[ https://issues.apache.org/jira/browse/HDFS-7582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Nauroth updated HDFS-7582:
--------------------------------
Description:
Current ACL limits are only on the total number of entries.
But there can be a situation where the number of default entries for a directory
is more than half of the maximum entries, i.e. > 16.
In such a case, under this parent directory only files can be created, which will
have ACLs inherited using the parent's default entries.
But when directories are created, the total number of entries will be more than
the maximum allowed, because sub-directories copy both inherited ACLs as well as
default entries.
Since there is currently no check while copying ACLs from default ACLs,
directory creation succeeds, but any modification (even only the permission on
one entry) on the same ACL will fail.
It would be better to enforce the maximum of 32 entries separately per access
and default. This would be consistent with our observations testing ACLs on
other file systems, such as XFS and ext3.
was:
Current ACL limits are only on the total number of entries.
But there can be a situation where the number of default entries for a directory
is more than half of the maximum entries, i.e. > 16.
In such a case, under this parent directory only files can be created, which will
have ACLs inherited using the parent's default entries.
But when directories are created, the total number of entries will be more than
the maximum allowed, because sub-directories copy both inherited ACLs as well as
default entries.
Since there is currently no check while copying ACLs from default ACLs,
directory creation succeeds, but any modification (even only the permission on
one entry) on the same ACL will fail.
So it would be better to restrict the default entries to 16.
Target Version/s: 2.8.0 (was: 3.0.0)
Affects Version/s: 2.4.0
Summary: Enforce maximum number of ACL entries separately per access and default. (was: Limit the number of default ACL entries to Half of maximum entries (16))

[~vinayrpet], this is starting to make sense to me now. The spec I've referred
to a lot (the same one you linked in your last comment) shows the maximum
number of entries for a few different file systems. Like you said, it doesn't
specifically say anywhere that the limit is applied separately for access and
default, but in practice, that's the behavior that both you and I have observed.
I had been thrown off by the fact that you found different results than I did
from testing against a local file system. Now I see the reason for that is you
were testing with XFS (max 25 per access and default) and I was testing with
ext3 (max 32 per access and default).

Now considering all of that, I agree with you that HDFS can make a change so
that the limit is enforced separately per access and default. This is
backwards-compatible, because it does not reduce the number of ACL entries that
can be used in existing deployments already. I'm re-targeting this to 2.8.0
and updating the description to show the new plan.

Thank you for the follow-up!

> Enforce maximum number of ACL entries separately per access and default.
> ------------------------------------------------------------------------
>
> Key: HDFS-7582
> URL: https://issues.apache.org/jira/browse/HDFS-7582
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namenode
> Affects Versions: 2.4.0
> Reporter: Vinayakumar B
> Assignee: Vinayakumar B
> Attachments: HDFS-7582-001.patch
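
The failure described in this issue, as an added example in Python: a simplified model of default-ACL inheritance, not HDFS code and not the attached patch. The function names, the tuple layout and the constructed 20-entry parent are assumptions; only the limit of 32 and the inheritance behaviour come from the description above.

```python
from collections import Counter

MAX_ENTRIES = 32  # limit quoted in the issue

def inherit(parent_defaults, is_dir):
    """Build a new child's ACL from the parent's default entries.
    No limit is checked here, matching the behaviour the issue reports."""
    acl = [("access", name, perm) for _, name, perm in parent_defaults]
    if is_dir:  # sub-directories also keep a copy of the defaults
        acl += parent_defaults
    return acl

def within_total_limit(acl):
    # Limit on the total number of entries (behaviour described as current).
    return len(acl) <= MAX_ENTRIES

def within_per_scope_limit(acl):
    # Limit applied separately to access and default entries (proposed).
    counts = Counter(scope for scope, _, _ in acl)
    return all(n <= MAX_ENTRIES for n in counts.values())

def set_perm(acl, scope, name, perm, validate):
    """Change one entry's permission, then validate the whole ACL."""
    updated = [(s, n, perm if (s, n) == (scope, name) else p) for s, n, p in acl]
    if not validate(updated):
        raise ValueError(f"{len(updated)} entries exceed the ACL limit")
    return updated

def scenario(n_defaults=20):
    """Constructed input: a parent with n_defaults default entries (> 16)."""
    defaults = [("default", f"user:u{i}", "rwx") for i in range(n_defaults)]
    child_file = inherit(defaults, is_dir=False)
    child_dir = inherit(defaults, is_dir=True)
    outcome = {"file": len(child_file), "dir": len(child_dir)}
    for label, check in (("total", within_total_limit),
                         ("per_scope", within_per_scope_limit)):
        try:  # the same one-entry edit, validated under each rule
            set_perm(child_dir, "access", "user:u0", "r--", check)
            outcome[label] = "ok"
        except ValueError:
            outcome[label] = "rejected"
    return outcome

if __name__ == "__main__":
    print(scenario())
```

With 20 default entries the child directory is created with 40 entries, so a one-entry permission change is rejected under the total limit and accepted under the per-scope limit.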