Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 2.4.1
- CentOS release 6.5 (Final)
- Incompatible change, Reviewed
Description
In hdfs-site.xml
<property>
<name>dfs.umaskmode</name>
<value>027</value>
</property>
1/ Create a directory as superuser
bash# hdfs dfs -mkdir /tmp/ACLS
2/ Set default ACLs on this directory: rwx access for group readwrite and user toto
bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS
3/ Check ACLs on /tmp/ACLS/
bash# hdfs dfs -getfacl /tmp/ACLS/
# file: /tmp/ACLS
# owner: hdfs
# group: hadoop
user::rwx
group::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---
user::rwx | group::r-x | other::--- matches the umaskmode defined in hdfs-site.xml, everything OK!
default:group:readwrite:rwx allows the readwrite group rwx access for inheritance.
default:user:toto:rwx allows the toto user rwx access for inheritance.
default:mask::rwx: the inheritance mask is rwx, so no mask.
4/ Create a subdir to test inheritance of ACL
bash# hdfs dfs -mkdir /tmp/ACLS/hdfs
5/ Check ACLs on /tmp/ACLS/hdfs
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs
# file: /tmp/ACLS/hdfs
# owner: hdfs
# group: hadoop
user::rwx
user:toto:rwx #effective:r-x
group::r-x
group:readwrite:rwx #effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---
Here we can see that the readwrite group has the rwx ACL but only r-x is effective, because the mask is r-x (mask::r-x) even though the default mask for inheritance is set to default:mask::rwx on /tmp/ACLS/.
6/ Modify hdfs-site.xml and restart the namenode
<property>
<name>dfs.umaskmode</name>
<value>010</value>
</property>
7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2
8/ Check ACL on /tmp/ACLS/hdfs2
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2
# file: /tmp/ACLS/hdfs2
# owner: hdfs
# group: hadoop
user::rwx
user:toto:rwx #effective:rw-
group::r-x #effective:r--
group:readwrite:rwx #effective:rw-
mask::rw-
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---
So HDFS masks the ACL value (user, group and other, except the POSIX owner) with the group mask of the dfs.umaskmode property when creating a directory with inherited ACLs.
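The behaviour reported above, as an added Python model that is not part of the original report or of the HDFS code base: it derives the child's mask entry and the `#effective` annotations from the parent's default ACL and the group bits of `dfs.umaskmode`. The names `child_acl`, `rwx` and `PARENT_DEFAULT_ACL` are hypothetical, only the mask entry is modelled, and `umask_applies=False` shows POSIX-style inheritance, where the umask is ignored when the parent directory carries a default ACL.

```python
# Added illustration (not HDFS source): models how the child's ACL mask is
# derived from the parent's default ACL and dfs.umaskmode, as reported above.

# Constructed from the default: entries in the getfacl output of /tmp/ACLS.
PARENT_DEFAULT_ACL = {
    "user::": 0o7,
    "user:toto:": 0o7,
    "group::": 0o5,
    "group:readwrite:": 0o7,
    "mask::": 0o7,
    "other::": 0o0,
}

def rwx(bits):
    """Render a 3-bit permission value as an rwx string."""
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate("rwx"))

def child_acl(default_acl, umask, umask_applies=True):
    """Return getfacl-style access entries for a new subdirectory.

    umask_applies=True  : behaviour in this report (mask ANDed with the
                          complement of the umask's group bits).
    umask_applies=False : POSIX-style inheritance (umask ignored when the
                          parent carries a default ACL).
    """
    mask = default_acl["mask::"]
    if umask_applies:
        mask &= ~(umask >> 3) & 0o7
    lines = []
    for name, perm in default_acl.items():
        if name == "mask::":
            lines.append(name + rwx(mask))
        elif name in ("user::", "other::"):
            lines.append(name + rwx(perm))  # this model leaves owner/other as-is
        else:
            effective = perm & mask
            note = "" if effective == perm else " #effective:" + rwx(effective)
            lines.append(name + rwx(perm) + note)
    return lines

if __name__ == "__main__":
    for umask in (0o027, 0o010):
        print("umask %03o:" % umask, child_acl(PARENT_DEFAULT_ACL, umask))
    print("POSIX-style:", child_acl(PARENT_DEFAULT_ACL, 0o027, False))
```

Comparing the output of `hdfs dfs -getfacl` on a freshly created subdirectory against the `umask_applies=False` result is a quick way to check which inheritance behaviour a cluster exhibits.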
Issue Links
- is depended upon by
  - HDFS-11957 Enable POSIX ACL inheritance by default (Resolved)
- is related to
  - HDFS-13170 Port webhdfs unmaskedpermission parameter to HTTPFS (Resolved)
  - HDFS-10488 Update WebHDFS documentation regarding CREATE and MKDIR default permissions (Closed)
- relates to
  - HDFS-4685 Implementation of ACLs in HDFS (Closed)