[ https://issues.apache.org/jira/browse/HDFS-6463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14012013#comment-14012013 ]

Chris Nauroth commented on HDFS-6463:
-------------------------------------

Hello, [~atm] and [~szehon]. I reviewed the test case, and it appears to be
asserting incorrect behavior here:

{code}
assertEquals("rwxr-xr-x", permission.toString());
{code}

I'd actually expect to see "rwxrwxr-x". The POSIX ACL model defines the
concept of the "group class" consisting of the traditional group entry, all
named user entries, and all named group entries. By default, the mask entry is
set to the union of permissions for all entries in the group class. The mask
entry is then reported as the group permissions to all APIs/applications that
are unaware of ACLs, such as ls. This is an intentional design choice made by
the POSIX ACL model to deal with the discrepancy that some legacy applications
inevitably have an incomplete view of ACLs. More details on this design choice
are documented here:

http://users.suse.com/~agruen/acl/linux-acls/online/

In this test case, the ACL entries consist of a group entry with read-execute
permissions, a named user entry with read-write permissions, and a named group
entry with read-write permissions. Taking the union of all of those, we have
read-write-execute. The ACL does not explicitly set its own mask entry, so
therefore it uses the union of rwx.

To verify that this is expected behavior, I executed the same test case
manually using Linux setfacl. See below for a transcript. As I expected, the
resulting stat/ls shows 775 for the permissions, not 755 as asserted in this
test case.

I'd like to resolve this as Not a Problem, but let me know if you have any
other questions.

{code}
[cnauroth@ubuntu:pts/0] acltest
> mkdir foo -m 755
[cnauroth@ubuntu:pts/0] acltest
> setfacl --set user::rwx,group::r-x,other::r-x,user:foo:rw-,group:foo:rw- foo
[cnauroth@ubuntu:pts/0] acltest
> stat foo
File: `foo'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 9791 Links: 2
Access: (0775/drwxrwxr-x) Uid: ( 1000/cnauroth) Gid: ( 1000/cnauroth)
Access: 2014-05-28 19:57:23.549889726 -0700
Modify: 2014-05-28 19:57:23.549889726 -0700
Change: 2014-05-28 19:58:57.840704104 -0700
Birth: -
[cnauroth@ubuntu:pts/0] acltest
> getfacl foo
# file: foo
# owner: cnauroth
# group: cnauroth
user::rwx
user:foo:rw-
group::r-x
group:foo:rw-
mask::rwx
other::r-x
[cnauroth@ubuntu:pts/0] acltest
> ls -lrt
drwxrwxr-x+ 2 cnauroth 4.0K May 28 19:57 foo/
{code}
> Incorrect permission can be created after setting ACLs
> ------------------------------------------------------
>
> Key: HDFS-6463
> URL: https://issues.apache.org/jira/browse/HDFS-6463
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namenode
> Affects Versions: 2.4.0
> Reporter: Aaron T. Myers
> Attachments: HDFS-6463.patch
>
>
> When setting ACLs for a file or directory, it's possible for the resulting
> FsPermission object's group entry to be set incorrectly, in particular it
> will be set to the mask entry. More details in the first comment of this JIRA.
> Thanks to [~szehon] for identifying this issue.
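
The mask rule described in the comment above, as an added example that is not part of the original message or of Hadoop's code: a small Python model that derives the mask from the group class and the permission string an ACL-unaware caller sees. The function names are illustrative assumptions; the sample ACL is the one from the setfacl transcript.

```python
# Added example: a model of POSIX ACL mask handling, not HDFS or setfacl code.
from functools import reduce

BITS = (("r", 4), ("w", 2), ("x", 1))

def parse_perm(text):
    """'rw-' -> 6; rejects anything that is not a 3-char rwx string."""
    if len(text) != 3 or any(c not in (f, "-") for c, (f, _) in zip(text, BITS)):
        raise ValueError(f"bad permission string: {text!r}")
    return sum(bit for c, (_, bit) in zip(text, BITS) if c != "-")

def fmt_perm(bits):
    return "".join(f if bits & bit else "-" for f, bit in BITS)

def parse_acl(spec):
    """Parse setfacl-style 'user::rwx,user:foo:rw-,...' into {(tag, name): bits}."""
    acl = {}
    for entry in spec.split(","):
        tag, name, perm = entry.strip().split(":")
        acl[(tag, name)] = parse_perm(perm)
    if not all((t, "") in acl for t in ("user", "group", "other")):
        raise ValueError("user::, group:: and other:: entries are required")
    return acl

def group_class(acl):
    """Owning-group entry plus every named user and named group entry."""
    return {k: v for k, v in acl.items()
            if k == ("group", "") or (k[0] in ("user", "group") and k[1])}

def resolve_mask(acl):
    """Explicit mask if set; else union of the group class; None for a minimal ACL."""
    if ("mask", "") in acl:
        return acl[("mask", "")]
    members = group_class(acl)
    return None if len(members) == 1 else reduce(lambda a, b: a | b, members.values())

def legacy_mode(acl):
    """Nine-character string reported to ACL-unaware callers such as ls."""
    mask = resolve_mask(acl)
    group_bits = acl[("group", "")] if mask is None else mask
    return fmt_perm(acl[("user", "")]) + fmt_perm(group_bits) + fmt_perm(acl[("other", "")])

def effective(acl):
    """Access actually granted to each group-class entry: entry AND mask."""
    mask = resolve_mask(acl)
    return {k: fmt_perm(v if mask is None else v & mask)
            for k, v in group_class(acl).items()}

# Constructed input: the ACL from the setfacl transcript above.
TRANSCRIPT_ACL = parse_acl("user::rwx,group::r-x,other::r-x,user:foo:rw-,group:foo:rw-")
```

With an explicit `mask::r-x` appended to the same ACL, `legacy_mode` returns `rwxr-xr-x` and `effective` shows `user:foo` reduced to `r--`.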