[
https://issues.apache.org/jira/browse/HDFS-7477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Nauroth resolved HDFS-7477.
---------------------------------
Resolution: Not a Problem

{{AclException}} is used to indicate an attempt to set an invalid ACL. You'll
see it thrown from places like {{AclTransformation}} and {{AclStorage}} that
are involved in calculating a new ACL and setting it on an inode. This
exception is never used to indicate access denied.

{{FSPermissionChecker}} always throws {{AccessControlException}} to indicate
access denied. In the presence of an ACL, the exception comes from
{{FSPermissionChecker#checkAccessAcl}}. This correctly triggers an audit log
entry.

Also, if we consider the ACL mutation operations like {{setAcl}}, they check
{{FSPermissionChecker}} first before going into {{AclTransformation}} and
{{AclStorage}}. That means the {{AccessControlException}} would get thrown
before any potential {{AclException}} is thrown, so again, we have correct
audit logging behavior for those operations.

I don't believe there is anything to be done here, so I'm resolving this as Not
a Problem. Please feel free to reopen if you think I've misunderstood
something, and we do in fact have a bug. Thanks!

> Replace ACLException with AccessControlException
> ------------------------------------------------
>
> Key: HDFS-7477
> URL: https://issues.apache.org/jira/browse/HDFS-7477
> Project: Hadoop HDFS
> Issue Type: Bug
> Reporter: Haohui Mai
> Assignee: Li Lu
>
> Currently many functions log audit logs during failures only when
> {{AccessControlException}} is thrown, thus no audit logs are logged if
> {{AclException}} is thrown when the ACLs deny the access.
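One way to check the audit behavior described in the resolution from the operator's side, as an added example that is not part of the original message or of Hadoop's code: it scans NameNode audit lines for denied ACL mutation commands. The tab-separated key=value layout after `FSNamesystem.audit:`, the `cmd=` names and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter

# ACL mutation command names, assumed to be what appears in the cmd= field.
ACL_CMDS = {"setAcl", "modifyAclEntries", "removeAclEntries",
            "removeDefaultAcl", "removeAcl"}

# Constructed sample lines (not real logs), assuming the default
# "key=value<TAB>key=value" layout of FSNamesystem.audit entries.
PREFIX = "2014-12-05 10:00:0{} INFO FSNamesystem.audit: "
SAMPLE = "\n".join([
    PREFIX.format(1) + "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5"
                       "\tcmd=setAcl\tsrc=/data/a\tdst=null\tperm=null",
    PREFIX.format(2) + "allowed=false\tugi=bob (auth:SIMPLE)\tip=/10.0.0.6"
                       "\tcmd=setAcl\tsrc=/data/a\tdst=null\tperm=null",
    PREFIX.format(3) + "allowed=false\tugi=bob (auth:SIMPLE)\tip=/10.0.0.6"
                       "\tcmd=modifyAclEntries\tsrc=/data/b\tdst=null\tperm=null",
    PREFIX.format(4) + "allowed=false\tugi=carol (auth:SIMPLE)\tip=/10.0.0.7"
                       "\tcmd=open\tsrc=/data/a\tdst=null\tperm=null",
    "2014-12-05 10:00:05 INFO SomeOtherLogger: unrelated line",
])

def parse(line):
    """Return the key=value fields of one audit line, or None if it is not one."""
    _, sep, body = line.partition("FSNamesystem.audit: ")
    if not sep:
        return None
    fields = dict(f.split("=", 1) for f in body.split("\t") if "=" in f)
    return fields if "allowed" in fields and "cmd" in fields else None

def denied_acl_ops(text):
    """Yield (user, cmd, src) for every denied ACL mutation in the log text."""
    for line in text.splitlines():
        f = parse(line)
        if f and f["allowed"] == "false" and f["cmd"] in ACL_CMDS:
            user = f.get("ugi", "?").split(" ")[0]  # drop the "(auth:...)" suffix
            yield user, f["cmd"], f.get("src", "?")

def summarize(text):
    """Count denied ACL mutations per user, e.g. to feed an alert threshold."""
    return Counter(user for user, _, _ in denied_acl_ops(text))

if __name__ == "__main__":
    for user, cmd, src in denied_acl_ops(SAMPLE):
        print(f"denied {cmd} on {src} by {user}")
```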