From 312e57b95477ec95e6735f5721c646ad1df019f8 Mon Sep 17 00:00:00 2001
From: John Zhuge
Date: Fri, 9 Jun 2017 08:42:16 -0700
Subject: [PATCH] HDFS-11957. Enable POSIX ACL inheritance by default. Contributed by John Zhuge.
---
.../java/org/apache/hadoop/hdfs/DFSConfigKeys.java | 2 +-
.../src/main/resources/hdfs-default.xml | 2 +-
.../src/site/markdown/HdfsPermissionsGuide.md | 2 +-
.../java/org/apache/hadoop/cli/TestAclCLI.java | 2 ++
.../hadoop/hdfs/server/namenode/FSAclBaseTest.java | 8 ++++----
.../hdfs/server/namenode/TestFSImageWithAcl.java | 14 ++++++++------
6 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
index dc9bf765b9..f4c383e84f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
@@ -269,7 +269,7 @@ public class DFSConfigKeys extends CommonConfigurationKeys { public static final String DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_KEY = "dfs.namenode.posix.acl.inheritance.enabled"; public static final boolean - DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_DEFAULT = false; + DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_DEFAULT = true; public static final String DFS_NAMENODE_XATTRS_ENABLED_KEY = "dfs.namenode.xattrs.enabled"; public static final boolean DFS_NAMENODE_XATTRS_ENABLED_DEFAULT = true; public static final String DFS_ADMIN = "dfs.cluster.administrators";
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
index 49429672cc..03becc96ea 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml
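Review bot: The flipped `DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_DEFAULT` in DFSConfigKeys.java carries no comment saying that it widens the permissions of newly created children on every cluster that leaves the key unset. With inheritance on, the NameNode applies the parent's default ACL and ignores the client umask, and the test updates later in this patch show the effect: group bits go from `r--` to `rw-` on files (`010640` to `010660`) and from `r-x` to `rwx` on directories (`010750` to `010770`). I would add a comment above the constant such as `// On by default since HDFS-11957: parent default ACLs override the client umask on create; set the key to false to keep umask-based modes.` and flag the change as incompatible in the release notes, so operators can audit directories that carry default ACLs before upgrading. The same applies to the matching value in hdfs-default.xml, whose description still opens with `Set to true to enable` and does not say how to opt out. The class body continues outside the hunk.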
@@ -459,7 +459,7 @@ dfs.namenode.posix.acl.inheritance.enabled - false + true Set to true to enable POSIX style ACL inheritance. When it is enabled and the create request comes from a compatible client, the NameNode
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/HdfsPermissionsGuide.md b/hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/HdfsPermissionsGuide.md
index c50253459d..82b5cec09f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/HdfsPermissionsGuide.md
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/HdfsPermissionsGuide.md
@@ -322,7 +322,7 @@ Configuration Parameters * `dfs.namenode.posix.acl.inheritance.enabled` - Set to true to enable POSIX style ACL inheritance. Disabled by default. + Set to true to enable POSIX style ACL inheritance. Enabled by default. When it is enabled and the create request comes from a compatible client, the NameNode will apply default ACLs from the parent directory to the create mode and ignore the client umask. If no default ACL is found,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestAclCLI.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestAclCLI.java
index 75111bb484..9cf2180ff5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestAclCLI.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/cli/TestAclCLI.java
@@ -34,6 +34,8 @@ public class TestAclCLI extends CLITestHelperDFS { protected void initConf() { conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY, true); + conf.setBoolean( + DFSConfigKeys.DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_KEY, false); } @Before
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
index 60b0ab168d..93a83fd3dc 100644
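Review bot: The override added to `initConf()` in TestAclCLI pins this CLI suite to the old behaviour without saying why, so the shell commands tested here never run against the new default. Presumably the suite's expected outputs were written against umask-based modes; if so, a comment such as `// Expected CLI output assumes umask-based modes; keep POSIX ACL inheritance off for this suite.` would stop a later cleanup from dropping the override. A follow-up case that runs the same commands with inheritance left at its default would cover the path most clusters will now take.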
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
@@ -903,7 +903,7 @@ public void testDefaultAclNewFile() throws Exception { assertArrayEquals(new AclEntry[] { aclEntry(ACCESS, USER, "foo", ALL), aclEntry(ACCESS, GROUP, READ_EXECUTE) }, returned); - assertPermission(filePath, (short)010640); + assertPermission(filePath, (short)010660); assertAclFeature(filePath, true); }
@@ -1003,7 +1003,7 @@ public void testDefaultAclNewDir() throws Exception { aclEntry(DEFAULT, GROUP, READ_EXECUTE), aclEntry(DEFAULT, MASK, ALL), aclEntry(DEFAULT, OTHER, NONE) }, returned); - assertPermission(dirPath, (short)010750); + assertPermission(dirPath, (short)010770); assertAclFeature(dirPath, true); }
@@ -1120,7 +1120,7 @@ public void testDefaultAclNewFileIntermediate() throws Exception { s = fs.getAclStatus(filePath); returned = s.getEntries().toArray(new AclEntry[0]); assertArrayEquals(expected, returned); - assertPermission(filePath, (short)010640); + assertPermission(filePath, (short)010660); assertAclFeature(filePath, true); }
@@ -1149,7 +1149,7 @@ public void testDefaultAclNewDirIntermediate() throws Exception { s = fs.getAclStatus(subdirPath); returned = s.getEntries().toArray(new AclEntry[0]); assertArrayEquals(expected, returned); - assertPermission(subdirPath, (short)010750); + assertPermission(subdirPath, (short)010770); assertAclFeature(subdirPath, true); }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSImageWithAcl.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSImageWithAcl.java
index 48d3dea81c..d9c24d9c9f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSImageWithAcl.java
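Review bot: The four updated assertions in FSAclBaseTest (`testDefaultAclNewFile`, `testDefaultAclNewDir` and the two `*Intermediate` variants) now check only the inheritance-enabled result, so nothing visible here still asserts the umask-applied modes (`010640`, `010750`) that a cluster gets after setting the key back to false. That opt-out is the only way to keep the narrower group bits, so it deserves its own assertion, for example a subclass or test that sets `DFS_NAMENODE_POSIX_ACL_INHERITANCE_ENABLED_KEY` to false and expects the old values. A short comment beside each literal, e.g. `// umask is ignored when POSIX ACL inheritance is enabled`, would also record why the expected mode changed. Each test method starts outside its hunk, so a disabled-path check may already exist elsewhere in the file.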
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFSImageWithAcl.java
@@ -138,13 +138,15 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) aclEntry(DEFAULT, MASK, ALL), aclEntry(DEFAULT, OTHER, READ_EXECUTE) }; + short permExpected = (short)010775; + AclEntry[] fileReturned = fs.getAclStatus(filePath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(fileExpected, fileReturned); AclEntry[] subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); restart(fs, persistNamespace);
@@ -154,7 +156,7 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); aclSpec = Lists.newArrayList(aclEntry(DEFAULT, USER, "foo", READ_WRITE)); fs.modifyAclEntries(dirPath, aclSpec);
@@ -165,7 +167,7 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); restart(fs, persistNamespace);
@@ -175,7 +177,7 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); fs.removeAcl(dirPath);
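Review bot: `doTestDefaultAclNewChildren` pins the mode of `subdirPath` across every restart but, in the hunks shown, never calls `assertPermission` on `filePath`, where only the ACL entries are compared. The default flip changes file modes as well (FSAclBaseTest in this patch moves files from `010640` to `010660`), so the restart round trip should also assert the file's mode, e.g. `assertPermission(fs, filePath, filePermExpected);` after each file ACL comparison, with `filePermExpected` set to the mode the new default yields for this ACL. As a smaller style point, `permExpected` can be declared `final short`. This covers all six hunks of the method, including the two after `fs.removeAcl(dirPath)`; the method body extends beyond them, so a file-mode check may exist outside the visible lines.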
@@ -185,7 +187,7 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); restart(fs, persistNamespace);
@@ -195,7 +197,7 @@ private void doTestDefaultAclNewChildren(boolean persistNamespace) subdirReturned = fs.getAclStatus(subdirPath).getEntries() .toArray(new AclEntry[0]); Assert.assertArrayEquals(subdirExpected, subdirReturned); - assertPermission(fs, subdirPath, (short)010755); + assertPermission(fs, subdirPath, permExpected); } @Test