Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-8748

ACL permission check does not union groups to determine effective permissions



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.7.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
    • Target Version/s:
    • Flags:


      In the ACL permission checking routine, the implemented named group section does not match the design document.

      In the design document, its shown in the pseudo-code that if the requester is not the owner or a named user, then the applicable groups are unioned together to form effective permissions for the requester.

      Instead, the current implementation will search for the first group that grants access and will use that. It will not union the permissions together.

      Here is the design document's description of the desired behavior

      If the user is a member of the file's group or at least one group for which there is a
      named group entry in the ACL, then effective permissions are calculated from groups.
      This is the union of the file group permissions (if the user is a member of the file group)
      and all named group entries matching the user's groups. For example, consider a user
      that is a member of 2 groups: sales and execs. The user is not the file owner, and the
      ACL contains no named user entries. The ACL contains named group entries for both
      groups as follows: group:sales:r­­--, group:execs:-­w-­. In this case, the user's effective
      permissions are rw­-.

      https://issues.apache.org/jira/secure/attachment/12627729/HDFS-ACLs-Design-3.pdf page 10

      The design document's algorithm matches that description:

      Design Document Algorithm

      if (user == fileOwner) {
          effectivePermissions = aclEntries.getOwnerPermissions()
      } else if (user ∈ aclEntries.getNamedUsers()) {
          effectivePermissions = aclEntries.getNamedUserPermissions(user)
      } else if (userGroupsInAcl != ∅) {
          effectivePermissions = ∅
          if (fileGroup ∈ userGroupsInAcl) {
              effectivePermissions = effectivePermissions ∪
          for ({group | group ∈ userGroupsInAcl}) {
              effectivePermissions = effectivePermissions ∪
      } else {
          effectivePermissions = aclEntries.getOthersPermissions()

      https://issues.apache.org/jira/secure/attachment/12627729/HDFS-ACLs-Design-3.pdf page 9

      The current implementation does NOT match the description.
      Current Trunk

          // Use owner entry from permission bits if user is owner.
          if (getUser().equals(inode.getUserName())) {
            if (mode.getUserAction().implies(access)) {
            foundMatch = true;
          // Check named user and group entries if user was not denied by owner entry.
          if (!foundMatch) {
            for (int pos = 0, entry; pos < aclFeature.getEntriesSize(); pos++) {
              entry = aclFeature.getEntryAt(pos);
              if (AclEntryStatusFormat.getScope(entry) == AclEntryScope.DEFAULT) {
              AclEntryType type = AclEntryStatusFormat.getType(entry);
              String name = AclEntryStatusFormat.getName(entry);
              if (type == AclEntryType.USER) {
                // Use named user entry with mask from permission bits applied if user
                // matches name.
                if (getUser().equals(name)) {
                  FsAction masked = AclEntryStatusFormat.getPermission(entry).and(
                  if (masked.implies(access)) {
                  foundMatch = true;
              } else if (type == AclEntryType.GROUP) {
                // Use group entry (unnamed or named) with mask from permission bits
                // applied if user is a member and entry grants access.  If user is a
                // member of multiple groups that have entries that grant access, then
                // it doesn't matter which is chosen, so exit early after first match.
                String group = name == null ? inode.getGroupName() : name;
                if (getGroups().contains(group)) {
                  FsAction masked = AclEntryStatusFormat.getPermission(entry).and(
                  if (masked.implies(access)) {
                  foundMatch = true;

      As seen in the GROUP section, the permissions check will succeed if and only if a single group (either owning group or named group) has all of the requested permissions. The permissions check should instead succeed if the requested permissions can be obtained by unioning all of the groups permissions.


        1. HDFS_8748.patch
          5 kB
          Scott Opell



            • Assignee:
              scott_o Scott Opell
            • Votes:
              0 Vote for this issue
              5 Start watching this issue


              • Created: