[jira] [Updated] (HDFS-5612) NameNode: change all permission checks to enforce ACLs in addition to permissions.

Thu, 26 Dec 2013 14:12:00 -0800 

     [ 
https://issues.apache.org/jira/browse/HDFS-5612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Nauroth updated HDFS-5612:
--------------------------------

    Attachment: HDFS-5612.1.patch

This patch implements the logic for enforcing permissions defined in ACLs.  
This is a new code path in {{FSPermissionChecker}} to check permissions based 
on either {{FsPermission}} bits (existing logic, unchanged) or an {{AclEntry}} 
list, if defined on the inode.  While I was in here, I also fixed a very minor 
bug that I noticed.  The permission enforcement can run against permissions 
defined on a snapshot inode, but the string in the exception created by 
{{FSPermissionChecker#toAccessControlString}} wasn't using the snapshot inode.  
This wouldn't break any permission enforcement logic, but it could potentially 
make the exception messages confusing.

I've added new tests in {{TestFSPermissionChecker}}.  I manually validated the 
behavior asserted by these tests against Linux setfacl.  The tests cover the 
new code path at nearly 100%.  Additionally, I ran a sampling of other HDFS 
tests related to existing permissions logic, and I didn't see any failures.  
(We do have a problem with {{TestOfflineEditsViewer}} and 
{{TestOfflineImageViewer}} on the HDFS-4685 branch right now, but it's a known 
problem and it's unrelated.)

The test has some helper methods that are duplicated from my HDFS-5673 patch.  
After HDFS-5673 gets +1'd and I commit it, I plan to come back here and 
refactor those helper methods to a shared {{AclTestHelpers}} class.


> NameNode: change all permission checks to enforce ACLs in addition to 
> permissions.
> ----------------------------------------------------------------------------------
>
>                 Key: HDFS-5612
>                 URL: https://issues.apache.org/jira/browse/HDFS-5612
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-5612.1.patch
>
>
> All {{NameNode}} code paths that enforce permissions must be updated so that 
> they also enforce ACLs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to