[ https://issues.apache.org/jira/browse/HADOOP-2514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12555708#action_12555708 ]

Doug Cutting commented on HADOOP-2514:
--------------------------------------

Every other trashcan implementation I know of does not require changes to the filesystem, but is implemented in user code. Currently we run a thread on the namenode, but that thread could be run anywhere, it's just convenient to run it on the namenode. And that thread is written entirely in user code. With permissions, such a centralized trash-dumping thread will need to run as the superuser, but still, it shouldn't require special support in the filesystem's core.

> moving to the trash can is essentially a deletion operation

No, it's a rename. We shouldn't need to add "special" directories or other features to the filesystem to support trash. If we want centralized dumping then this will have to be done by a privileged process, but other than that, trash shouldn't be too hard to implement with ordinary user code.

If we want to prevent the centralized thread from removing things in a user's trash that that user could not themselves delete, then we can explicitly check that before removing things.

Or we could discard the centralized thread and have each user be responsible for their own trash. That would fix all permission-related problems. The shell could check to see if it was time to dump the trash each time you run a command or somesuch.

> Trash and permissions don't mix
> -------------------------------
>
>                 Key: HADOOP-2514
>                 URL: https://issues.apache.org/jira/browse/HADOOP-2514
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs
>    Affects Versions: 0.16.0
>            Reporter: Robert Chansler
>             Fix For: 0.16.0
>
>
> Shell command "rm" is really "mv" to trash with the expectation that the
> server will at some point really delete the contents of trash. With the
> advent of permissions, a user can "mv" folders that the user cannot "rm". The
> present trash feature as implemented would allow the user to suborn the
> server into deleting a folder in violation of the permissions model.
> A related issue is that if anybody can mv a folder to the trash anybody else
> can mv that same folder from the trash. This may be contrary to the
> expectations of the user.
> What is a better model for trash?
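
The check proposed in the comment above (a privileged emptier removes only what the trash's owner could delete unaided), sketched as an added example that is not part of the original message and is not Hadoop code. The in-memory tree and the names `Node`, `could_delete` and `empty_trash` are hypothetical, and the model assumes owner/other permission bits only (no groups, no sticky bit).

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    owner: str
    mode: int                                     # POSIX-style bits; group bits ignored here
    children: dict = field(default_factory=dict)  # stays empty for plain files
    is_dir: bool = False

def allowed(user, node, bit):
    """bit is 4 (r), 2 (w) or 1 (x); the owner gets the owner triplet, anyone else 'other'."""
    shift = 6 if user == node.owner else 0
    return bool((node.mode >> shift) & bit)

def could_delete(user, parent, node):
    """True if `user`, without privilege, could recursively remove `node` from `parent`."""
    # Unlinking an entry needs write + search permission on the containing directory.
    if not (allowed(user, parent, 2) and allowed(user, parent, 1)):
        return False
    if node.is_dir and node.children:
        # A non-empty directory must be listable, and each entry removable in turn.
        if not allowed(user, node, 4):
            return False
        return all(could_delete(user, node, c) for c in node.children.values())
    return True

def empty_trash(trash, user):
    """Privileged emptier: delete only entries the trash owner could delete themselves."""
    removed, kept = [], []
    for name in sorted(trash.children):
        if could_delete(user, trash, trash.children[name]):
            del trash.children[name]
            removed.append(name)
        else:
            kept.append(name)          # left in place instead of deleted as superuser
    return removed, kept

def build_sample():
    # Constructed sample: alice renamed bob's non-empty, non-writable "proj" into her
    # trash (rename only needed write access to the two parent directories).
    proj = Node("bob", 0o755, {"report": Node("bob", 0o644)}, is_dir=True)
    notes = Node("alice", 0o644)
    return Node("alice", 0o700, {"proj": proj, "notes": notes}, is_dir=True)

if __name__ == "__main__":
    print(empty_trash(build_sample(), "alice"))
```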