[
https://issues.apache.org/jira/browse/HDFS-5899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13897387#comment-13897387
]
Chris Nauroth commented on HDFS-5899:
-------------------------------------
Both [~cmccabe] and [~wheat9] have expressed concerns about causing pain for
administrators if we have code that aborts intentionally while loading fsimage
or edits, so I think I need to reconsider this.
Regarding skipping enforcement, my concern is the risk of unintentionally
widening permissions due to interactions with the mask entry. (The full
explanation is in my prior comment.)
Here is a compromise proposal. Let's reject the API calls when
{{dfs.namenode.acls.enabled}} is false, but let's still load *and enforce* all
existing ACLs found in fsimage or edits. I expect that addresses the concerns
about administrative pain, and it addresses my concerns about weakening
enforcement. This does mean that the config flag is not a hard restriction,
but admins who really want to nuke all ACLs can still use the procedure I
described, and I expect this to be a rare occurrence.
It looks like an acceptable compromise to me. Do others agree? If so, then
I'll file a new issue for the change. Thank you, Colin and Haohui.
> Add configuration flag to disable/enable support for ACLs.
> ----------------------------------------------------------
>
> Key: HDFS-5899
> URL: https://issues.apache.org/jira/browse/HDFS-5899
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: namenode
> Affects Versions: HDFS ACLs (HDFS-4685)
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Fix For: HDFS ACLs (HDFS-4685)
>
> Attachments: HDFS-5899.1.patch, HDFS-5899.2.patch
>
>
> Add a new configuration property that allows administrators to toggle support
> for HDFS ACLs on/off. By default, the flag will be off. This is a
> conservative choice, and administrators interested in using ACLs can enable
> it explicitly.
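A simplified model of the compromise proposed in the comment above, added as an example and not taken from the Hadoop code base. It assumes the POSIX-style layout in which a file's group permission bits hold the ACL mask once an ACL is present; all class, function and user names are hypothetical, and the sample file is constructed.

```python
# Added illustration: a simplified model, not Hadoop code. All names are hypothetical.
R, W, X = 4, 2, 1

class AclsDisabledError(Exception):
    """Raised when an ACL API call arrives while the flag is off."""

class Inode:
    def __init__(self, owner, group, mode):
        self.owner, self.group, self.mode = owner, group, mode
        self.acl = {}  # e.g. {"user:bruce": R | W, "group::": R}

class NameNodeModel:
    def __init__(self, acls_enabled):
        self.acls_enabled = acls_enabled  # stands in for dfs.namenode.acls.enabled

    def set_acl(self, inode, entries, mask):
        if not self.acls_enabled:  # the compromise: reject API calls only
            raise AclsDisabledError("ACL support is disabled")
        inode.acl = dict(entries)
        # With an ACL present, the group bits of the mode hold the mask.
        inode.mode = (inode.mode & 0o707) | (mask << 3)

    def allowed(self, inode, user, groups, want, enforce_acl=True):
        # enforce_acl=False models the rejected "skip enforcement" alternative.
        if user == inode.owner:
            return ((inode.mode >> 6) & want) == want
        group_bits = (inode.mode >> 3) & 7
        if inode.acl and enforce_acl:
            if "user:" + user in inode.acl:
                return (inode.acl["user:" + user] & group_bits & want) == want
            if inode.group in groups:
                return (inode.acl["group::"] & group_bits & want) == want
        elif inode.group in groups:
            return (group_bits & want) == want  # mask misread as group permission
        return (inode.mode & want) == want  # "other" bits; named groups omitted

def demo():
    f = Inode("alice", "staff", 0o640)  # constructed sample file
    NameNodeModel(True).set_acl(f, {"user:bruce": R | W, "group::": R}, mask=R | W)
    nn = NameNodeModel(False)  # restart with the flag off, ACL loaded from fsimage
    try:
        nn.set_acl(f, {"group::": R | W}, mask=R | W)
        rejected = False
    except AclsDisabledError:
        rejected = True
    return {"mode": oct(f.mode), "api_rejected": rejected,
            "carol_write_enforced": nn.allowed(f, "carol", {"staff"}, W),
            "carol_write_skipped": nn.allowed(f, "carol", {"staff"}, W, enforce_acl=False),
            "bruce_write_enforced": nn.allowed(f, "bruce", {"eng"}, W)}
```

In this model, a member of the owning group gains write access only when enforcement is skipped, because the mask stored in the group bits is then read as the group's own permission.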