[
https://issues.apache.org/jira/browse/HDFS-14517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16875261#comment-16875261
]
Istvan Fajth commented on HDFS-14517:
-------------------------------------
This is pretty much misleading in the following scenario:
{code:java}
$ hdfs groups systest
systest : systest testacl
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: syst...@vpc.cloudera.com
Valid starting Expires Service principal
06/28/2019 14:55:59 06/28/2019 15:20:59
krbtgt/vpc.cloudera....@vpc.cloudera.com
renew until 06/28/2019 16:25:59
$ hdfs dfs -ls /tmp2
Found 1 items
drwxrwxr-x+ - hdfs testacl 0 2019-06-28 14:34 /tmp2/testacl
$ hdfs dfs -touchz /tmp2/testacl/file1
touchz: Permission denied: user=systest, access=WRITE,
inode="/tmp2/testacl":hdfs:testacl:drwxrwxr-x
$ hdfs dfs -getfacl /tmp2/testacl
file: /tmp2/testacl owner: hdfs group: testacl
user::rwx
group::r-x
mask::rwx
other::r-x
{code}
So here we have a mask of rwx, and a group permission of r-x. The ls displays
the rwx from the mask as the group permission, while the effective permission
in the group ACL correctly prevent the write.
I have validated, and it is working the same way in a Linux (CentOS) system as
well, so it seems to be something that is not a problem at all, and we comply
with POSIX here properly.
I guess I am closing this ticket as not a problem.
> Display bug in permissions when ACL mask is defined
> ---------------------------------------------------
>
> Key: HDFS-14517
> URL: https://issues.apache.org/jira/browse/HDFS-14517
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namenode
> Environment: Tested on latest CDH integration, and CDH5 as well with
> the same result.
> Reporter: Istvan Fajth
> Priority: Minor
>
> When ACLs are enabled on a folder, the following sequence of commands provide
> the following result:
>
> {{$ hdfs dfs -mkdir /tmp/acl
> $ hdfs dfs -ls /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> $ hdfs dfs -setfacl -m mask::rwx /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxrwxr-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl
> drwx-wx-wx - hive supergroup 0 2019-05-27 23:48 /tmp/hive
> drwxrwxrwt - mapred hadoop 0 2019-05-28 01:32 /tmp/logs
> $ hdfs dfs -setfacl -m mask::r-- /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr--r-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -setfacl -m mask::r-x /tmp/acl
> $ hdfs dfs -ls /tmp
> Found 1 items
> drwxr-xr-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl
> $ hdfs dfs -getfacl /tmp/acl
> # file: /tmp/acl
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> mask::r-x
> other::r-x}}
>
> So the group permission representation is changing with the defined mask ACL
> instead of the group ACL or, maybe even better, the effective group ACL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
