[HDFS-6962] ACL inheritance conflicts with umaskmode - ASF JIRA

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4.1
Fix Version/s: 3.0.0-alpha2
Component/s: security
Labels:
- hadoop
- security
Environment:

CentOS release 6.5 (Final)

Target Version/s:

3.0.0-alpha2
Hadoop Flags:

Incompatible change, Reviewed
Release Note:

Hide

The original implementation of HDFS ACLs applied the client's umask to the permissions when
inheriting a default ACL defined on a parent directory. This behavior is a deviation from the
POSIX ACL specification, which states that the umask has no influence when a default ACL
propagates from parent to child. HDFS now offers the capability to ignore the umask in this
case for improved compliance with POSIX. This change is considered backward-incompatible,
so the new behavior is off by default and must be explicitly configured by setting
dfs.namenode.posix.acl.inheritance.enabled to true in hdfs-site.xml.
Please see the HDFS Permissions Guide for further details.

Show
 The original implementation of HDFS ACLs applied the client's umask to the permissions when inheriting a default ACL defined on a parent directory. This behavior is a deviation from the POSIX ACL specification, which states that the umask has no influence when a default ACL propagates from parent to child. HDFS now offers the capability to ignore the umask in this case for improved compliance with POSIX. This change is considered backward-incompatible, so the new behavior is off by default and must be explicitly configured by setting dfs.namenode.posix.acl.inheritance.enabled to true in hdfs-site.xml. Please see the HDFS Permissions Guide for further details.

Description

In hdfs-site.xml
<property>
<name>dfs.umaskmode</name>
<value>027</value>
</property>

1/ Create a directory as superuser
bash# hdfs dfs -mkdir /tmp/ACLS

2/ set default ACLs on this directory rwx access for group readwrite and user toto
bash# hdfs dfs -setfacl -m default:group:readwrite:rwx /tmp/ACLS
bash# hdfs dfs -setfacl -m default:user:toto:rwx /tmp/ACLS

3/ check ACLs /tmp/ACLS/
bash# hdfs dfs -getfacl /tmp/ACLS/

file: /tmp/ACLS
owner: hdfs
group: hadoop
user::rwx
group::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

user::rwx | group::r-x | other::--- matches with the umaskmode defined in hdfs-site.xml, everything ok !

default:group:readwrite:rwx allow readwrite group with rwx access for inhéritance.
default:user:toto:rwx allow toto user with rwx access for inhéritance.

default:mask::rwx inhéritance mask is rwx, so no mask

4/ Create a subdir to test inheritance of ACL
bash# hdfs dfs -mkdir /tmp/ACLS/hdfs

5/ check ACLs /tmp/ACLS/hdfs
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs

file: /tmp/ACLS/hdfs
owner: hdfs
group: hadoop
user::rwx
user:toto:rwx #effective:r-x
group::r-x
group:readwrite:rwx #effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

Here we can see that the readwrite group has rwx ACL bu only r-x is effective because the mask is r-x (mask::r-x) in spite of default mask for inheritance is set to default:mask::rwx on /tmp/ACLS/

6/ Modifiy hdfs-site.xml et restart namenode
<property>
<name>dfs.umaskmode</name>
<value>010</value>
</property>

7/ Create a subdir to test inheritance of ACL with new parameter umaskmode
bash# hdfs dfs -mkdir /tmp/ACLS/hdfs2

8/ Check ACL on /tmp/ACLS/hdfs2
bash# hdfs dfs -getfacl /tmp/ACLS/hdfs2

file: /tmp/ACLS/hdfs2
owner: hdfs
group: hadoop
user::rwx
user:toto:rwx #effective:rw-
group::r-x #effective:r--
group:readwrite:rwx #effective:rw-
mask::rw-
other::---
default:user::rwx
default:user:toto:rwx
default:group::r-x
default:group:readwrite:rwx
default:mask::rwx
default:other::---

So HDFS masks the ACL value (user, group and other – exepted the POSIX owner – ) with the group mask of dfs.umaskmode properties when creating directory with inherited ACL.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

test_plan.md
30/Sep/16 01:04
1.0 kB
John Zhuge
run_unit_tests
10/Aug/16 07:42
0.3 kB
John Zhuge
run_compat_tests
10/Aug/16 07:42
0.8 kB
John Zhuge
HDFS-6962.1.patch
16/Feb/15 09:14
16 kB
Srikanth Upputuri
HDFS-6962.010.patch
04/Sep/16 06:13
102 kB
John Zhuge
HDFS-6962.009.patch
23/Jul/16 10:17
102 kB
John Zhuge
HDFS-6962.008.patch
21/Jul/16 08:27
99 kB
John Zhuge
HDFS-6962.007.patch
20/Jul/16 18:38
85 kB
John Zhuge
HDFS-6962.006.patch
05/Jul/16 08:31
34 kB
John Zhuge
HDFS-6962.005.patch
04/Jul/16 09:06
35 kB
John Zhuge
HDFS-6962.004.patch
29/Jun/16 03:01
35 kB
John Zhuge
HDFS-6962.003.patch
24/Jun/16 08:33
34 kB
John Zhuge
HDFS-6962.002.patch
10/Jun/16 06:17
24 kB
John Zhuge
HDFS-6962.001.patch
02/Jun/16 02:50
17 kB
John Zhuge
enabled_old_client.log
29/Jun/16 02:29
7 kB
John Zhuge
enabled_new_client.log
29/Jun/16 02:29
7 kB
John Zhuge
disabled_old_client.log
29/Jun/16 02:29
7 kB
John Zhuge
disabled_new_client.log
29/Jun/16 02:29
7 kB
John Zhuge

Issue Links

is depended upon by

HDFS-11957 Enable POSIX ACL inheritance by default

Resolved

is related to

HDFS-13170 Port webhdfs unmaskedpermission parameter to HTTPFS

Resolved

HDFS-10488 Update WebHDFS documentation regarding CREATE and MKDIR default permissions

Closed

relates to

HDFS-4685 Implementation of ACLs in HDFS

Closed

ACL inheritance conflicts with umaskmode

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates