[jira] [Commented] (HDFS-14517) Display bug in permissions when ACL mask is defined

[Istvan Fajth (JIRA)]

[ 
https://issues.apache.org/jira/browse/HDFS-14517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16875261#comment-16875261
 ] 

Istvan Fajth commented on HDFS-14517:
-

This is pretty much misleading in the following scenario:

 
{code:java}
$ hdfs groups systest
 systest : systest testacl
$ klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: syst...@vpc.cloudera.com
Valid starting Expires Service principal
 06/28/2019 14:55:59 06/28/2019 15:20:59 
krbtgt/vpc.cloudera@vpc.cloudera.com
 renew until 06/28/2019 16:25:59


$ hdfs dfs -ls /tmp2
 Found 1 items
 drwxrwxr-x+ - hdfs testacl 0 2019-06-28 14:34 /tmp2/testacl
$ hdfs dfs -touchz /tmp2/testacl/file1
 touchz: Permission denied: user=systest, access=WRITE, 
inode="/tmp2/testacl":hdfs:testacl:drwxrwxr-x
$ hdfs dfs -getfacl /tmp2/testacl

file: /tmp2/testacl owner: hdfs group: testacl
 user::rwx
 group::r-x
 mask::rwx
 other::r-x
 
{code}
So here we have a mask of rwx, and a group permission of r-x. The ls displays 
the rwx from the mask as the group permission, while the effective permission 
in the group ACL correctly prevent the write.

 

I have validated, and it is working the same way in a Linux (CentOS) system as 
well, so it seems to be something that is not a problem at all, and we comply 
with POSIX here properly.

I guess I am closing this ticket as not a problem.

> Display bug in permissions when ACL mask is defined
> ---
>
> Key: HDFS-14517
> URL: https://issues.apache.org/jira/browse/HDFS-14517
> Project: Hadoop HDFS
>  Issue Type: Bug
>  Components: namenode
> Environment: Tested on latest CDH integration, and CDH5 as well with 
> the same result.
>Reporter: Istvan Fajth
>Priority: Minor
>
> When ACLs are enabled on a folder, the following sequence of commands provide 
> the following result:
>  
> {{$ hdfs dfs -mkdir /tmp/acl
> $ hdfs dfs -ls /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x   - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> $ hdfs dfs -setfacl -m mask::rwx /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxrwxr-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> drwx-wx-wx   - hive   supergroup          0 2019-05-27 23:48 /tmp/hive
> drwxrwxrwt   - mapred hadoop              0 2019-05-28 01:32 /tmp/logs
> $ hdfs dfs -setfacl -m mask::r-- /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr--r-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -setfacl -m mask::r-x /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> mask::r-x
> other::r-x}}
>  
> So the group permission representation is changing with the defined mask ACL 
> instead of the group ACL or, maybe even better, the effective group ACL.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-14517) Display bug in permissions when ACL mask is defined

[Stephen O'Donnell (JIRA)]

[ 
https://issues.apache.org/jira/browse/HDFS-14517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16875218#comment-16875218
 ] 

Stephen O'Donnell commented on HDFS-14517:
--

I believe this is expected behaviour. When ACLs are on a file, the group 
permission bits become the mask. Therefore it would be expected that adjusting 
the mask will impact the group permission bits. To be honest, you only ever 
need to worry about the group permission bits when you see the "# effective 
comment" after an ACL. Adjusting the group permissions will remove the 
effective comment and I suspect will adjust the mask too, which is likely just 
an alias for the group permissions.

See 
[https://serverfault.com/questions/352783/why-does-chmod1-on-the-group-affect-the-acl-mask]
 for the explanation and reason why this is the case on POSIX systems.

> Display bug in permissions when ACL mask is defined
> ---
>
> Key: HDFS-14517
> URL: https://issues.apache.org/jira/browse/HDFS-14517
> Project: Hadoop HDFS
>  Issue Type: Bug
>  Components: namenode
> Environment: Tested on latest CDH integration, and CDH5 as well with 
> the same result.
>Reporter: Istvan Fajth
>Priority: Minor
>
> When ACLs are enabled on a folder, the following sequence of commands provide 
> the following result:
>  
> {{$ hdfs dfs -mkdir /tmp/acl
> $ hdfs dfs -ls /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x   - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> $ hdfs dfs -setfacl -m mask::rwx /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxrwxr-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> drwx-wx-wx   - hive   supergroup          0 2019-05-27 23:48 /tmp/hive
> drwxrwxrwt   - mapred hadoop              0 2019-05-28 01:32 /tmp/logs
> $ hdfs dfs -setfacl -m mask::r-- /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr--r-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -setfacl -m mask::r-x /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x+  - hdfs   supergroup          0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> mask::r-x
> other::r-x}}
>  
> So the group permission representation is changing with the defined mask ACL 
> instead of the group ACL or, maybe even better, the effective group ACL.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org