big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HDFS-14359. Inherited ACL permissions masked when parent directory does not exist (mkdir -p)

Browse Source 
(Contributed by Stephen O'Donnell via Daniel Templeton)

Change-Id: Ia83f799a8f56aa8057a967b234f184683395fa41
This commit is contained in:
Stephen O'Donnell 2019-03-25 16:16:13 -07:00 committed by Daniel Templeton
parent 710cbc9bd6
commit 3f6d6d2811
3 changed files with 92 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirMkdirOp.java
View File

@ -17,6 +17,7 @@
*/ */
package org.apache.hadoop.hdfs.server.namenode; package org.apache.hadoop.hdfs.server.namenode;
import org.apache.hadoop.fs.permission.FsCreateModes;
import com.google.common.base.Preconditions; import com.google.common.base.Preconditions;
import org.apache.hadoop.fs.FileAlreadyExistsException; import org.apache.hadoop.fs.FileAlreadyExistsException;
import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.FileStatus;
@ -187,10 +188,19 @@ private static INodesInPath createSingleDirectory(FSDirectory fsd,
private static PermissionStatus addImplicitUwx(PermissionStatus parentPerm, private static PermissionStatus addImplicitUwx(PermissionStatus parentPerm,
PermissionStatus perm) { PermissionStatus perm) {
FsPermission p = parentPerm.getPermission(); FsPermission p = parentPerm.getPermission();
FsPermission ancestorPerm = new FsPermission( FsPermission ancestorPerm;
if (p.getUnmasked() == null) {
ancestorPerm = new FsPermission(
p.getUserAction().or(FsAction.WRITE_EXECUTE), p.getUserAction().or(FsAction.WRITE_EXECUTE),
p.getGroupAction(), p.getGroupAction(),
p.getOtherAction()); p.getOtherAction());
} else {
ancestorPerm = FsCreateModes.create(
new FsPermission(
p.getUserAction().or(FsAction.WRITE_EXECUTE),
p.getGroupAction(),
p.getOtherAction()), p.getUnmasked());
}
return new PermissionStatus(perm.getUserName(), perm.getGroupName(), return new PermissionStatus(perm.getUserName(), perm.getGroupName(),
ancestorPerm); ancestorPerm);
} }

2
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
View File

@ -1150,7 +1150,7 @@ public void testDefaultAclNewDirIntermediate() throws Exception {
AclStatus s = fs.getAclStatus(dirPath); AclStatus s = fs.getAclStatus(dirPath);
AclEntry[] returned = s.getEntries().toArray(new AclEntry[0]); AclEntry[] returned = s.getEntries().toArray(new AclEntry[0]);
assertArrayEquals(expected, returned); assertArrayEquals(expected, returned);
assertPermission(dirPath, (short)010750); assertPermission(dirPath, (short)010770);
assertAclFeature(dirPath, true); assertAclFeature(dirPath, true);
s = fs.getAclStatus(subdirPath); s = fs.getAclStatus(subdirPath);
returned = s.getEntries().toArray(new AclEntry[0]); returned = s.getEntries().toArray(new AclEntry[0]);

77
hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testAclCLIWithPosixAclInheritance.xml
View File

@ -740,6 +740,83 @@
</comparator> </comparator>
</comparators> </comparators>
</test> </test>
<test>
<!-- Added to verify HDFS-14359 -->
<description>setfacl : check inherit default ACL to ancestor dir with mkdir -p</description>
<test-commands>
<command>-fs NAMENODE -mkdir /dir1</command>
<command>-fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1</command>
<command>-fs NAMENODE -mkdir -p /dir1/dir2/dir3</command>
<command>-fs NAMENODE -getfacl /dir1/dir2</command>
</test-commands>
<cleanup-commands>
<command>-fs NAMENODE -rm -R /dir1</command>
</cleanup-commands>
<comparators>
<comparator>
<type>SubstringComparator</type>
<expected-output># file: /dir1/dir2</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output># owner: USERNAME</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output># group: supergroup</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>user::rwx</expected-output>
</comparator>
<comparator>
<!-- Ensure there is no #effective comment after the permissions, masking them -->
<type>RegexpComparator</type>
<expected-output>^user:charlie:r-x$</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>group::r-x</expected-output>
</comparator>
<comparator>
<!-- Ensure there is no #effective comment after the permissions, masking them -->
<type>RegexpComparator</type>
<expected-output>^group:admin:rwx$</expected-output>
</comparator>
<comparator>
<type>RegexpComparator</type>
<expected-output>^mask::rwx$</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:user::rwx</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:user:charlie:r-x</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:group::r-x</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:group:admin:rwx</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:mask::rwx</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>default:other::r-x</expected-output>
</comparator>
<comparator>
<type>SubstringComparator</type>
<expected-output>other::r-x</expected-output>
</comparator>
</comparators>
</test>
<test> <test>
<description>getfacl -R : recursive</description> <description>getfacl -R : recursive</description>
<test-commands> <test-commands>