hadoop-hdfs-issues mailing list archives

From "Lokesh Jain (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-13038) User with no permission on file is able to run getfacl for that file
Date Fri, 19 Jan 2018 18:28:01 GMT

     [ https://issues.apache.org/jira/browse/HDFS-13038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lokesh Jain updated HDFS-13038:
-------------------------------
    Attachment: HDFS-13038.001.patch

> User with no permission on file is able to run getfacl for that file
> --------------------------------------------------------------------
>
>                 Key: HDFS-13038
>                 URL: https://issues.apache.org/jira/browse/HDFS-13038
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Lokesh Jain
>            Assignee: Lokesh Jain
>            Priority: Major
>         Attachments: HDFS-13038.001.patch
>
>
> Currently any user with EXECUTE permission can run getfacl on a file or directory. This Jira adds a check for READ access of user on the inode path.
> {code:java}
> [root@host ~]$ hdfs dfs -copyFromLocal /etc/a.txt /tmp
> [root@host ~]$ hdfs dfs -setfacl -m user:abc:--- /tmp/a.txt
> {code}
> Since user abc does not have read permission on the file, the 'cat' command throws a Permission Denied error, but getfacl executes normally.
> {code:java}
> [abc@host ~]$ hdfs dfs -cat /tmp/a.txt
> cat: Permission denied: user=abc, access=READ, inode="/tmp/a.txt":abc:hdfs:-rw-r--r--
>
> [abc@host ~]$ hdfs dfs -getfacl /tmp/a.txt 
> # file: /tmp/a.txt 
> # owner:root 
> # group: hdfs 
> user::rw- 
> user:abc:--- 
> group::r-- 
> mask::r-- 
> other::r--
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org
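
The behaviour reported above, as an added example that is not part of the original message or of the attached patch: a simplified model that parses the quoted getfacl output, evaluates READ for a user in POSIX ACL order, and compares a getfacl gate with and without the READ check. The function names and the `require_read` switch are hypothetical, path traversal is assumed to have succeeded already, and the HDFS superuser bypass is not modelled.

```python
# Constructed sample: the getfacl output quoted in the report.
GETFACL = """\
# file: /tmp/a.txt
# owner:root
# group: hdfs
user::rw-
user:abc:---
group::r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (type, name) -> set of bits."""
    meta, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("default:"):  # default ACLs are not evaluated
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        else:
            kind, name, perms = line.split(":")
            entries[(kind, name)] = set(perms.replace("-", ""))
    return meta["owner"], meta["group"], entries

def allowed(user, groups, want, owner, group, entries):
    """Evaluate one access bit ('r', 'w' or 'x') in POSIX ACL order."""
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:                      # owner entry, never masked
        return want in entries[("user", "")]
    if ("user", user) in entries:          # named user entry, filtered by mask
        return want in (entries[("user", user)] & mask)
    matched = False
    for (kind, name), perms in entries.items():
        if kind == "group" and (name or group) in groups:
            matched = True                 # owning group or named group applies
            if want in (perms & mask):
                return True
    if matched:                            # a group matched but none granted
        return False
    return want in entries[("other", "")]

def may_getfacl(user, groups, acl_text, require_read):
    """Hypothetical gate: require_read=True adds the READ check the report proposes."""
    owner, group, entries = parse_getfacl(acl_text)
    return (not require_read) or allowed(user, groups, "r", owner, group, entries)
```

The named entry `user:abc:---` takes precedence over `other::r--`, which is why abc is denied READ even though unrelated users are not.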

