HDFS-6962: ACL inheritance conflicts with umaskmode

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.1
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: security
    • Environment: CentOS release 6.5 (Final)
    • Hadoop Flags: Incompatible change, Reviewed
    • Release Note:
      The original implementation of HDFS ACLs applied the client's umask to the permissions when
      inheriting a default ACL defined on a parent directory. This behavior is a deviation from the
      POSIX ACL specification, which states that the umask has no influence when a default ACL
      propagates from parent to child. HDFS now offers the capability to ignore the umask in this
      case for improved compliance with POSIX. This change is considered backward-incompatible,
      so the new behavior is off by default and must be explicitly configured by setting
      dfs.namenode.posix.acl.inheritance.enabled to true in hdfs-site.xml.
      Please see the HDFS Permissions Guide for further details.

      Description

      In hdfs-site.xml
      <property>
      <name>dfs.umaskmode</name>
      <value>027</value>
      </property>

      1/ Create a directory as superuser
      bash# hdfs dfs -mkdir /tmp/ACLS

      2/ set default ACLs on this directory rwx access for group readwrite and user toto
      bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
      bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS

      3/ check ACLs /tmp/ACLS/
      bash# hdfs dfs -getfacl /tmp/ACLS/

      # file: /tmp/ACLS
      # owner: hdfs
      # group: hadoop
        user::rwx
        group::r-x
        other::---
        default:user::rwx
        default:user:toto:rwx
        default:group::r-x
        default:group:readwrite:rwx
        default:mask::rwx
        default:other::---

      user::rwx | group::r-x | other::--- matches the umaskmode defined in hdfs-site.xml, everything ok!

      default:group:readwrite:rwx allows the readwrite group rwx access for inheritance.
      default:user:toto:rwx allows the toto user rwx access for inheritance.

      default:mask::rwx: the inheritance mask is rwx, so no mask.

      4/ Create a subdir to test inheritance of ACL
      bash# hdfs dfs -mkdir /tmp/ACLS/hdfs

      5/ check ACLs /tmp/ACLS/hdfs
      bash# hdfs dfs -getfacl /tmp/ACLS/hdfs

      # file: /tmp/ACLS/hdfs
      # owner: hdfs
      # group: hadoop
        user::rwx
        user:toto:rwx #effective:r-x
        group::r-x
        group:readwrite:rwx #effective:r-x
        mask::r-x
        other::---
        default:user::rwx
        default:user:toto:rwx
        default:group::r-x
        default:group:readwrite:rwx
        default:mask::rwx
        default:other::---

      Here we can see that the readwrite group has an rwx ACL but only r-x is effective, because the mask is r-x (mask::r-x) even though the default mask for inheritance is set to default:mask::rwx on /tmp/ACLS/.

      6/ Modify hdfs-site.xml and restart the namenode
      <property>
      <name>dfs.umaskmode</name>
      <value>010</value>
      </property>

      7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
      bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2

      8/ Check ACL on /tmp/ACLS/hdfs2
      bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2

      # file: /tmp/ACLS/hdfs2
      # owner: hdfs
      # group: hadoop
        user::rwx
        user:toto:rwx #effective:rw-
        group::r-x #effective:r--
        group:readwrite:rwx #effective:rw-
        mask::rw-
        other::---
        default:user::rwx
        default:user:toto:rwx
        default:group::r-x
        default:group:readwrite:rwx
        default:mask::rwx
        default:other::---

      So HDFS masks the ACL values (user, group and other, except the POSIX owner) with the group bits of the dfs.umaskmode property when creating a directory with an inherited ACL.
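The following Python is an added worked example, not Hadoop's code and not part of the original report or release note. It models the two inheritance rules described above: the legacy behaviour, in which the client-side dfs.umaskmode is applied to the requested mode before the create RPC and the NameNode ANDs the parent's default entries with that reduced mode (so the umask leaks into the inherited mask), and the POSIX behaviour selected by dfs.namenode.posix.acl.inheritance.enabled=true, in which the default ACL is combined with the requested mode only. It assumes the parent default ACL set on /tmp/ACLS in the report, a directory create with requested mode 0777, and illustrative function names (`inherit_acl`, `render`) that do not exist in HDFS.

```python
"""Model of HDFS default-ACL inheritance, with and without the umask applied.

Added illustration for HDFS-6962; not Hadoop's own code.  The `posix` flag
stands in for dfs.namenode.posix.acl.inheritance.enabled on the NameNode.
"""
from typing import Dict, List, Tuple

BITS = (("r", 4), ("w", 2), ("x", 1))


def perm_to_int(perm: str) -> int:
    """'r-x' -> 5"""
    return sum(v for c, v in BITS if c in perm)


def int_to_perm(n: int) -> str:
    """5 -> 'r-x'"""
    return "".join(c if n & v else "-" for c, v in BITS)


def parse_entry(spec: str) -> Tuple[bool, str, str, str]:
    """'default:group:readwrite:rwx' -> (True, 'group', 'readwrite', 'rwx')"""
    parts = spec.split(":")
    is_default = parts[0] == "default"
    if is_default:
        parts = parts[1:]
    typ, name, perm = parts
    return is_default, typ, name, perm


def inherit_acl(parent_acl: List[str], requested_mode: int = 0o777,
                umask: int = 0o027, posix: bool = False) -> Dict[str, Tuple[str, str]]:
    """Access ACL of a new child created under a parent carrying a default ACL.

    Returns {"user:toto": ("rwx", "r-x"), "mask:": ("r-x", "r-x"), ...}:
    (nominal permission, effective permission) per entry, which is what
    `hdfs dfs -getfacl` prints as `#effective:` when the two differ.
    """
    defaults = [parse_entry(e)[1:] for e in parent_acl if parse_entry(e)[0]]
    # Legacy: the NameNode only ever sees (mode & ~umask).  POSIX: umask ignored.
    mode = requested_mode if posix else requested_mode & ~umask
    user_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(typ == "mask" for typ, _, _ in defaults)

    nominal: Dict[str, int] = {}
    for typ, name, perm in defaults:
        bits = perm_to_int(perm)
        if typ == "user" and name == "":            # owner entry
            bits &= user_bits
        elif typ == "mask" or (typ == "group" and name == "" and not has_mask):
            bits &= group_bits                      # group class of the mode
        elif typ == "other":
            bits &= other_bits
        nominal[f"{typ}:{name}"] = bits             # named entries are copied as-is

    # Named users, named groups and the owning group are filtered by the mask;
    # owner, mask and other are not.
    mask = nominal.get("mask:", 7)
    return {
        key: (int_to_perm(bits),
              int_to_perm(bits if key in ("user:", "mask:", "other:") else bits & mask))
        for key, bits in nominal.items()
    }


# Parent default ACL exactly as set on /tmp/ACLS in the report above (constructed input).
PARENT_DEFAULT_ACL = [
    "default:user::rwx", "default:user:toto:rwx", "default:group::r-x",
    "default:group:readwrite:rwx", "default:mask::rwx", "default:other::---",
]


def render(acl: Dict[str, Tuple[str, str]]) -> List[str]:
    """getfacl-style lines, e.g. 'user:toto:rwx\\t#effective:r-x'."""
    lines = []
    for key, (perm, eff) in acl.items():
        lines.append(f"{key}:{perm}" + (f"\t#effective:{eff}" if eff != perm else ""))
    return lines


if __name__ == "__main__":
    for label, kwargs in (("legacy, umask 027", dict(umask=0o027)),
                          ("legacy, umask 010", dict(umask=0o010)),
                          ("posix, umask 027", dict(umask=0o027, posix=True))):
        print(f"--- {label}")
        print("\n".join(render(inherit_acl(PARENT_DEFAULT_ACL, **kwargs))))
```

With umask 027 the model reproduces the report's `mask::r-x` on /tmp/ACLS/hdfs, and with umask 010 the `mask::rw-` and `group::r-x #effective:r--` seen on /tmp/ACLS/hdfs2; with `posix=True` the mask stays rwx regardless of umask, which is the POSIX result the fix makes available.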

        Attachments

        1. disabled_new_client.log (7 kB, John Zhuge)
        2. disabled_old_client.log (7 kB, John Zhuge)
        3. enabled_new_client.log (7 kB, John Zhuge)
        4. enabled_old_client.log (7 kB, John Zhuge)
        5. HDFS-6962.001.patch (17 kB, John Zhuge)
        6. HDFS-6962.002.patch (24 kB, John Zhuge)
        7. HDFS-6962.003.patch (34 kB, John Zhuge)
        8. HDFS-6962.004.patch (35 kB, John Zhuge)
        9. HDFS-6962.005.patch (35 kB, John Zhuge)
        10. HDFS-6962.006.patch (34 kB, John Zhuge)
        11. HDFS-6962.007.patch (85 kB, John Zhuge)
        12. HDFS-6962.008.patch (99 kB, John Zhuge)
        13. HDFS-6962.009.patch (102 kB, John Zhuge)
        14. HDFS-6962.010.patch (102 kB, John Zhuge)
        15. HDFS-6962.1.patch (16 kB, Srikanth Upputuri)
        16. run_compat_tests (0.8 kB, John Zhuge)
        17. run_unit_tests (0.3 kB, John Zhuge)
        18. test_plan.md (1.0 kB, John Zhuge)

        People

        • Assignee: John Zhuge (jzhuge)
        • Reporter: Alexandre LINTE
        • Votes: 1
        • Watchers: 30