[ https://issues.apache.org/jira/browse/HDFS-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354400#comment-15354400 ]
John Zhuge edited comment on HDFS-6962 at 6/29/16 2:48 AM: ----------------------------------------------------------- Patch 004 passed system and compatibility tests on a pseudo cluster. Upload test logs. Focus on group permission, especially WRITE. The test script is {{run}}, the command line is {code} test_tag=disabled_new_client ; script ~/test/$test_tag.log ~/test/run $test_tag {code} Test server is running {{3.0.0-alpha1 + Patch 004}} with POSIX ACL Inheritance either enabled or disabled. There are 2 versions of test clients. The POSIX ACL inheritance is only in effect when the flag is true and the requests come from a compatible client. The following table shows the matrix for the log files. || Client Version\POSIX ACL Inheritance || Enabled || Disabled || | 2.6.0 | enabled_old_client.log | disabled_old_client.log | | 3.0.0-alpha1 + Patch 004 | enabled_new_client.log | disabled_new_client.log | In each log file, there is a test matrix of the following dimensions: * Parent dir has default ACL or not * Umask 002 or 027 * Create a file (create request) or a sub-directory (mkdirs request) was (Author: jzhuge): Pass system and compatibility tests with Patch 004 on a pseudo cluster. Upload test logs. Focus on group permission, especially WRITE. The test script is {{run}}, the command line is {code} test_tag=disabled_new_client ; script ~/test/$test_tag.log ~/test/run $test_tag {code} Test server is running {{3.0.0-alpha1 + Patch 004}} with POSIX ACL Inheritance either enabled or disabled. There are 2 versions of test clients. The POSIX ACL inheritance is only in effect when the flag is true and the requests come from a compatible client. The following table shows the matrix for the log files. || Client Version\POSIX ACL Inheritance || Enabled || Disabled || | 2.6.0 | enabled_old_client.log | disabled_old_client.log | | 3.0.0-alpha1 + Patch 004 | enabled_new_client.log | disabled_new_client.log | In each log file, there is a test matrix of the following dimensions: * Parent dir has default ACL or not * Umask 002 or 027 * Create a file (create request) or a sub-directory (mkdirs request) > ACLs inheritance conflict with umaskmode > ---------------------------------------- > > Key: HDFS-6962 > URL: https://issues.apache.org/jira/browse/HDFS-6962 > Project: Hadoop HDFS > Issue Type: Bug > Components: security > Affects Versions: 2.4.1 > Environment: CentOS release 6.5 (Final) > Reporter: LINTE > Assignee: John Zhuge > Priority: Critical > Labels: hadoop, security > Attachments: HDFS-6962.001.patch, HDFS-6962.002.patch, > HDFS-6962.003.patch, HDFS-6962.1.patch, disabled_new_client.log, > disabled_old_client.log, enabled_new_client.log, enabled_old_client.log, run > > > In hdfs-site.xml > <property> > <name>dfs.umaskmode</name> > <value>027</value> > </property> > 1/ Create a directory as superuser > bash# hdfs dfs -mkdir /tmp/ACLS > 2/ set default ACLs on this directory rwx access for group readwrite and user > toto > bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS > bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS > 3/ check ACLs /tmp/ACLS/ > bash# hdfs dfs -getfacl /tmp/ACLS/ > # file: /tmp/ACLS > # owner: hdfs > # group: hadoop > user::rwx > group::r-x > other::--- > default:user::rwx > default:user:toto:rwx > default:group::r-x > default:group:readwrite:rwx > default:mask::rwx > default:other::--- > user::rwx | group::r-x | other::--- matches with the umaskmode defined in > hdfs-site.xml, everything ok ! > default:group:readwrite:rwx allow readwrite group with rwx access for > inhéritance. > default:user:toto:rwx allow toto user with rwx access for inhéritance. > default:mask::rwx inhéritance mask is rwx, so no mask > 4/ Create a subdir to test inheritance of ACL > bash# hdfs dfs -mkdir /tmp/ACLS/hdfs > 5/ check ACLs /tmp/ACLS/hdfs > bash# hdfs dfs -getfacl /tmp/ACLS/hdfs > # file: /tmp/ACLS/hdfs > # owner: hdfs > # group: hadoop > user::rwx > user:toto:rwx #effective:r-x > group::r-x > group:readwrite:rwx #effective:r-x > mask::r-x > other::--- > default:user::rwx > default:user:toto:rwx > default:group::r-x > default:group:readwrite:rwx > default:mask::rwx > default:other::--- > Here we can see that the readwrite group has rwx ACL bu only r-x is effective > because the mask is r-x (mask::r-x) in spite of default mask for inheritance > is set to default:mask::rwx on /tmp/ACLS/ > 6/ Modifiy hdfs-site.xml et restart namenode > <property> > <name>dfs.umaskmode</name> > <value>010</value> > </property> > 7/ Create a subdir to test inheritance of ACL with new parameter umaskmode > bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2 > 8/ Check ACL on /tmp/ACLS/hdfs2 > bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2 > # file: /tmp/ACLS/hdfs2 > # owner: hdfs > # group: hadoop > user::rwx > user:toto:rwx #effective:rw- > group::r-x #effective:r-- > group:readwrite:rwx #effective:rw- > mask::rw- > other::--- > default:user::rwx > default:user:toto:rwx > default:group::r-x > default:group:readwrite:rwx > default:mask::rwx > default:other::--- > So HDFS masks the ACL value (user, group and other -- exepted the POSIX > owner -- ) with the group mask of dfs.umaskmode properties when creating > directory with inherited ACL. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org