test getfacl: basic permissions -fs NAMENODE -touchz /file1 -fs NAMENODE -getfacl /file1 -fs NAMENODE -rm /file1 SubstringComparator # file: /file1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator group::r-- SubstringComparator other::r-- getfacl: basic permissions for directory -fs NAMENODE -mkdir /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator group::r-x SubstringComparator other::r-x setfacl : Add an ACL -fs NAMENODE -touchz /file1 -fs NAMENODE -setfacl -m user:bob:r-- /file1 -fs NAMENODE -getfacl /file1 -fs NAMENODE -rm /file1 SubstringComparator # file: /file1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator user:bob:r-- SubstringComparator group::r-- SubstringComparator mask::r-- SubstringComparator other::r-- setfacl : Add multiple ACLs at once -fs NAMENODE -touchz /file1 -fs NAMENODE -setfacl -m user:bob:r--,group:users:r-x /file1 -fs NAMENODE -getfacl /file1 -fs NAMENODE -rm /file1 SubstringComparator # file: /file1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator user:bob:r-- SubstringComparator group::r-- SubstringComparator group:users:r-x SubstringComparator mask::r-x SubstringComparator other::r-- setfacl : Remove an ACL -fs NAMENODE -touchz /file1 -fs NAMENODE -setfacl -m user:bob:r--,user:charlie:r-x /file1 -fs NAMENODE -setfacl -x user:bob /file1 -fs NAMENODE -getfacl /file1 -fs NAMENODE -rm /file1 SubstringComparator # file: /file1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator user:charlie:r-x SubstringComparator group::r-- SubstringComparator other::r-- RegexpAcrossOutputComparator .*(?!bob)* setfacl : Add default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:bob:r--,group:users:r-x /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator user:bob:r-- SubstringComparator group::r-x SubstringComparator group:users:r-x SubstringComparator mask::r-x SubstringComparator other::r-x SubstringComparator default:user::rwx SubstringComparator default:user:charlie:r-x SubstringComparator default:group::r-x SubstringComparator default:group:admin:rwx SubstringComparator default:mask::rwx SubstringComparator default:other::r-x setfacl : Add minimal default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user::rwx /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator group::r-x SubstringComparator other::r-x SubstringComparator default:user::rwx SubstringComparator default:group::r-x SubstringComparator default:other::r-x RegexpAcrossOutputComparator .*(?!default\:mask)* setfacl : try adding default ACL to file -fs NAMENODE -touchz /file1 -fs NAMENODE -setfacl -m default:user:charlie:r-x /file1 -fs NAMENODE -rm /file1 SubstringComparator setfacl: Invalid ACL: only directories may have a default ACL setfacl : Remove one default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:bob:r--,group:users:r-x /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -setfacl -x default:user:charlie /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator user:bob:r-- SubstringComparator group::r-x SubstringComparator group:users:r-x SubstringComparator mask::r-x SubstringComparator other::r-x SubstringComparator default:user::rwx SubstringComparator default:group::r-x SubstringComparator default:group:admin:rwx SubstringComparator default:mask::rwx SubstringComparator default:other::r-x RegexpAcrossOutputComparator .*(?!default:user:charlie).* setfacl : Remove all default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:bob:r--,group:users:r-x /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -setfacl -k /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator user:bob:r-- SubstringComparator group::r-x SubstringComparator group:users:r-x SubstringComparator mask::r-x SubstringComparator other::r-x RegexpAcrossOutputComparator .*(?!default).* setfacl : Remove all but base ACLs for a directory -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -setfacl -b /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator group::r-x SubstringComparator other::r-x RegexpAcrossOutputComparator .*(?!charlie).* RegexpAcrossOutputComparator .*(?!default).* RegexpAcrossOutputComparator .*(?!admin).* setfacl : Remove all but base ACLs for a file -fs NAMENODE -touchz /file1 -fs NAMENODE -setfacl -m user:charlie:r-x,group:admin:rwx /file1 -fs NAMENODE -setfacl -b /file1 -fs NAMENODE -getfacl /file1 -fs NAMENODE -rm /file1 SubstringComparator # file: /file1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator group::r-- SubstringComparator other::r-- RegexpAcrossOutputComparator .*(?!charlie).* RegexpAcrossOutputComparator .*(?!admin).* setfacl : check inherit default ACL to file -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -touchz /dir1/file -fs NAMENODE -getfacl /dir1/file -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1/file SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rw- SubstringComparator user:charlie:r-x SubstringComparator group::r-x SubstringComparator group:admin:rwx RegexpComparator ^mask::rw-$ SubstringComparator other::r-- RegexpAcrossOutputComparator .*(?!default).* setfacl : check inherit default ACL to dir -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -mkdir /dir1/dir2 -fs NAMENODE -getfacl /dir1/dir2 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1/dir2 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator user:charlie:r-x SubstringComparator group::r-x SubstringComparator group:admin:rwx RegexpComparator ^mask::rwx$ SubstringComparator default:user::rwx SubstringComparator default:user:charlie:r-x SubstringComparator default:group::r-x SubstringComparator default:group:admin:rwx SubstringComparator default:mask::rwx SubstringComparator default:other::r-x SubstringComparator other::r-x setfacl : check inherit default ACL to ancestor dir with mkdir -p -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user:charlie:r-x,default:group:admin:rwx /dir1 -fs NAMENODE -mkdir -p /dir1/dir2/dir3 -fs NAMENODE -getfacl /dir1/dir2 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1/dir2 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx RegexpComparator ^user:charlie:r-x$ SubstringComparator group::r-x RegexpComparator ^group:admin:rwx$ RegexpComparator ^mask::rwx$ SubstringComparator default:user::rwx SubstringComparator default:user:charlie:r-x SubstringComparator default:group::r-x SubstringComparator default:group:admin:rwx SubstringComparator default:mask::rwx SubstringComparator default:other::r-x SubstringComparator other::r-x getfacl -R : recursive -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:charlie:r-x,group:admin:rwx /dir1 -fs NAMENODE -mkdir /dir1/dir2 -fs NAMENODE -setfacl -m user:user1:r-x,group:users:rwx /dir1/dir2 -fs NAMENODE -getfacl -R /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:r-x#LF#group::r-x#LF#group:admin:rwx#LF#mask::rwx#LF#other::r-x#LF##LF## file: /dir1/dir2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:user1:r-x#LF#group::r-x#LF#group:users:rwx#LF#mask::rwx#LF#other::r-x#LF##LF# setfacl -R : recursive -fs NAMENODE -mkdir /dir1 -fs NAMENODE -mkdir /dir1/dir2 -fs NAMENODE -setfacl -R -m user:charlie:r-x,group:admin:rwx /dir1 -fs NAMENODE -getfacl -R /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:r-x#LF#group::r-x#LF#group:admin:rwx#LF#mask::rwx#LF#other::r-x#LF##LF## file: /dir1/dir2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:r-x#LF#group::r-x#LF#group:admin:rwx#LF#mask::rwx#LF#other::r-x#LF##LF# setfacl --set : Set full set of ACLs -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:charlie:r-x,group:admin:rwx /dir1 -fs NAMENODE -setfacl --set user::rw-,group::r--,other::r--,user:user1:r-x,group:users:rw- /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rw-#LF#user:user1:r-x#LF#group::r--#LF#group:users:rw-#LF#mask::rwx#LF#other::r--#LF##LF# setfacl -x mask : remove mask entry along with other ACL entries -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:charlie:r-x,group:admin:rwx /dir1 -fs NAMENODE -setfacl -x mask::,user:charlie,group:admin /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#group::r-x#LF#other::r-x#LF##LF# getfacl: only default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user:charlie:rwx /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx SubstringComparator group::r-x SubstringComparator other::r-x SubstringComparator default:user::rwx SubstringComparator default:user:charlie:rwx SubstringComparator default:group::r-x SubstringComparator default:mask::rwx SubstringComparator default:other::r-x getfacl: effective permissions -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m user:charlie:rwx,group::-wx,group:sales:rwx,mask::r-x,default:user:charlie:rwx,default:group::r-x,default:group:sales:rwx,default:mask::rw- /dir1 -fs NAMENODE -getfacl /dir1 -fs NAMENODE -rm -R /dir1 SubstringComparator # file: /dir1 SubstringComparator # owner: USERNAME SubstringComparator # group: supergroup SubstringComparator user::rwx RegexpComparator ^user:charlie:rwx\t#effective:r-x$ RegexpComparator ^group::-wx\t#effective:--x$ RegexpComparator ^group:sales:rwx\t#effective:r-x$ SubstringComparator mask::r-x SubstringComparator other::r-x SubstringComparator default:user::rwx RegexpComparator ^default:user:charlie:rwx\t#effective:rw-$ RegexpComparator ^default:group::r-x\t#effective:r--$ RegexpComparator ^default:group:sales:rwx\t#effective:rw-$ SubstringComparator default:mask::rw- SubstringComparator default:other::r-x ls: display extended acl marker -fs NAMENODE -mkdir -p /dir1/dir2 -fs NAMENODE -setfacl -m user:charlie:rwx,group::-wx,group:sales:rwx,mask::r-x,default:user:charlie:rwx,default:group::r-x,default:group:sales:rwx,default:mask::rw- /dir1/dir2 -fs NAMENODE -ls /dir1 -fs NAMENODE -rm -R /dir1 RegexpComparator ^drwxr-xr-x\+( )*-( )*USERNAME( )*supergroup( )*0( )*[0-9]{4,}-[0-9]{2,}-[0-9]{2,} [0-9]{2,}:[0-9]{2,}( )*/dir1/dir2 setfacl: recursive modify entries with mix of files and directories -fs NAMENODE -mkdir -p /dir1 -fs NAMENODE -touchz /dir1/file1 -fs NAMENODE -mkdir -p /dir1/dir2 -fs NAMENODE -touchz /dir1/dir2/file2 -fs NAMENODE -setfacl -R -m user:charlie:rwx,default:user:charlie:r-x /dir1 -fs NAMENODE -getfacl -R /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2/file2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rw-#LF#user:charlie:rwx#LF#group::r--#LF#mask::rwx#LF#other::r--#LF##LF## file: /dir1/file1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rw-#LF#user:charlie:rwx#LF#group::r--#LF#mask::rwx#LF#other::r--#LF##LF# setfacl: recursive remove entries with mix of files and directories -fs NAMENODE -mkdir -p /dir1 -fs NAMENODE -touchz /dir1/file1 -fs NAMENODE -mkdir -p /dir1/dir2 -fs NAMENODE -touchz /dir1/dir2/file2 -fs NAMENODE -setfacl -R -m user:bob:rwx,user:charlie:rwx,default:user:bob:rwx,default:user:charlie:r-x /dir1 -fs NAMENODE -setfacl -R -x user:bob,default:user:bob /dir1 -fs NAMENODE -getfacl -R /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2/file2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rw-#LF#user:charlie:rwx#LF#group::r--#LF#mask::rwx#LF#other::r--#LF##LF## file: /dir1/file1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rw-#LF#user:charlie:rwx#LF#group::r--#LF#mask::rwx#LF#other::r--#LF##LF# setfacl: recursive set with mix of files and directories -fs NAMENODE -mkdir -p /dir1 -fs NAMENODE -touchz /dir1/file1 -fs NAMENODE -mkdir -p /dir1/dir2 -fs NAMENODE -touchz /dir1/dir2/file2 -fs NAMENODE -setfacl -R --set user::rwx,user:charlie:rwx,group::r-x,other::r-x,default:user:charlie:r-x /dir1 -fs NAMENODE -getfacl -R /dir1 -fs NAMENODE -rm -R /dir1 ExactComparator # file: /dir1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF#default:user::rwx#LF#default:user:charlie:r-x#LF#default:group::r-x#LF#default:mask::r-x#LF#default:other::r-x#LF##LF## file: /dir1/dir2/file2#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF##LF## file: /dir1/file1#LF## owner: USERNAME#LF## group: supergroup#LF#user::rwx#LF#user:charlie:rwx#LF#group::r-x#LF#mask::rwx#LF#other::r-x#LF##LF# copyFromLocal: copying file into a directory with a default ACL -fs NAMENODE -mkdir /dir1 -fs NAMENODE -setfacl -m default:user:charlie:rwx /dir1 -fs NAMENODE -copyFromLocal CLITEST_DATA/data1k /dir1/data1k -fs NAMENODE -getfacl /dir1/data1k -fs NAMENODE -rm -R /dir1 RegexpComparator ^# file: /dir1/data1k$ RegexpComparator ^# owner: USERNAME$ RegexpComparator ^# group: supergroup$ RegexpComparator ^user::rw-$ RegexpComparator ^user:charlie:rwx\t#effective:rw-$ RegexpComparator ^group::r-x\t#effective:r--$ RegexpComparator ^mask::rw-$ RegexpComparator ^other::r--$ RegexpAcrossOutputComparator .*(?!default).*