Stephen O'Donnell created HDFS-14359:
----------------------------------------
Summary: Inherited ACL permissions masked when parent directory
does not exist (mkdir -p)
Key: HDFS-14359
URL: https://issues.apache.org/jira/browse/HDFS-14359
Project: Hadoop HDFS
Issue Type: Bug
Affects Versions: 3.3.0
Reporter: Stephen O'Donnell
Assignee: Stephen O'Donnell
There appears to be an issue with ACL inheritance if you 'mkdir' a directory
such that the parent directories need to be created (ie mkdir -p).
If you have a folder /tmp2/testacls as:
{code}
hadoop fs -mkdir /tmp2
hadoop fs -mkdir /tmp2/testacls
hadoop fs -setfacl -m default:user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m default:user:flume:rwx /tmp2/testacls
hadoop fs -setfacl -m user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m user:flume:rwx /tmp2/testacls
hadoop fs -getfacl -R /tmp2/testacls
# file: /tmp2/testacls
# owner: kafka
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}
Then create a sub-directory in it, the ACLs are as expected:
{code}
hadoop fs -mkdir /tmp2/testacls/dir_from_mkdir
# file: /tmp2/testacls/dir_from_mkdir
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}
However if you mkdir -p a directory, the situation is not the same:
{code}
hadoop fs -mkdir -p /tmp2/testacls/dir_with_subdirs/sub1/sub2
# file: /tmp2/testacls/dir_with_subdirs
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx #effective:r-x
user:hive:rwx #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
# file: /tmp2/testacls/dir_with_subdirs/sub1
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx #effective:r-x
user:hive:rwx #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
# file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
{code}
Notice the the leaf folder "sub2" is correct, but the two ancestor folders have
their permissions masked. I believe this is a regression from the fix for
HDFS-6962 with dfs.namenode.posix.acl.inheritance.enabled set to true, as the
code has changed significantly from the earlier 2.6 / 2.8 branch.
I will submit a patch for this.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
