[ https://issues.apache.org/jira/browse/HDFS-5612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13866906#comment-13866906 ]

Chris Nauroth commented on HDFS-5612:
-------------------------------------

I'm going to put this patch on hold for now.

In a separate patch, I'm exploring the possibility of mapping the ACL 
owner/mask/other entries into the owner/group/other permission bits.  (Things 
like chmod g+w on a file with an ACL result in setting the mask entry.)  
Currently, my approach is to keep all of these entries in the ACL itself and 
then add some code to keep their values consistent with the permission bits.  
If instead I use the group permission bits as the only location for the mask 
entry, then we get some potential benefits.  There is less impact to existing 
code (likely no need to change {{setPermission}} at all, because the existing 
implementation will just do the right thing).  There are fewer opportunities 
for bugs related to keeping the 2 data sources in sync.  We also could see a 
minor reduction of memory utilization by storing fewer elements into the 
{{AclFeature}}, also resulting in greater likelihood of de-duplication when we 
do the Global ACL Set patch.

If we do this, then I expect a bit more complexity in {{FSPermissionChecker}} 
as a consequence.  The basic logic would remain the same, but {{checkAcl}} 
would need to inspect both the permission bits and the ACL entry list instead 
of just the ACL entry list.  I want to understand that complexity trade-off 
better, so while I explore that, let's put this code review on hold.

> NameNode: change all permission checks to enforce ACLs in addition to 
> permissions.
> ----------------------------------------------------------------------------------
>
>                 Key: HDFS-5612
>                 URL: https://issues.apache.org/jira/browse/HDFS-5612
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-5612.1.patch, HDFS-5612.2.patch
>
>
> All {{NameNode}} code paths that enforce permissions must be updated so that 
> they also enforce ACLs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
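
The check described in the comment above, as an added sketch that is not taken from HDFS-5612, its patches, or Hadoop: the mask is read from the group permission bits while named entries come from the ACL entry list. `AclCheckSketch`, `Entry`, `Type` and `check` are hypothetical names, keeping the owning group's entry in the list is an assumption, and the code needs Java 16 or later for records.

```java
import java.util.List;
import java.util.Set;

public class AclCheckSketch {
    // Hypothetical types for illustration; not HDFS's AclEntry or FsPermission.
    enum Type { USER, GROUP }
    record Entry(Type type, String name, int perm) {} // name == null: owning group

    static final int R = 4, W = 2;

    // mode holds the 9 permission bits. Assumption: when an ACL is present the
    // group bits carry the mask and the owning group's entry lives in the list.
    static boolean check(String user, Set<String> groups, String owner, String group,
                         int mode, List<Entry> acl, int want) {
        int ownerBits = (mode >> 6) & 7, groupBits = (mode >> 3) & 7, otherBits = mode & 7;
        if (user.equals(owner)) return (ownerBits & want) == want; // owner: never masked
        if (acl.isEmpty()) { // no ACL: plain permission-bit check
            int bits = groups.contains(group) ? groupBits : otherBits;
            return (bits & want) == want;
        }
        int mask = groupBits; // mask comes from the permission bits, not the list
        for (Entry e : acl) // a named user entry takes precedence over group entries
            if (e.type() == Type.USER && user.equals(e.name()))
                return (e.perm() & mask & want) == want;
        boolean matchedGroup = false;
        for (Entry e : acl) {
            if (e.type() != Type.GROUP) continue;
            String g = e.name() == null ? group : e.name();
            if (!groups.contains(g)) continue;
            matchedGroup = true;
            if ((e.perm() & mask & want) == want) return true;
        }
        // A group match that grants nothing denies; "other" applies only with no match.
        return !matchedGroup && (otherBits & want) == want;
    }

    public static void main(String[] args) {
        // Constructed sample: owner alice, group staff, bob has a named rw- entry.
        List<Entry> acl = List.of(new Entry(Type.USER, "bob", R | W),
                                  new Entry(Type.GROUP, null, R));
        Set<String> staff = Set.of("staff");
        // Mode 0640: group bits r-- act as the mask over bob's rw- entry.
        System.out.println(check("bob", Set.of(), "alice", "staff", 0640, acl, W));
        // Mode 0660, as after chmod g+w: the mask is now rw-.
        System.out.println(check("bob", Set.of(), "alice", "staff", 0660, acl, W));
        // carol matches only the owning group entry (r--), whatever the mask allows.
        System.out.println(check("carol", staff, "alice", "staff", 0660, acl, W));
    }
}
```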
