[ 
https://issues.apache.org/jira/browse/HDFS-5612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13865997#comment-13865997
 ] 

Chris Nauroth commented on HDFS-5612:
-------------------------------------

Sure thing.  Here is a list of the invariants.  I'll also fold this list into 
the comments in a new patch later.
# The list must be sorted.
# Each entry in the list is unique.
# There is exactly one each of the unnamed user / group / other entries.  These 
entries are identical to the classic owner / group / other permissions encoded 
in permission bits today.  The ACL enforcement algorithm states that owner 
permissions trump named user permissions.  This becomes important if the file 
owner also has a named user entry in the ACL.  Assume the file owner is haohui, 
and the owner permissions are rw-, but there is also a named user entry for 
user:haohui:r--.  In this case, the owner entry must take precedence over the 
named user entry so that you get read-write access.  Additionally, the 
effective permissions granted to a user through groups must include the 
permissions of the file's group (if the user is a member).
# The mask entry, if present, must not have a name.  (The name would be 
meaningless.)
# The owner entry must not have a name.  (The name would be meaningless.)
# There may be any number of named user entries.  These entries are used if the 
username is a specific match (assuming the user is not the owner as discussed 
above).
# There may be any number of named group entries.  Assuming the user is not the 
owner, and there is no named user entry matching that user, and the user is a 
member of at least one named group or the file's group, then the user's 
effective permissions are the union of permissions for all such groups in which 
the user is a member.
# Default entries are ignored during permission enforcement.

Regarding default entries, these are not used during permission enforcement at 
all, so there really are no invariants related to the default ACL within the 
context of {{checkAcl}}.  However, the default ACL on a directory will be 
copied to the access ACL of its newly created child inodes.  Since the default 
ACL eventually becomes an access ACL for a different inode, we can say that the 
same set of invariants must hold for the default ACL entries.  (Otherwise, we'd 
have a violation of invariants later when it comes time to run {{checkAcl}} on 
that child inode.)


> NameNode: change all permission checks to enforce ACLs in addition to 
> permissions.
> ----------------------------------------------------------------------------------
>
>                 Key: HDFS-5612
>                 URL: https://issues.apache.org/jira/browse/HDFS-5612
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-5612.1.patch, HDFS-5612.2.patch
>
>
> All {{NameNode}} code paths that enforce permissions must be updated so that 
> they also enforce ACLs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
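
The precedence rules listed in the comment above, as an added example that is not part of the original message or of the HDFS-5612 patch. The class, record and method names, the group names and the users other than haohui are assumptions made for illustration, and the mask entry is not modelled because the comment does not describe its effect.

```java
import java.util.List;
import java.util.Set;
public class AclCheckSketch {          // hypothetical name, not an HDFS class
    enum Scope { ACCESS, DEFAULT }  enum Type { USER, GROUP, MASK, OTHER }
    // name == null marks the unnamed owner / file-group / other / mask entries.
    record Entry(Scope scope, Type type, String name, int perm) {}
    static final int R = 4, W = 2, X = 1;
    // Effective permission bits for `user`, following the order given in the comment.
    static int effective(List<Entry> acl, String owner, String fileGroup,
                         String user, Set<String> userGroups) {
        int ownerPerm = 0, otherPerm = 0, groupUnion = 0;
        Integer namedUserPerm = null;
        boolean groupMatched = false;
        for (Entry e : acl) {
            if (e.scope() == Scope.DEFAULT) continue;       // defaults are never enforced
            switch (e.type()) {
                case USER -> {
                    if (e.name() == null) ownerPerm = e.perm();
                    else if (e.name().equals(user)) namedUserPerm = e.perm();
                }
                case GROUP -> {                             // unnamed entry = file's group
                    String g = (e.name() == null) ? fileGroup : e.name();
                    if (userGroups.contains(g)) { groupMatched = true; groupUnion |= e.perm(); }
                }
                case OTHER -> otherPerm = e.perm();
                case MASK -> { }                            // not modelled in this sketch
            }
        }
        if (user.equals(owner)) return ownerPerm;           // owner trumps named user
        if (namedUserPerm != null) return namedUserPerm;    // specific username match
        if (groupMatched) return groupUnion;                // union over all matching groups
        return otherPerm;
    }
    public static void main(String[] args) {
        List<Entry> acl = List.of(                          // constructed sample ACL
            new Entry(Scope.ACCESS, Type.USER, null, R | W),      // owner: rw-
            new Entry(Scope.ACCESS, Type.USER, "haohui", R),      // user:haohui:r--
            new Entry(Scope.ACCESS, Type.GROUP, null, R),         // file's group: r--
            new Entry(Scope.ACCESS, Type.GROUP, "analysts", W),   // named group: -w-
            new Entry(Scope.ACCESS, Type.OTHER, null, 0),         // other: ---
            new Entry(Scope.DEFAULT, Type.USER, "bob", R | W | X) // ignored on enforcement
        );
        // haohui owns the file, so the owner entry wins over user:haohui:r--.
        System.out.println(effective(acl, "haohui", "staff", "haohui", Set.of("staff")));
        // carol is in the file's group and a named group: permissions are the union.
        System.out.println(effective(acl, "haohui", "staff", "carol", Set.of("staff", "analysts")));
        // bob matches only a default entry, so he falls through to "other".
        System.out.println(effective(acl, "haohui", "staff", "bob", Set.of()));
    }
}
```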
