[
https://issues.apache.org/jira/browse/HDFS-4685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14317691#comment-14317691
]
Chris Nauroth commented on HDFS-4685:
-------------------------------------
Actually, there is one more implementation detail to consider. When a file
does have an ACL, then the owning group permissions are stored in an ACL entry,
not the group permission bits. Instead, the group permission bits are used to
store the ACL mask. The reason for this is that it provides a conservative
solution to the problem of applications that change permissions but are unaware
of ACLs, most notably {{chmod}}. Running something like a {{chmod g-r}}
actually removes read permissions from the mask entry (unbeknownst to
{{chmod}}). This way, the modification is performed for the entire "group
class", which is the unnamed group entry, all named group entries, and all
named user entries.

For a more detailed rationale of this behavior, see the POSIX ACL documentation
that I referenced a lot from the HDFS ACLs design document:
http://users.suse.com/~agruen/acl/linux-acls/online/

The HDFS code that implements this is in the {{AclStorage}} class.
> Implementation of ACLs in HDFS
> ------------------------------
>
> Key: HDFS-4685
> URL: https://issues.apache.org/jira/browse/HDFS-4685
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: hdfs-client, namenode, security
> Affects Versions: 1.1.2
> Reporter: Sachin Jose
> Assignee: Chris Nauroth
> Fix For: 2.4.0
>
> Attachments: HDFS-4685-branch-2.1.patch, HDFS-4685.1.patch,
> HDFS-4685.2.patch, HDFS-4685.3.patch, HDFS-4685.4.patch,
> HDFS-ACLs-Design-1.pdf, HDFS-ACLs-Design-2.pdf, HDFS-ACLs-Design-3.pdf,
> Test-Plan-for-Extended-Acls-1.pdf, Test-Plan-for-Extended-Acls-2.pdf
>
>
> Currently hdfs doesn't support Extended file ACL. In unix extended ACL can be
> achieved using getfacl and setfacl utilities. Is there anybody working on
> this feature?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
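
The mask behaviour described in the comment above, as an added example that is not part of the original comment and is not the HDFS {{AclStorage}} code: a simplified Python model in which the group permission bits hold the mask once an ACL is attached, so an ACL-unaware {{chmod g-r}} restricts the whole group class. The {{Inode}} class, its methods, and the sample users and groups are hypothetical.

```python
# Simplified model of the mask semantics; NOT the HDFS AclStorage implementation.
# All names here are hypothetical and the sample entries are constructed.
R, W, X = 4, 2, 1

class Inode:
    def __init__(self, mode):
        self.mode = mode          # classic 9 permission bits, e.g. 0o640
        self.acl = []             # ACL entries: (type, name, perms)

    def set_acl(self, named_entries, mask):
        """Attach an ACL: move the owning group's perms into an ACL entry
        and reuse the group permission bits to hold the mask."""
        group_perms = (self.mode >> 3) & 7
        self.acl = [("group", None, group_perms)] + list(named_entries)
        self.mode = (self.mode & ~0o070) | (mask << 3)

    def chmod(self, mode):
        """ACL-unaware chmod: rewrites only the 9 mode bits."""
        self.mode = mode & 0o777

    def mask(self):
        return (self.mode >> 3) & 7

    def effective(self, etype, name=None):
        """Effective perms of a group-class entry = entry perms AND mask."""
        for t, n, p in self.acl:
            if (t, n) == (etype, name):
                return p & self.mask()
        raise KeyError((etype, name))

def demo():
    f = Inode(0o640)                       # owner rw-, group r--, other ---
    f.set_acl([("user", "bruce", R | W),   # named user entry
               ("group", "sales", R)],     # named group entry
              mask=R | W)
    keys = [("group", None), ("user", "bruce"), ("group", "sales")]
    before = {k: f.effective(*k) for k in keys}
    f.chmod(f.mode & ~0o040)               # what `chmod g-r` does to the bits
    after = {k: f.effective(*k) for k in keys}
    return f.mode, before, after
```

The stored ACL entries are unchanged by the {{chmod}}; only the mask in the group bits moves, which is why read access disappears for the owning group, the named group, and the named user at once.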