[ https://issues.apache.org/jira/browse/HDFS-5923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Nauroth resolved HDFS-5923. --------------------------------- Resolution: Fixed Fix Version/s: HDFS ACLs (HDFS-4685) Hadoop Flags: Reviewed +1 for the patch. Thanks for addressing the feedback. In addition to the automated tests, I manually tested upgrading a NameNode with edits from a trunk build to a HDFS-4685 build. The latest patch loaded the existing {{OP_ADD}} and {{OP_MKDIR}} ops with no problem. I've committed this to the HDFS-4685 branch. > Do not persist the ACL bit in the FsPermission > ---------------------------------------------- > > Key: HDFS-5923 > URL: https://issues.apache.org/jira/browse/HDFS-5923 > Project: Hadoop HDFS > Issue Type: Sub-task > Components: hdfs-client, namenode, security > Affects Versions: HDFS ACLs (HDFS-4685) > Reporter: Haohui Mai > Assignee: Haohui Mai > Fix For: HDFS ACLs (HDFS-4685) > > Attachments: HDFS-5923.000.patch, HDFS-5923.001.patch, > HDFS-5923.002.patch, HDFS-5923.003.patch, HDFS-5923.004.patch > > > The current implementation persists and ACL bit in FSImage and editlogs. > Moreover, the security decisions also depend on whether the bit is set. > The problem here is that we have to maintain the implicit invariant, which is > the ACL bit is set if and only if the the inode has AclFeature. The invariant > has to be maintained everywhere otherwise it can lead to a security > vulnerability. In the worst case, an attacker can toggle the bit and bypass > the ACL checks. > The jira proposes to treat the ACL bit as a transient bit. The bit should not > be persisted onto the disk, neither it should affect any security decisions. -- This message was sent by Atlassian JIRA (v6.1.5#6160)