[
https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314624#comment-15314624
]
John Zhuge commented on HDFS-6962:
----------------------------------
Hi [~cnauroth],
In order to maintain backwards compatibility in Hadoop 2.x, could we add a new
NameNode flag {{dfs.namenode.posix.acl.inheritance}}, default false in Hadoop
2.x, default true in Hadoop 3?
Changes to the {{CreateRequestProto}} and {{MkdirsRequestProto}} messages:
* Add an optional field {{FsPermissionProto unmasked}} to store the unmasked mode
parameter.
* The meaning of the existing field {{FsPermissionProto masked}} stays the
same: mode + umask, for both old and new clients.
* Please note this approach is a slightly different alternative to what you
suggested. I am ok either way.
Wrap around {{AclStorage#copyINodeDefaultAcl}}:
{code:java}
public static void copyINodeDefaultAcl(INode child) {
  // At this point the child's permission is the masked mode (mode & ~umask).
  assert child.getFsPermission().equals(child.getMaskedMode());
  if (child.getPosixAclInheritance()) {
    // POSIX inheritance ignores the umask when a default ACL exists, so start
    // from the unmasked mode sent by the client.
    child.setPermission(child.getUnmaskedMode());
  }
  if (!AclStorage.copyINodeDefaultAclInternal(child)) {
    // No default ACL in the parent dir: fall back to the masked mode.
    if (child.getPosixAclInheritance()) {
      child.setPermission(child.getMaskedMode());
    }
  }
}
{code}
Here {{INode#getUnmaskedMode}} returns the unmasked mode sent by DFSClient;
{{INode#getMaskedMode}} returns the masked mode;
{{INode#getPosixAclInheritance}} returns true when the request comes from a new
client and the flag is on.
> ACLs inheritance conflict with umaskmode
> ----------------------------------------
>
> Key: HDFS-6962
> URL: https://issues.apache.org/jira/browse/HDFS-6962
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Environment: CentOS release 6.5 (Final)
> Reporter: LINTE
> Assignee: John Zhuge
> Priority: Critical
> Labels: hadoop, security
> Attachments: HDFS-6962.001.patch, HDFS-6962.1.patch
>
>
> In hdfs-site.xml
> <property>
> <name>dfs.umaskmode</name>
> <value>027</value>
> </property>
> 1/ Create a directory as superuser
> bash# hdfs dfs -mkdir /tmp/ACLS
> 2/ set default ACLs on this directory rwx access for group readwrite and user
> toto
> bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
> bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
> 3/ check ACLs /tmp/ACLS/
> bash# hdfs dfs -getfacl /tmp/ACLS/
> # file: /tmp/ACLS
> # owner: hdfs
> # group: hadoop
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> user::rwx | group::r-x | other::--- matches the umaskmode defined in
> hdfs-site.xml, everything ok!
> default:group:readwrite:rwx allows the readwrite group rwx access for
> inheritance.
> default:user:toto:rwx allows the toto user rwx access for inheritance.
> default:mask::rwx inheritance mask is rwx, so no mask
> 4/ Create a subdir to test inheritance of ACL
> bash# hdfs dfs -mkdir /tmp/ACLS/hdfs
> 5/ check ACLs /tmp/ACLS/hdfs
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
> # file: /tmp/ACLS/hdfs
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx #effective:r-x
> group::r-x
> group:readwrite:rwx #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> Here we can see that the readwrite group has rwx ACL but only r-x is effective
> because the mask is r-x (mask::r-x), even though the default mask for inheritance
> is set to default:mask::rwx on /tmp/ACLS/
> 6/ Modify hdfs-site.xml and restart the namenode
> <property>
> <name>dfs.umaskmode</name>
> <value>010</value>
> </property>
> 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
> bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2
> 8/ Check ACL on /tmp/ACLS/hdfs2
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
> # file: /tmp/ACLS/hdfs2
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx #effective:rw-
> group::r-x #effective:r--
> group:readwrite:rwx #effective:rw-
> mask::rw-
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> So HDFS masks the ACL value (user, group and other -- except the POSIX
> owner -- ) with the group mask of the dfs.umaskmode property when creating a
> directory with inherited ACLs.
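The following is an added model of the behaviour described in the issue and in the proposed wrapper above; it is not HDFS code. It reproduces the reporter's {{getfacl}} output for umask 027 and 010 from the parent's default ACL, and shows what the child's ACL becomes when the unmasked mode is used instead, as the proposed {{dfs.namenode.posix.acl.inheritance}} flag would do. The entry representation, the function names and the {{posix_acl_inheritance}} parameter are assumptions made for the example.

```python
"""Model of POSIX.1e default-ACL inheritance and its interaction with umask,
as reported in HDFS-6962.  Added example, not HDFS code: the entry model,
function names and the posix_acl_inheritance flag are assumptions."""

from typing import List, Optional, Tuple

R, W, X = 4, 2, 1

# An ACL entry is (type, name, perm).  name is None for the owner, owning
# group, mask and other entries; perm is a 3-bit rwx value.
AclEntry = Tuple[str, Optional[str], int]


def parse_perm(s: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return (R if 'r' in s else 0) | (W if 'w' in s else 0) | (X if 'x' in s else 0)


def perm_str(p: int) -> str:
    return ('r' if p & R else '-') + ('w' if p & W else '-') + ('x' if p & X else '-')


def parse_default_acl(text: str) -> List[AclEntry]:
    """Parse the 'default:' lines of getfacl output into entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('default:'):
            _, typ, name, perm = line.split(':')
            entries.append((typ, name or None, parse_perm(perm)))
    return entries


def apply_umask(mode: int, umask: int) -> int:
    """What the client does today: the mode sent to the NameNode is mode & ~umask."""
    return mode & ~umask & 0o777


def inherit_access_acl(default_acl: List[AclEntry], mode: int) -> List[AclEntry]:
    """POSIX.1e: the child's access ACL is the parent's default ACL with the
    owner, mask and other entries filtered by the matching bits of the *mode
    parameter*; named entries are copied unchanged.  The owning-group entry is
    filtered only when the default ACL is minimal (no mask entry)."""
    user_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    minimal = not any(t == 'mask' for t, _, _ in default_acl)
    access = []
    for typ, name, perm in default_acl:
        if typ == 'user' and name is None:
            perm &= user_bits
        elif typ == 'mask' or (typ == 'group' and name is None and minimal):
            perm &= group_bits
        elif typ == 'other':
            perm &= other_bits
        access.append((typ, name, perm))
    return access


def create_child_acl(default_acl: List[AclEntry], mode: int, umask: int,
                     posix_acl_inheritance: bool) -> List[AclEntry]:
    """Mirror of the proposed copyINodeDefaultAcl wrapper: with a default ACL
    and the flag on, the unmasked mode is the mode parameter; otherwise the
    umask-filtered mode is used (today's behaviour, which clobbers the mask)."""
    masked = apply_umask(mode, umask)
    if not default_acl:
        # No default ACL in the parent: plain mode & ~umask as a minimal ACL.
        return [('user', None, (masked >> 6) & 7),
                ('group', None, (masked >> 3) & 7),
                ('other', None, masked & 7)]
    return inherit_access_acl(default_acl, mode if posix_acl_inheritance else masked)


def effective(entries: List[AclEntry]) -> List[str]:
    """getfacl-style lines; named entries and the owning group are limited by the mask."""
    mask = next((p for t, _, p in entries if t == 'mask'), None)
    out = []
    for typ, name, perm in entries:
        line = f"{typ}:{name or ''}:{perm_str(perm)}"
        limited = mask is not None and (name is not None or typ == 'group')
        if limited and perm & mask != perm:
            line += f" #effective:{perm_str(perm & mask)}"
        out.append(line)
    return out


# Constructed from the default ACL shown on /tmp/ACLS in the issue description.
PARENT_DEFAULT_ACL = parse_default_acl("""
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---
""")

if __name__ == "__main__":
    # mkdir requests mode 0777; the client applies the umask before sending.
    for umask, flag in ((0o027, False), (0o010, False), (0o027, True)):
        print(f"umask={umask:03o} posix_acl_inheritance={flag}")
        print("\n".join(effective(create_child_acl(PARENT_DEFAULT_ACL, 0o777, umask, flag))))
```

With the flag off the model reproduces both reported results (mask::r-x under umask 027, mask::rw- with group::r-x reduced to r-- under umask 010); with the flag on the mask stays rwx because only the unmasked mode parameter filters the inherited entries, which is the POSIX rule that the umask is ignored when a default ACL is present.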
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)