[
https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15323941#comment-15323941
]
John Zhuge edited comment on HDFS-6962 at 6/10/16 6:20 AM:
-----------------------------------------------------------
Patch 002 (prototype):
* Create a new class {{FsPermissionDuo}} that extends {{FsPermission}} to store
both masked and unmasked permissions. HDFS client uses it to sneak unmasked
permission from FileContext/FileSystem -> AFS -> Hdfs -> DFSClient -> RPC. NN
uses it to sneak unmasked permission from RPC -> NameNodeRpcServer.create
(placed into PermissionStatus) -> FSNamesystem.startFile ->
FSDirWriterFileOp.startFile/addFile -> INodeFile -> INodeWithAdditionalFields.
* Add field {{unmasked}} to protobuf message {{CreateRequestProto}} and
{{MkdirsRequestProto}}
* Modify {{copyINodeDefaultAcl}} to switch between old and new ACL inheritance
behavior.
Questions:
* How to query NN config in {{copyINodeDefaultAcl}}?
* Anyway to avoid adding field FsPermissionDuo to {{INodeWithAdditionalFields}}?
* {{PermissionStatus#applyUMask}} never used, remove it?
* {{DFSClient#mkdirs}} and {{{{DFSClient#primitiveMkdir}} use file default if
permission is null. Should use dir default permission?
TODO:
* Investigate the use of permissions in FSDirMkdirOp.createAncestorDirectories
call tree
* Add and run unit tests
* Run system compatibility tests
was (Author: jzhuge):
Patch 002 (prototype):
* Create a new class {{FsPermissionDuo}} that extends {{FsPermission}} to store
both masked and unmasked permissions. HDFS client uses it to sneak unmasked
permission from FileContext/FileSystem -> AFS -> Hdfs -> DFSClient -> RPC. NN
uses it to sneak unmasked permission from RPC -> NameNodeRpcServer.create
(placed into PermissionStatus) -> FSNamesystem.startFile ->
FSDirWriterFileOp.startFile/addFile -> INodeFile -> INodeWithAdditionalFields.
* Add field {{unmasked}} to protobuf message {{CreateRequestProto}} and
{{MkdirsRequestProto}}
* Modify {{copyINodeDefaultAcl}} to switch between old and new ACL inheritance
behavior.
TODO:
* Add and run unit tests
* Run system compatibility tests
* Anyway to avoid adding field FsPermissionDuo to {{INodeWithAdditionalFields}}?
* Investigate the use of permissions in FSDirMkdirOp.createAncestorDirectories
call tree
* {{PermissionStatus#applyUMask}} never used, remove it?
* {{DFSClient#mkdirs}} and {{{{DFSClient#primitiveMkdir}} use file default if
permission is null. Should use dir default permission?
> ACLs inheritance conflict with umaskmode
> ----------------------------------------
>
> Key: HDFS-6962
> URL: https://issues.apache.org/jira/browse/HDFS-6962
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Environment: CentOS release 6.5 (Final)
> Reporter: LINTE
> Assignee: John Zhuge
> Priority: Critical
> Labels: hadoop, security
> Attachments: HDFS-6962.001.patch, HDFS-6962.002.patch,
> HDFS-6962.1.patch
>
>
> In hdfs-site.xml
> <property>
> <name>dfs.umaskmode</name>
> <value>027</value>
> </property>
> 1/ Create a directory as superuser
> bash# hdfs dfs -mkdir /tmp/ACLS
> 2/ set default ACLs on this directory rwx access for group readwrite and user
> toto
> bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
> bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
> 3/ check ACLs /tmp/ACLS/
> bash# hdfs dfs -getfacl /tmp/ACLS/
> # file: /tmp/ACLS
> # owner: hdfs
> # group: hadoop
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> user::rwx | group::r-x | other::--- matches with the umaskmode defined in
> hdfs-site.xml, everything ok !
> default:group:readwrite:rwx allow readwrite group with rwx access for
> inhéritance.
> default:user:toto:rwx allow toto user with rwx access for inhéritance.
> default:mask::rwx inhéritance mask is rwx, so no mask
> 4/ Create a subdir to test inheritance of ACL
> bash# hdfs dfs -mkdir /tmp/ACLS/hdfs
> 5/ check ACLs /tmp/ACLS/hdfs
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
> # file: /tmp/ACLS/hdfs
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx #effective:r-x
> group::r-x
> group:readwrite:rwx #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> Here we can see that the readwrite group has rwx ACL bu only r-x is effective
> because the mask is r-x (mask::r-x) in spite of default mask for inheritance
> is set to default:mask::rwx on /tmp/ACLS/
> 6/ Modifiy hdfs-site.xml et restart namenode
> <property>
> <name>dfs.umaskmode</name>
> <value>010</value>
> </property>
> 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
> bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2
> 8/ Check ACL on /tmp/ACLS/hdfs2
> bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
> # file: /tmp/ACLS/hdfs2
> # owner: hdfs
> # group: hadoop
> user::rwx
> user:toto:rwx #effective:rw-
> group::r-x #effective:r--
> group:readwrite:rwx #effective:rw-
> mask::rw-
> other::---
> default:user::rwx
> default:user:toto:rwx
> default:group::r-x
> default:group:readwrite:rwx
> default:mask::rwx
> default:other::---
> So HDFS masks the ACL value (user, group and other -- exepted the POSIX
> owner -- ) with the group mask of dfs.umaskmode properties when creating
> directory with inherited ACL.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
