  1. Hadoop HDFS
  2. HDFS-14359

Inherited ACL permissions masked when parent directory does not exist (mkdir -p)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.0
    • Fix Version/s: 3.3.0
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      There appears to be an issue with ACL inheritance if you 'mkdir' a directory such that the parent directories need to be created (i.e. mkdir -p).

      If you have a folder /tmp2/testacls as:

      hadoop fs -mkdir /tmp2
      hadoop fs -mkdir /tmp2/testacls
      hadoop fs -setfacl -m default:user:hive:rwx /tmp2/testacls
      hadoop fs -setfacl -m default:user:flume:rwx /tmp2/testacls
      hadoop fs -setfacl -m user:hive:rwx /tmp2/testacls
      hadoop fs -setfacl -m user:flume:rwx /tmp2/testacls
      
      hadoop fs -getfacl -R /tmp2/testacls
      # file: /tmp2/testacls
      # owner: kafka
      # group: supergroup
      user::rwx
      user:flume:rwx
      user:hive:rwx
      group::r-x
      mask::rwx
      other::r-x
      default:user::rwx
      default:user:flume:rwx
      default:user:hive:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      

      If you then create a sub-directory in it, the ACLs are as expected:

      hadoop fs -mkdir /tmp2/testacls/dir_from_mkdir
      
      # file: /tmp2/testacls/dir_from_mkdir
      # owner: sodonnell
      # group: supergroup
      user::rwx
      user:flume:rwx
      user:hive:rwx
      group::r-x
      mask::rwx
      other::r-x
      default:user::rwx
      default:user:flume:rwx
      default:user:hive:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      

      However, if you mkdir -p a directory, the situation is not the same:

      hadoop fs -mkdir -p /tmp2/testacls/dir_with_subdirs/sub1/sub2
      
      # file: /tmp2/testacls/dir_with_subdirs
      # owner: sodonnell
      # group: supergroup
      user::rwx
      user:flume:rwx	#effective:r-x
      user:hive:rwx	#effective:r-x
      group::r-x
      mask::r-x
      other::r-x
      default:user::rwx
      default:user:flume:rwx
      default:user:hive:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      
      # file: /tmp2/testacls/dir_with_subdirs/sub1
      # owner: sodonnell
      # group: supergroup
      user::rwx
      user:flume:rwx	#effective:r-x
      user:hive:rwx	#effective:r-x
      group::r-x
      mask::r-x
      other::r-x
      default:user::rwx
      default:user:flume:rwx
      default:user:hive:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      
      # file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
      # owner: sodonnell
      # group: supergroup
      user::rwx
      user:flume:rwx
      user:hive:rwx
      group::r-x
      mask::rwx
      other::r-x
      default:user::rwx
      default:user:flume:rwx
      default:user:hive:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      

      Notice that the leaf folder "sub2" is correct, but the two ancestor folders have their permissions masked. I believe this is a regression from the fix for HDFS-6962 with dfs.namenode.posix.acl.inheritance.enabled set to true, as the code has changed significantly from the earlier 2.6 / 2.8 branch.

      I will submit a patch for this.
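
An added example, not part of the original report or the Hadoop code base: a Python check that parses `hadoop fs -getfacl -R` output and flags directories whose access mask drops bits that the parent's default:mask grants, which is the symptom shown in the listings above. The function names and the trimmed sample listing are constructed for illustration; a mask that was narrowed on purpose is flagged as well, so treat hits as candidates to review.

```python
import posixpath

def parse_getfacl(text):
    """Map each path in `hadoop fs -getfacl -R` output to {entry: perms}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# file:"):
            current = acls.setdefault(line[len("# file:"):].strip(), {})
        elif line and not line.startswith("#") and current is not None:
            entry, _, perms = line.rpartition(":")
            current[entry.rstrip(":")] = perms
    return acls

def narrowed_masks(acls):
    """Flag dirs whose access mask drops bits their parent's default:mask grants."""
    findings = []
    for path, acl in sorted(acls.items()):
        parent = acls.get(posixpath.dirname(path), {})
        inherited, mask = parent.get("default:mask"), acl.get("mask")
        if not inherited or not mask:
            continue  # parent not in the listing, or no mask to compare
        lost = [i for i in range(3) if inherited[i] != "-" and mask[i] == "-"]
        if lost:
            named = (e for e in acl if e.startswith(("user:", "group:")))
            clipped = sorted(e for e in named if any(acl[e][i] != "-" for i in lost))
            findings.append((path, mask, inherited, clipped))
    return findings

# Constructed sample, trimmed from the listings in the report above.
SAMPLE = """\
# file: /tmp2/testacls
mask::rwx
default:mask::rwx
# file: /tmp2/testacls/dir_with_subdirs
user:hive:rwx\t#effective:r-x
mask::r-x
default:mask::rwx
# file: /tmp2/testacls/dir_with_subdirs/sub1
user:hive:rwx\t#effective:r-x
mask::r-x
default:mask::rwx
# file: /tmp2/testacls/dir_with_subdirs/sub1/sub2
mask::rwx
"""

if __name__ == "__main__":
    for path, mask, inherited, clipped in narrowed_masks(parse_getfacl(SAMPLE)):
        print(f"{path}: mask={mask} parent default:mask={inherited} clipped={clipped}")
```
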

        Attachments

        1. HDFS-14359.003.patch
          6 kB
          Stephen O'Donnell
        2. HDFS-14359.002.patch
          5 kB
          Stephen O'Donnell
        3. HDFS-14359.001.patch
          5 kB
          Stephen O'Donnell

            People

            • Assignee:
              sodonnell Stephen O'Donnell
              Reporter:
              sodonnell Stephen O'Donnell