Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-14359

Inherited ACL permissions masked when parent directory does not exist (mkdir -p)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.3.0
    • 3.3.0
    • None
    • None
    • Reviewed

    Description

      There appears to be an issue with ACL inheritance if you 'mkdir' a directory such that the parent directories need to be created (ie mkdir -p).

      If you have a folder /tmp2/testacls as:

      hadoop fs -mkdir /tmp2
hadoop fs -mkdir /tmp2/testacls
hadoop fs -setfacl -m default:user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m default:user:flume:rwx /tmp2/testacls
hadoop fs -setfacl -m user:hive:rwx /tmp2/testacls
hadoop fs -setfacl -m user:flume:rwx /tmp2/testacls

hadoop fs -getfacl -R /tmp2/testacls
# file: /tmp2/testacls
# owner: kafka
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

      Then create a sub-directory in it, the ACLs are as expected:

      hadoop fs -mkdir /tmp2/testacls/dir_from_mkdir

# file: /tmp2/testacls/dir_from_mkdir
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

      However if you mkdir -p a directory, the situation is not the same:

      hadoop fs -mkdir -p /tmp2/testacls/dir_with_subdirs/sub1/sub2

# file: /tmp2/testacls/dir_with_subdirs
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx	#effective:r-x
user:hive:rwx	#effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /tmp2/testacls/dir_with_subdirs/sub1
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx	#effective:r-x
user:hive:rwx	#effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
# owner: sodonnell
# group: supergroup
user::rwx
user:flume:rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:flume:rwx
default:user:hive:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

      Notice the the leaf folder "sub2" is correct, but the two ancestor folders have their permissions masked. I believe this is a regression from the fix for HDFS-6962 with dfs.namenode.posix.acl.inheritance.enabled set to true, as the code has changed significantly from the earlier 2.6 / 2.8 branch.

      I will submit a patch for this.

      Attachments

        1. HDFS-14359.001.patch
          5 kB
          Stephen O'Donnell
        2. HDFS-14359.002.patch
          5 kB
          Stephen O'Donnell
        3. HDFS-14359.003.patch
          6 kB
          Stephen O'Donnell

        Activity

          People

            sodonnell Stephen O'Donnell
            sodonnell Stephen O'Donnell
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: