[jira] [Commented] (HDFS-7389) Named user ACL cannot stop the user from accessing the FS entity.

Wed, 12 Nov 2014 03:53:32 -0800 

    [ 
https://issues.apache.org/jira/browse/HDFS-7389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207959#comment-14207959
 ] 

Hudson commented on HDFS-7389:
------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #741 (See 
[https://builds.apache.org/job/Hadoop-Yarn-trunk/741/])
HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. 
Contributed by Vinayakumar B. (cnauroth: rev 
163bb55067bde71246b4030a08256ba9a8182dc8)
* hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
* 
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
* 
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java


> Named user ACL cannot stop the user from accessing the FS entity.
> -----------------------------------------------------------------
>
>                 Key: HDFS-7389
>                 URL: https://issues.apache.org/jira/browse/HDFS-7389
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: namenode
>    Affects Versions: 2.5.1
>            Reporter: Chunjun Xiao
>            Assignee: Vinayakumar B
>             Fix For: 2.7.0
>
>         Attachments: HDFS-7389-001.patch, HDFS-7389-002.patch
>
>
> In 
> http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/:
> {quote}
> It’s important to keep in mind the order of evaluation for ACL entries when a 
> user attempts to access a file system object:
> 1. If the user is the file owner, then the owner permission bits are enforced.
> 2. Else if the user has a named user ACL entry, then those permissions are 
> enforced.
> 3. Else if the user is a member of the file’s group or any named group in an 
> ACL entry, then the union of permissions for all matching entries are 
> enforced.  (The user may be a member of multiple groups.)
> 4. If none of the above were applicable, then the other permission bits are 
> enforced.
> {quote}
> Assume we have a user UserA from group GroupA, if we config a directory as 
> following ACL entries:
> group:GroupA:rwx
> user:UserA:---
> According to the design spec above, userA should have no access permission to 
> the file object, while actually userA still has rwx access to the dir.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to