Posted to hdfs-dev@hadoop.apache.org by "LINTE (JIRA)" <ji...@apache.org> on 2014/08/28 18:32:08 UTC

[jira] [Created] (HDFS-6962) ACLs inheritance conflict with umaskmode

LINTE created HDFS-6962:
---------------------------

             Summary: ACLs inheritance conflict with umaskmode
                 Key: HDFS-6962
                 URL: https://issues.apache.org/jira/browse/HDFS-6962
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions: 2.4.1
         Environment: CentOS release 6.5 (Final)
            Reporter: LINTE


In hdfs-site.xml 
<property>
    <name>dfs.umaskmode</name>
    <value>027</value>
</property>

1/ Create a directory as superuser
bash# hdfs dfs -mkdir  /tmp/ACLS

2/ Set default ACLs on this directory: rwx access for group readwrite and user toto
bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS

3/ check ACLs /tmp/ACLS/
bash# hdfs dfs -getfacl /tmp/ACLS/
# file: /tmp/ACLS
# owner: hdfs
# group: hadoop
user::rwx
group::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

user::rwx | group::r-x | other::--- matches the umaskmode defined in hdfs-site.xml, everything OK!

default:group:readwrite:rwx allows the readwrite group rwx access for inheritance.
default:user:toto:rwx allows the toto user rwx access for inheritance.

default:mask::rwx: the inheritance mask is rwx, so no mask

4/ Create a subdir to test inheritance of ACL
bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs

5/ check ACLs /tmp/ACLS/hdfs
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
# file: /tmp/ACLS/hdfs
# owner: hdfs
# group: hadoop
user::rwx
user:toto:rwx   #effective:r-x
group::r-x
group:readwrite:rwx     #effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

Here we can see that the readwrite group has the rwx ACL but only r-x is effective because the mask is r-x (mask::r-x), even though the default mask for inheritance is set to default:mask::rwx on /tmp/ACLS/

6/ Modify hdfs-site.xml and restart the namenode
<property>
    <name>dfs.umaskmode</name>
    <value>010</value>
</property>

7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
bash# hdfs dfs -mkdir  /tmp/ACLS/hdfs2

8/ Check ACL on /tmp/ACLS/hdfs2
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
# file: /tmp/ACLS/hdfs2
# owner: hdfs
# group: hadoop
user::rwx
user:toto:rwx   #effective:rw-
group::r-x      #effective:r--
group:readwrite:rwx     #effective:rw-
mask::rw-
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

So HDFS masks the ACL values (user, group and other, except the POSIX owner) with the group mask of the dfs.umaskmode property when creating a directory with inherited ACLs.






--
This message was sent by Atlassian JIRA
(v6.2#6252)
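
The two getfacl results in the report can be reproduced with a small model: the new directory's mask is the parent's default mask with the group bits of dfs.umaskmode cleared, and each named user, named group and group:: entry is filtered through that mask. This is an added example, not code from the report or from HDFS; the function names are hypothetical and the rule is inferred only from the outputs shown above.

```python
# Default ACL of /tmp/ACLS, copied from the getfacl output in the report.
DEFAULT_ACL = {
    "user::": "rwx",
    "user:toto:": "rwx",
    "group::": "r-x",
    "group:readwrite:": "rwx",
    "mask::": "rwx",
    "other::": "---",
}

def to_bits(perm):
    """Convert a permission string such as 'r-x' to its 3-bit value (5)."""
    return sum(4 >> i for i, c in enumerate(perm) if c != "-")

def to_str(bits):
    """Convert a 3-bit value back to its 'rwx' string form."""
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate("rwx"))

def inherit(default_acl, umask):
    """Model the access ACL of a new subdirectory under the reported behaviour.

    Returns {entry: (permission, effective)}; effective is None when the
    mask does not reduce the entry. Assumption: rule inferred from the report.
    """
    group_umask = (umask >> 3) & 7
    mask = to_bits(default_acl["mask::"]) & ~group_umask & 7
    result = {}
    for entry, perm in default_acl.items():
        if entry in ("user::", "other::"):
            result[entry] = (perm, None)  # unchanged in both outputs of the report
        elif entry == "mask::":
            result[entry] = (to_str(mask), None)
        else:  # named users, group:: and named groups are filtered by the mask
            eff = to_bits(perm) & mask
            result[entry] = (perm, to_str(eff) if eff != to_bits(perm) else None)
    return result

def show(acl):
    """Render the modelled ACL in getfacl style."""
    return "\n".join(
        f"{entry}{perm}" + (f"\t#effective:{eff}" if eff else "")
        for entry, (perm, eff) in acl.items()
    )

if __name__ == "__main__":
    for umask in (0o027, 0o010):
        print(f"# dfs.umaskmode = {umask:03o}")
        print(show(inherit(DEFAULT_ACL, umask)))
```

Comparing this output with a real `hdfs dfs -getfacl` result after creating a directory shows whether a cluster is applying the umask to inherited ACLs.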