[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14077954#comment-14077954
]
Chris Nauroth commented on HDFS-6570:
-------------------------------------
Hi, [~jdere]. The expected behavior is to get an {{AccessControlException}}
thrown from the "Fails here" line. The test creates directory /p1 and gives
bruce read access. Then, it creates sub-directory /p1/p2 and gives bruce full
read-write-execute access. Traversing an HDFS directory to access its children
requires execute permission, not read permission. (This is consistent with
POSIX.) Bruce doesn't have execute access on /p1, so HDFS halts traversal
there and throws an {{AccessControlException}}. The presence of a
read-write-execute ACL entry on a child inode does not override the requirement
for execute permission on the parent.
> add api that enables checking if a user has certain permissions on a file
> -------------------------------------------------------------------------
>
> Key: HDFS-6570
> URL: https://issues.apache.org/jira/browse/HDFS-6570
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: hdfs-client, namenode, webhdfs
> Reporter: Thejas M Nair
> Assignee: Jitendra Nath Pandey
> Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
> HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch
>
>
> For some of the authorization modes in Hive, the servers in Hive check if a
> given user has permissions on a certain file or directory. For example, the
> storage based authorization mode allows hive table metadata to be modified
> only when the user has access to the corresponding table directory on hdfs.
> There are likely to be such use cases outside of Hive as well.
> HDFS does not provide an api for such checks. As a result, the logic to check
> if a user has permissions on a directory gets replicated in Hive. This
> results in duplicate logic and introduces possibilities for
> inconsistencies in the interpretation of the permission model. This becomes a
> bigger problem with the complexity of ACL logic.
> HDFS should provide an api that provides functionality that is similar to
> access function in unistd.h - http://linux.die.net/man/2/access .
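The traversal rule described in the comment above, as an added example that is not part of the original message or of the HDFS code base. It is a simplified Python model that assumes named-user ACL entries only (no owner/group/other bits, ACL mask, or superuser); `Inode`, `check_access`, `build_tree` and `denied_at` are hypothetical names, and the directory layout is constructed to match the test in the comment.

```python
"""Simplified model of path traversal checks (not HDFS code)."""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 4, 2, 1


class AccessControlException(Exception):
    """Stand-in for the HDFS exception of the same name."""


@dataclass
class Inode:
    acl: dict = field(default_factory=dict)       # user -> permission bits
    children: dict = field(default_factory=dict)  # name -> Inode


def check_access(root, path, user, requested):
    """Require EXECUTE on every ancestor directory, then `requested` on the target."""
    node, walked = root, "/"
    for name in [p for p in path.split("/") if p]:
        # The check is on the directory being traversed, not on the child.
        if not (node.acl.get(user, 0) & EXECUTE):
            raise AccessControlException(
                f"user={user}, access=EXECUTE, inode={walked}")
        if name not in node.children:
            raise FileNotFoundError(path)
        node = node.children[name]
        walked = walked.rstrip("/") + "/" + name
    if (node.acl.get(user, 0) & requested) != requested:
        raise AccessControlException(
            f"user={user}, access={requested}, inode={walked}")
    return True


def build_tree():
    """Constructed layout: /p1 is read-only for bruce, /p1/p2 is rwx for bruce."""
    p2 = Inode(acl={"bruce": READ | WRITE | EXECUTE})
    p1 = Inode(acl={"bruce": READ}, children={"p2": p2})
    # Assumption: bruce can traverse the root directory.
    return Inode(acl={"bruce": READ | EXECUTE}, children={"p1": p1})


def denied_at(root, path, user, requested):
    """Return the denial message, or None if access is allowed."""
    try:
        check_access(root, path, user, requested)
        return None
    except AccessControlException as exc:
        return str(exc)
```

In this model the denial for `/p1/p2` names `/p1` as the failing inode, which is the detail to look for when an ACL on a child appears to be ignored.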