[ https://issues.apache.org/jira/browse/HDFS-14359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16790808#comment-16790808 ]

Stephen O'Donnell commented on HDFS-14359:
------------------------------------------

If I re-create the scenario in the test manually, we can see the group ACL 
retains the r-x permission, but the top level directory permissions become 770:

{code}
# file: /p1
# owner: sodonnell
# group: supergroup
user::rwx
group::r-x
other::---
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /p1/dir1
# owner: sodonnell
# group: supergroup
user::rwx
user:foo:rwx
group::r-x      ====> As expected
mask::rwx
other::---
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /p1/dir1/subdir1
# owner: sodonnell
# group: supergroup
user::rwx
user:foo:rwx
group::r-x     =====> As expected
mask::rwx
other::---
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::---

$ hadoop fs -ls -R /p1
drwxrwx---+  - sodonnell supergroup          0 2019-03-12 16:58 /p1/dir1            ===> 750 has become 770 in both cases
drwxrwx---+  - sodonnell supergroup          0 2019-03-12 16:58 /p1/dir1/subdir1
{code}

Validating this on a CDH 5 cluster, which is based on 2.6, the behaviour is the 
same, in that for ACLs to be inherited, the group permissions always become 
"rwx" for group. 

However, it seems to be the ACL for "group::r-x" which enforces the permissions, 
so when a directory has ACLs, the top level directory permissions cannot really 
be trusted and are overridden by the ACLs below them.

Further, changing the permissions at the top level effectively masks the ACLs:

{code}
$ hadoop fs -chmod 750 /p1/dir1

$ hadoop fs -getfacl -R /p1/dir1
# file: /p1/dir1
# owner: sodonnell
# group: supergroup
user::rwx
user:foo:rwx    #effective:r-x   ====> Before the chmod, this was rwx.
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::---
{code}

> Inherited ACL permissions masked when parent directory does not exist (mkdir 
> -p)
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-14359
>                 URL: https://issues.apache.org/jira/browse/HDFS-14359
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.3.0
>            Reporter: Stephen O'Donnell
>            Assignee: Stephen O'Donnell
>            Priority: Major
>         Attachments: HDFS-14359.001.patch, HDFS-14359.002.patch
>
>
> There appears to be an issue with ACL inheritance if you 'mkdir' a directory 
> such that the parent directories need to be created (i.e. mkdir -p).
> If you have a folder /tmp2/testacls as:
> {code}
> hadoop fs -mkdir /tmp2
> hadoop fs -mkdir /tmp2/testacls
> hadoop fs -setfacl -m default:user:hive:rwx /tmp2/testacls
> hadoop fs -setfacl -m default:user:flume:rwx /tmp2/testacls
> hadoop fs -setfacl -m user:hive:rwx /tmp2/testacls
> hadoop fs -setfacl -m user:flume:rwx /tmp2/testacls
> hadoop fs -getfacl -R /tmp2/testacls
> # file: /tmp2/testacls
> # owner: kafka
> # group: supergroup
> user::rwx
> user:flume:rwx
> user:hive:rwx
> group::r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:flume:rwx
> default:user:hive:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> {code}
> Then create a sub-directory in it, the ACLs are as expected:
> {code}
> hadoop fs -mkdir /tmp2/testacls/dir_from_mkdir
> # file: /tmp2/testacls/dir_from_mkdir
> # owner: sodonnell
> # group: supergroup
> user::rwx
> user:flume:rwx
> user:hive:rwx
> group::r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:flume:rwx
> default:user:hive:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> {code}
> However if you mkdir -p a directory, the situation is not the same:
> {code}
> hadoop fs -mkdir -p /tmp2/testacls/dir_with_subdirs/sub1/sub2
> # file: /tmp2/testacls/dir_with_subdirs
> # owner: sodonnell
> # group: supergroup
> user::rwx
> user:flume:rwx        #effective:r-x
> user:hive:rwx #effective:r-x
> group::r-x
> mask::r-x
> other::r-x
> default:user::rwx
> default:user:flume:rwx
> default:user:hive:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> # file: /tmp2/testacls/dir_with_subdirs/sub1
> # owner: sodonnell
> # group: supergroup
> user::rwx
> user:flume:rwx        #effective:r-x
> user:hive:rwx #effective:r-x
> group::r-x
> mask::r-x
> other::r-x
> default:user::rwx
> default:user:flume:rwx
> default:user:hive:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> # file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
> # owner: sodonnell
> # group: supergroup
> user::rwx
> user:flume:rwx
> user:hive:rwx
> group::r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:flume:rwx
> default:user:hive:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> {code}
> Notice the leaf folder "sub2" is correct, but the two ancestor folders 
> have their permissions masked. I believe this is a regression from the fix 
> for HDFS-6962 with dfs.namenode.posix.acl.inheritance.enabled set to true, as 
> the code has changed significantly from the earlier 2.6 / 2.8 branch.
> I will submit a patch for this.



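An added example, not part of the JIRA comment or of Hadoop's code: a small audit over `hadoop fs -getfacl -R` output that reports which access entries the mask narrows and what mode string `ls` will show for each path. It assumes the POSIX ACL rule visible in the listings above (effective permission = entry AND mask, and the mode's group bits display the mask once an extended ACL exists); the names `parse_getfacl` and `access_view` are hypothetical.

```python
import re
# One ACL entry, e.g. "default:user:foo:rwx"; a trailing "#effective:..." is ignored.
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")

def bits(p):
    return sum(v for c, v in zip(p, (4, 2, 1)) if c != "-")
def perm(b):
    return "".join(c if b & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_getfacl(text):
    """Return {path: [(is_default, kind, name, perm), ...]} from getfacl -R output."""
    acls, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = []
        elif path and (m := ENTRY.match(line)):
            acls[path].append((bool(m[1]), m[2], m[3], m[4]))
    return acls

def access_view(entries):
    """Return (mode string as ls shows it, {entry: (granted, effective)} for masked entries)."""
    acc = {(k, n): bits(p) for d, k, n, p in entries if not d}
    mask = acc.get(("mask", ""))
    # With an extended ACL the mode's group bits carry the mask, which also
    # filters named users, the owning group and named groups.
    group_bits = acc[("group", "")] if mask is None else mask
    mode = perm(acc[("user", "")]) + perm(group_bits) + perm(acc[("other", "")])
    masked = {f"{k}:{n}": (perm(b), perm(b & mask)) for (k, n), b in acc.items()
              if mask is not None and ((k == "user" and n) or k == "group") and b & mask != b}
    return mode + ("" if mask is None else "+"), masked

# Constructed sample, shaped like the listings above (owner/group lines omitted).
SAMPLE = """\
# file: /p1/dir1
user::rwx
user:foo:rwx    #effective:r-x
group::r-x
mask::r-x
other::---
default:mask::rwx
# file: /p1/dir1/subdir1
user::rwx
user:foo:rwx
group::r-x
mask::rwx
other::---
"""
for path, entries in parse_getfacl(SAMPLE).items():
    print(path, *access_view(entries))
```

A non-empty second element on a path means a named-user or group grant is being silently reduced there, which is the symptom to look for on the intermediate directories created by `mkdir -p`.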