hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Zhuge (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-6962) ACL inheritance conflicts with umaskmode
Date Fri, 09 Jun 2017 15:35:19 GMT

     [ https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

John Zhuge updated HDFS-6962:
-----------------------------
    Release Note: 
<!-- markdown -->
The original implementation of HDFS ACLs applied the client's umask to the permissions when
inheriting a default ACL defined on a parent directory.  This behavior is a deviation from
the POSIX ACL
specification, which states that the umask has no influence when a default ACL propagates
from parent
to child.  HDFS now offers the capability to ignore the umask in this case for improved compliance
with
POSIX.  This change is considered backward-incompatible, so the new behavior is off by default
and
must be explicitly configured by setting dfs.namenode.posix.acl.inheritance.enabled to true
in
hdfs-site.xml.  Please see the HDFS Permissions Guide for further details.

  was:The original implementation of HDFS ACLs applied the client's umask to the permissions
when inheriting a default ACL defined on a parent directory.  This behavior is a deviation
from the POSIX ACL specification, which states that the umask has no influence when a default
ACL propagates from parent to child.  HDFS now offers the capability to ignore the umask in
this case for improved compliance with POSIX.  This change is considered backward-incompatible,
so the new behavior is off by default and must be explicitly configured by setting dfs.namenode.posix.acl.inheritance.enabled
to true in hdfs-site.xml.  Please see the HDFS Permissions Guide for further details.


> ACL inheritance conflicts with umaskmode
> ----------------------------------------
>
>                 Key: HDFS-6962
>                 URL: https://issues.apache.org/jira/browse/HDFS-6962
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>         Environment: CentOS release 6.5 (Final)
>            Reporter: LINTE
>            Assignee: John Zhuge
>            Priority: Critical
>              Labels: hadoop, security
>             Fix For: 3.0.0-alpha2
>
>         Attachments: disabled_new_client.log, disabled_old_client.log, enabled_new_client.log,
enabled_old_client.log, HDFS-6962.001.patch, HDFS-6962.002.patch, HDFS-6962.003.patch, HDFS-6962.004.patch,
HDFS-6962.005.patch, HDFS-6962.006.patch, HDFS-6962.007.patch, HDFS-6962.008.patch, HDFS-6962.009.patch,
HDFS-6962.010.patch, HDFS-6962.1.patch, run_compat_tests, run_unit_tests, test_plan.md
>
>
> In hdfs-site.xml 
> <property>
>     <name>dfs.umaskmode</name>
>     <value>027</value>
> </property>
> 1/ Create a directory as superuser
> bash# hdfs dfs -mkdir  /tmp/ACLS
> 2/ set default ACLs on this directory rwx access for group readwrite and user toto
> bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
> bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
> 3/ check ACLs /tmp/ACLS/
> bash# hdfs dfs -getfacl /tmp/ACLS/
> # file: /tmp/ACLS
> # owner: hdfs
> # group: hadoop
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> user::rwx | group::r-x | other::--- matches with the umaskmode defined in hdfs-site.xml,
everything ok !
> default:group:readwrite:rwx allow readwrite group with rwx access for inhéritance.
> default:user:toto:rwx allow toto user with rwx access for inhéritance.
> default:mask::rwx inhéritance mask is rwx, so no mask
> 4/ Create a subdir to test inheritance of ACL
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs
> 5/ check ACLs /tmp/ACLS/hdfs
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
> # file: /tmp/ACLS/hdfs
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:r-x
> group::r-x
> group:readwrite:rwx     #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> Here we can see that the readwrite group has rwx ACL bu only r-x is effective because
the mask is r-x (mask::r-x) in spite of default mask for inheritance is set to default:mask::rwx
on /tmp/ACLS/
> 6/ Modifiy hdfs-site.xml et restart namenode
> <property>
>     <name>dfs.umaskmode</name>
>     <value>010</value>
> </property>
> 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
> bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs2
> 8/ Check ACL on /tmp/ACLS/hdfs2
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
> # file: /tmp/ACLS/hdfs2
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx   #effective:rw-
> group::r-x      #effective:r--
> group:readwrite:rwx     #effective:rw-
> mask::rw-
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> So HDFS masks the ACL value (user, group and other  -- exepted the POSIX owner -- ) with
the group mask of dfs.umaskmode properties when creating directory with inherited ACL.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message