Details
- New Feature
- Status: Reopened
- Major
- Resolution: Unresolved
- 2.4.0, 3.0.0-alpha1
- None
- None
Description
As hdfs user, I created a directory /tmp/acl_dir/ and set permissions to 700. Then I set a new acl group:jenkins:rwx on /tmp/acl_dir.
    jenkins@hdfs-vanilla-1 ~]$ hdfs dfs -getfacl /tmp/acl_dir
    # file: /tmp/acl_dir
    # owner: hdfs
    # group: supergroup
    user::rwx
    group::---
    group:jenkins:rwx
    mask::rwx
    other::---
Through the FsShell, the jenkins user can list /tmp/acl_dir as well as create a file and directory inside.
    [jenkins@hdfs-vanilla-1 ~]$ hdfs dfs -touchz /tmp/acl_dir/testfile1
    [jenkins@hdfs-vanilla-1 ~]$ hdfs dfs -mkdir /tmp/acl_dir/testdir1
    hdfs dfs -ls /tmp/acl[jenkins@hdfs-vanilla-1 ~]$ hdfs dfs -ls /tmp/acl_dir/
    Found 2 items
    drwxr-xr-x - jenkins supergroup 0 2014-04-17 19:11 /tmp/acl_dir/testdir1
    -rw-r--r-- 1 jenkins supergroup 0 2014-04-17 19:11 /tmp/acl_dir/testfile1
    [jenkins@hdfs-vanilla-1 ~]$
However, as the same jenkins user, when I try to cd into /tmp/acl_dir using a fuse_dfs mount, I get permission denied. I get the same permission denied when I try to create or list files.
    [jenkins@hdfs-vanilla-1 tmp]$ ls -l
    total 16
    drwxrwx--- 4 hdfs nobody 4096 Apr 17 19:11 acl_dir
    drwx------ 2 hdfs nobody 4096 Apr 17 18:30 acl_dir_2
    drwxr-xr-x 3 mapred nobody 4096 Mar 11 03:53 mapred
    drwxr-xr-x 4 jenkins nobody 4096 Apr 17 07:25 testcli
    -rwx------ 1 hdfs nobody 0 Apr 7 17:18 tf1
    [jenkins@hdfs-vanilla-1 tmp]$ cd acl_dir
    bash: cd: acl_dir: Permission denied
    [jenkins@hdfs-vanilla-1 tmp]$ touch acl_dir/testfile2
    touch: cannot touch `acl_dir/testfile2': Permission denied
    [jenkins@hdfs-vanilla-1 tmp]$ mkdir acl_dir/testdir2
    mkdir: cannot create directory `acl_dir/testdir2': Permission denied
    [jenkins@hdfs-vanilla-1 tmp]$
The fuse_dfs debug output doesn't show any error for the above operations:
    unique: 18, opcode: OPENDIR (27), nodeid: 2, insize: 48
    unique: 18, success, outsize: 32
    unique: 19, opcode: READDIR (28), nodeid: 2, insize: 80
    readdir[0] from 0
    unique: 19, success, outsize: 312
    unique: 20, opcode: GETATTR (3), nodeid: 2, insize: 56
    getattr /tmp
    unique: 20, success, outsize: 120
    unique: 21, opcode: READDIR (28), nodeid: 2, insize: 80
    unique: 21, success, outsize: 16
    unique: 22, opcode: RELEASEDIR (29), nodeid: 2, insize: 64
    unique: 22, success, outsize: 16
    unique: 23, opcode: GETATTR (3), nodeid: 2, insize: 56
    getattr /tmp
    unique: 23, success, outsize: 120
    unique: 24, opcode: GETATTR (3), nodeid: 3, insize: 56
    getattr /tmp/acl_dir
    unique: 24, success, outsize: 120
    unique: 25, opcode: GETATTR (3), nodeid: 3, insize: 56
    getattr /tmp/acl_dir
    unique: 25, success, outsize: 120
    unique: 26, opcode: GETATTR (3), nodeid: 3, insize: 56
    getattr /tmp/acl_dir
    unique: 26, success, outsize: 120
    unique: 27, opcode: GETATTR (3), nodeid: 3, insize: 56
    getattr /tmp/acl_dir
    unique: 27, success, outsize: 120
    unique: 28, opcode: GETATTR (3), nodeid: 3, insize: 56
    getattr /tmp/acl_dir
    unique: 28, success, outsize: 120
In other scenarios, ACL permissions are enforced successfully. For example, as hdfs user I create /tmp/acl_dir_2 and set permissions to 777. I then set the acl user:jenkins:--- on the directory. On the fuse mount, I am not able to ls, mkdir, or touch to that directory as jenkins user.
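An added illustration, not part of the original report and not fuse_dfs or HDFS code: a POSIX-style ACL evaluation (the model HDFS ACLs follow) applied to the two directories above, next to a plain owner/group/other check on the mode bits that ls -l shows on the mount. Assumptions: jenkins belongs only to the group jenkins, the second directory's ACL and mode are exactly as described (777 plus user:jenkins:---), and a check made on the mount side would see only those mode bits; the function names are hypothetical.

```python
def acl_allows(user, groups, owner, owning_group, acl, want):
    """Evaluate a getfacl-style ACL; acl is a list of (type, name, perms)."""
    entries = {(t, n): p for t, n, p in acl}
    mask = entries.get(("mask", ""), "rwx")

    def grants(perms, masked=True):
        # Named users and all group entries are filtered through the mask.
        eff = [c for c in perms if c != "-" and (not masked or c in mask)]
        return all(w in eff for w in want)

    if user == owner:
        return grants(entries[("user", "")], masked=False)
    if ("user", user) in entries:
        return grants(entries[("user", user)])
    group_perms = [p for (t, n), p in entries.items()
                   if t == "group"
                   and ((n == "" and owning_group in groups) or n in groups)]
    if group_perms:
        # Access is granted if any matching group entry grants it.
        return any(grants(p) for p in group_perms)
    return grants(entries[("other", "")], masked=False)


def mode_allows(user, groups, owner, group, mode, want):
    """Classic check on a nine-character mode string such as 'rwxrwx---'."""
    if user == owner:
        bits = mode[0:3]
    elif group in groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return all(w in bits for w in want)


# Scenario 1: entries copied from the getfacl output in the report.
ACL_DIR = [("user", "", "rwx"), ("group", "", "---"),
           ("group", "jenkins", "rwx"), ("mask", "", "rwx"),
           ("other", "", "---")]
# Scenario 2: constructed from the description (777 plus user:jenkins:---).
ACL_DIR_2 = [("user", "", "rwx"), ("user", "jenkins", "---"),
             ("group", "", "rwx"), ("mask", "", "rwx"), ("other", "", "rwx")]
JENKINS_GROUPS = ["jenkins"]  # assumption: jenkins' only group


def compare(acl, mount_mode, want="rwx"):
    """Return (ACL decision, mode-bit decision) for user jenkins."""
    by_acl = acl_allows("jenkins", JENKINS_GROUPS, "hdfs", "supergroup", acl, want)
    # On the mount, ls -l reports owner hdfs and group nobody.
    by_mode = mode_allows("jenkins", JENKINS_GROUPS, "hdfs", "nobody", mount_mode, want)
    return by_acl, by_mode


if __name__ == "__main__":
    print("acl_dir  ", compare(ACL_DIR, "rwxrwx---"))
    print("acl_dir_2", compare(ACL_DIR_2, "rwxrwxrwx"))
```

For the first directory the ACL grants jenkins access while the mode bits alone refuse it; for the second the ACL refuses while the mode bits alone would grant.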