a choice of which behavior to use. However, I'm
reluctant to push it into 2.8.0 now due to the complexity of the changes required to support
it. Considering something like a cross-cluster DistCp, with a mix of old and new versions
in play, it could become very confusing to explain the end results to users. Unless you consider
it urgent for 2.8.0, would you consider targeting it to the 3.x line, as I had done a while
ago?
{quote}

If users are asking for this change in the 2.x line, I think we could probably make it happen.
 At this point, it would have to be tracked in a separate JIRA with a separate release note
targeted to a 2.x release.

However, if there isn't user demand for shipping the change in 2.x, then it's still probably
safer to leave it in 3.x only.

> ACL inheritance conflicts with umaskmode
> ----------------------------------------
>
>                 Key: HDFS-6962
>                 URL: https://issues.apache.org/jira/browse/HDFS-6962
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>         Environment: CentOS release 6.5 (Final)
>            Reporter: LINTE
>            Assignee: John Zhuge
>            Priority: Critical
>              Labels: hadoop, security
>             Fix For: 3.0.0-alpha2
>
>         Attachments: disabled_new_client.log, disabled_old_client.log, enabled_new_client.log,
> enabled_old_client.log, HDFS-6962.001.patch, HDFS-6962.002.patch, HDFS-6962.003.patch, HDFS-6962.004.patch,
> HDFS-6962.005.patch, HDFS-6962.006.patch, HDFS-6962.007.patch, HDFS-6962.008.patch, HDFS-6962.009.patch,
> HDFS-6962.010.patch, HDFS-6962.1.patch, run_compat_tests, run_unit_tests, test_plan.md
>
>
> In hdfs-site.xml 
> <property>
>     <name>dfs.umaskmode</name>
>     <value>027</value>
> </property>
> 1/ Create a directory as superuser
> bash# hdfs dfs -mkdir  /tmp/ACLS
> 2/ set default ACLs on this directory rwx access for group readwrite and user toto
> bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
> bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
> 3/ check ACLs /tmp/ACLS/
> bash# hdfs dfs -getfacl /tmp/ACLS/
> # file: /tmp/ACLS
> # owner: hdfs
> # group: hadoop
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> user::rwx | group::r-x | other::--- matches with the umaskmode defined in hdfs-site.xml,
> everything ok!
> default:group:readwrite:rwx allows readwrite group with rwx access for inheritance.
> default:user:toto:rwx allows toto user with rwx access for inheritance.
> default:mask::rwx inheritance mask is rwx, so no mask
> 4/ Create a subdir to test inheritance of ACL
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs
> 5/ check ACLs /tmp/ACLS/hdfs
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
> # file: /tmp/ACLS/hdfs
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:r-x
> group::r-x
> group:readwrite:rwx     #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> Here we can see that the readwrite group has rwx ACL but only r-x is effective because
> the mask is r-x (mask::r-x) even though the default mask for inheritance is set to default:mask::rwx
> on /tmp/ACLS/
> 6/ Modify hdfs-site.xml and restart namenode
> <property>
>     <name>dfs.umaskmode</name>
>     <value>010</value>
> </property>
> 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs2
> 8/ Check ACL on /tmp/ACLS/hdfs2
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
> # file: /tmp/ACLS/hdfs2
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:rw-
> group::r-x      #effective:r--
> group:readwrite:rwx     #effective:rw-
> mask::rw-
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> So HDFS masks the ACL value (user, group and other -- except the POSIX owner --) with
> the group mask of the dfs.umaskmode property when creating a directory with inherited ACL.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
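
The mask arithmetic behind the two `getfacl` outputs in the quoted report, as an added example that is not part of the original message and is not Hadoop source code. It is a model only: the function and variable names are hypothetical, and it assumes `mkdir` requests mode 777 so that only the umask and the parent's default ACL decide the child's mask.

```python
# Model of the behaviour reported in HDFS-6962 (illustrative, not Hadoop code).
# Assumption: the client requests mode 777, so only dfs.umaskmode and the
# parent's default ACL influence the new directory's mask entry.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def to_bits(perm):
    """Convert an 'rwx'-style string to its 3-bit value."""
    return sum(bit for ch, (_, bit) in zip(perm, PERM_BITS) if ch != "-")


def to_rwx(bits):
    """Convert a 3-bit value back to an 'rwx'-style string."""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)


def child_acl(default_acl, umask, posix_inheritance):
    """Return (mask, effective permissions) for a directory created under a
    parent carrying default_acl.

    posix_inheritance=False reproduces the report: the group bits of the
    umask are cleared from the inherited default mask.
    posix_inheritance=True applies the POSIX ACL rule: the umask is ignored
    when the parent directory has a default ACL.
    """
    mask = to_bits(default_acl["mask"])
    if not posix_inheritance:
        group_umask = (umask >> 3) & 0o7
        mask &= ~group_umask & 0o7
    # Only named users, the owning group and named groups are limited by the
    # mask; the owner (user::) and other:: entries are left out of this model.
    effective = {name: to_rwx(to_bits(perm) & mask)
                 for name, perm in default_acl.items() if name != "mask"}
    return to_rwx(mask), effective


# Default ACL of /tmp/ACLS as shown in step 3 of the report.
REPORT_DEFAULT_ACL = {"user:toto": "rwx", "group::": "r-x",
                      "group:readwrite": "rwx", "mask": "rwx"}

if __name__ == "__main__":
    for umask in (0o027, 0o010):
        for posix in (False, True):
            print(oct(umask), "posix" if posix else "reported",
                  child_acl(REPORT_DEFAULT_ACL, umask, posix))
```

With umask 027 the reported-behaviour branch yields `mask::r-x`, and with umask 010 it yields `mask::rw-`, matching steps 5 and 8; the POSIX branch keeps `mask::rwx` in both cases.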
