[ https://issues.apache.org/jira/browse/HDFS-7476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14236625#comment-14236625 ]
Chris Nauroth commented on HDFS-7476:
-------------------------------------
I think {{TestNameNodeAcl#testGetAclStatusRequiresTraverseOrSuper}} is a valid
test case. We set up path /bruce/file, with every component in the path owned
by bruce. We start with the standard default permissions: 755 on /bruce and
644 on /bruce/file. Then, we set an ACL entry on /bruce stating that user
diana has read-only access (not execute, which is what traverse requires).
Then, running as user diana, we try calling {{getAclStatus}} on /bruce/file.
Since the named user ACL entry for diana gives only read access, we expect
traversal through /bruce to give access denied.

I found the source of the problem. Prior to this patch, {{checkTraverse}}
was called from {{FSNamesystem}} using all inodes in the path:
{code}
// Resolves every inode along the path.
INodesInPath iip = dir.getINodesInPath(src, true);
if (isPermissionEnabled) {
  dir.checkPermission(pc, iip, false, null, null, null, null);
}
{code}
In the v3 patch, we are now calling {{checkTraverse}} using only the last
resolved inode in the path.
{code}
// Resolves only the last inode in the path.
INodesInPath iip = fsd.getLastINodeInPath(srcs, true);
if (fsd.isPermissionEnabled()) {
  fsd.checkTraverse(pc, iip);
}
{code}
Because of this, we call {{checkTraverse}} with only {{\["file"\]}}, and there
is nothing in the permissions or ACL entries on that inode that would deny user
diana. I was able to get the test passing again by using {{getINodesInPath}}
for the {{checkTraverse}} call. I still needed to use {{getLastINodeInPath}}
for the subsequent logic. Otherwise, I'd get some failures in
{{TestAclWithSnapshot}}. I'm not sure yet if there is a way to consolidate
down to a single call to just one of the {{FSDirectory}} methods that returns
{{INodesInPath}}.
> Consolidate ACL-related operations to a single class
> ----------------------------------------------------
>
> Key: HDFS-7476
> URL: https://issues.apache.org/jira/browse/HDFS-7476
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Reporter: Haohui Mai
> Assignee: Haohui Mai
> Attachments: HDFS-7476.000.patch, HDFS-7476.001.patch,
> HDFS-7476.002.patch, HDFS-7476.003.patch
>
>
> This jira proposes to consolidate ACL-related operations scattered in
> {{FSNamesystem}} and {{FSDirectory}} into a single class.
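Added example, not part of the original comment and not HDFS code: a simplified Python model of the /bruce/file scenario, showing why a traverse check given only the last inode cannot see the named-user ACL entry on /bruce. The `Inode` class, the helper names, the root owner `hdfs`, the mask value and the omission of group membership are assumptions made for illustration.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits

@dataclass
class Inode:
    name: str
    owner: str
    mode: int                                        # e.g. 0o755
    named_users: dict = field(default_factory=dict)  # ACL: user -> rwx bits
    mask: int = R | W | X                            # ACL mask entry

def effective_perms(inode, user):
    """Owner bits, else named-user ACL entry (masked), else other bits.
    Group membership is left out of this model."""
    if user == inode.owner:
        return (inode.mode >> 6) & 7
    if user in inode.named_users:
        return inode.named_users[user] & inode.mask
    return inode.mode & 7

def first_traverse_denial(user, inodes):
    """Name of the first ancestor lacking execute for `user`, or None.
    Every component before the final one must grant X."""
    for inode in inodes[:-1]:
        if not effective_perms(inode, user) & X:
            return inode.name
    return None

# Constructed layout from the comment: /bruce (755) and /bruce/file (644),
# both owned by bruce, plus a read-only named-user entry for diana on /bruce.
root = Inode("/", "hdfs", 0o755)   # root owner is an assumption
bruce = Inode("bruce", "bruce", 0o755, named_users={"diana": R}, mask=R | X)
file_ = Inode("file", "bruce", 0o644)

full_path = [root, bruce, file_]   # all inodes in the path
last_only = [file_]                # only the last resolved inode

if __name__ == "__main__":
    for label, inodes in (("full path", full_path), ("last inode only", last_only)):
        denied = first_traverse_denial("diana", inodes)
        print(f"{label}: {'denied at ' + denied if denied else 'traverse allowed'}")
```

A user with no ACL entry falls through to the "other" bits of 755 and can traverse /bruce, so in this model the denial for diana comes only from the named-user entry on the parent directory.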