[ https://issues.apache.org/jira/browse/HDFS-14517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16875261#comment-16875261 ]
Istvan Fajth commented on HDFS-14517: ------------------------------------- This is pretty much misleading in the following scenario: {code:java} $ hdfs groups systest systest : systest testacl $ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: syst...@vpc.cloudera.com Valid starting Expires Service principal 06/28/2019 14:55:59 06/28/2019 15:20:59 krbtgt/vpc.cloudera....@vpc.cloudera.com renew until 06/28/2019 16:25:59 $ hdfs dfs -ls /tmp2 Found 1 items drwxrwxr-x+ - hdfs testacl 0 2019-06-28 14:34 /tmp2/testacl $ hdfs dfs -touchz /tmp2/testacl/file1 touchz: Permission denied: user=systest, access=WRITE, inode="/tmp2/testacl":hdfs:testacl:drwxrwxr-x $ hdfs dfs -getfacl /tmp2/testacl file: /tmp2/testacl owner: hdfs group: testacl user::rwx group::r-x mask::rwx other::r-x {code} So here we have a mask of rwx, and a group permission of r-x. The ls displays the rwx from the mask as the group permission, while the effective permission in the group ACL correctly prevent the write. I have validated, and it is working the same way in a Linux (CentOS) system as well, so it seems to be something that is not a problem at all, and we comply with POSIX here properly. I guess I am closing this ticket as not a problem. > Display bug in permissions when ACL mask is defined > --------------------------------------------------- > > Key: HDFS-14517 > URL: https://issues.apache.org/jira/browse/HDFS-14517 > Project: Hadoop HDFS > Issue Type: Bug > Components: namenode > Environment: Tested on latest CDH integration, and CDH5 as well with > the same result. > Reporter: Istvan Fajth > Priority: Minor > > When ACLs are enabled on a folder, the following sequence of commands provide > the following result: > > {{$ hdfs dfs -mkdir /tmp/acl > $ hdfs dfs -ls /tmp/acl > $ hdfs dfs -ls /tmp > Found 1 items > drwxr-xr-x - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl > $ hdfs dfs -getfacl /tmp/acl > # file: /tmp/acl > # owner: hdfs > # group: supergroup > user::rwx > group::r-x > other::r-x > $ hdfs dfs -setfacl -m mask::rwx /tmp/acl > $ hdfs dfs -ls /tmp > Found 1 items > drwxrwxr-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl > drwx-wx-wx - hive supergroup 0 2019-05-27 23:48 /tmp/hive > drwxrwxrwt - mapred hadoop 0 2019-05-28 01:32 /tmp/logs > $ hdfs dfs -setfacl -m mask::r-- /tmp/acl > $ hdfs dfs -ls /tmp > Found 1 items > drwxr--r-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl > $ hdfs dfs -setfacl -m mask::r-x /tmp/acl > $ hdfs dfs -ls /tmp > Found 1 items > drwxr-xr-x+ - hdfs supergroup 0 2019-05-28 11:48 /tmp/acl > $ hdfs dfs -getfacl /tmp/acl > # file: /tmp/acl > # owner: hdfs > # group: supergroup > user::rwx > group::r-x > mask::r-x > other::r-x}} > > So the group permission representation is changing with the defined mask ACL > instead of the group ACL or, maybe even better, the effective group ACL. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org