[jira] [Created] (HDFS-14359) Inherited ACL permissions masked when parent directory does not exist (mkdir -p)

[Stephen O'Donnell (JIRA)]

Stephen O'Donnell created HDFS-14359:
----------------------------------------

             Summary: Inherited ACL permissions masked when parent directory 
does not exist (mkdir -p)
                 Key: HDFS-14359
                 URL: https://issues.apache.org/jira/browse/HDFS-14359
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 3.3.0
            Reporter: Stephen O'Donnell
            Assignee: Stephen O'Donnell


There appears to be an issue with ACL inheritance if you 'mkdir' a directory 
such that the parent directories need to be created (ie mkdir -p).

If you have a folder /tmp2/testacls as:

{code}
hadoop fs -mkdir /tmp2
hadoop fs -mkdir /tmp2/testacls
hadoop fs -setfacl -m default:user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m default:user:flume:rwx /tmp2/testacls
hadoop fs -setfacl -m user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m user:flume:rwx /tmp2/testacls

hadoop fs -getfacl -R /tmp2/testacls
# file: /tmp2/testacls
# owner: kafka
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}

Then create a sub-directory in it, the ACLs are as expected:

{code}
hadoop fs -mkdir /tmp2/testacls/dir_from_mkdir

# file: /tmp2/testacls/dir_from_mkdir
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}

However if you mkdir -p a directory, the situation is not the same:

{code}
hadoop fs -mkdir -p /tmp2/testacls/dir_with_subdirs/sub1/sub2

# file: /tmp2/testacls/dir_with_subdirs
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx  #effective:r-x
user:hive:rwx   #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /tmp2/testacls/dir_with_subdirs/sub1
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx  #effective:r-x
user:hive:rwx   #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}

Notice the the leaf folder "sub2" is correct, but the two ancestor folders have 
their permissions masked. I believe this is a regression from the fix for 
HDFS-6962 with dfs.namenode.posix.acl.inheritance.enabled set to true, as the 
code has changed significantly from the earlier 2.6 / 2.8 branch.

I will submit a patch for this.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org