HADOOP-10270. getfacl does not display effective permissions of masked. Contributed by Chris Nauroth.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/HDFS-4685@1563219 13f79535-47bb-0310-9956-ffa450edef68

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/AclCommands.java

@@ -116,6 +116,7 @@ class AclCommands extends FsCommand {
         .build());
 
       // Print all extended access ACL entries.
+      boolean hasAccessAcl = false;
       Iterator<AclEntry> entryIter = entries.iterator();
       AclEntry curEntry = null;
       while (entryIter.hasNext()) {
@@ -123,13 +124,15 @@ class AclCommands extends FsCommand {
         if (curEntry.getScope() == AclEntryScope.DEFAULT) {
           break;
         }
-        out.println(curEntry);
+        hasAccessAcl = true;
+        printExtendedAclEntry(curEntry, perm.getGroupAction());
       }
 
-      // Print mask entry implied by group permission bits.
+      // Print mask entry implied by group permission bits, or print group entry
+      // if there is no access ACL (only default ACL).
       out.println(new AclEntry.Builder()
         .setScope(AclEntryScope.ACCESS)
-        .setType(AclEntryType.MASK)
+        .setType(hasAccessAcl ? AclEntryType.MASK : AclEntryType.GROUP)
         .setPermission(perm.getGroupAction())
         .build());
 
@@ -143,9 +146,35 @@ class AclCommands extends FsCommand {
       // Print default ACL entries.
       if (curEntry != null && curEntry.getScope() == AclEntryScope.DEFAULT) {
         out.println(curEntry);
+        // ACL sort order guarantees default mask is the second-to-last entry.
+        FsAction maskPerm = entries.get(entries.size() - 2).getPermission();
+        while (entryIter.hasNext()) {
+          printExtendedAclEntry(entryIter.next(), maskPerm);
+        }
       }
-      while (entryIter.hasNext()) {
-        out.println(entryIter.next());
+    }
+
+    /**
+     * Prints a single extended ACL entry.  If the mask restricts the
+     * permissions of the entry, then also prints the restricted version as the
+     * effective permissions.  The mask applies to all named entries and also
+     * the unnamed group entry.
+     *
+     * @param entry AclEntry extended ACL entry to print
+     * @param maskPerm FsAction permissions in the ACL's mask entry
+     */
+    private void printExtendedAclEntry(AclEntry entry, FsAction maskPerm) {
+      if (entry.getName() != null || entry.getType() == AclEntryType.GROUP) {
+        FsAction entryPerm = entry.getPermission();
+        FsAction effectivePerm = entryPerm.and(maskPerm);
+        if (entryPerm != effectivePerm) {
+          out.println(String.format("%-31s #effective:%s", entry,
+            effectivePerm.SYMBOL));
+        } else {
+          out.println(entry);
+        }
+      } else {
+        out.println(entry);
       }
     }
 

hadoop-hdfs-project/hadoop-hdfs/CHANGES-HDFS-4685.txt

@@ -70,3 +70,6 @@ HDFS-4685 (Unreleased)
 
     HDFS-5849. Removing ACL from an inode fails if it has only a default ACL.
     (cnauroth)
+
+    HADOOP-10270. getfacl does not display effective permissions of masked
+    entries. (cnauroth)

hadoop-hdfs-project/hadoop-hdfs/src/test/resources/testAclCLI.xml

@@ -756,5 +756,135 @@
         </comparator>
       </comparators>
     </test>
+    <test>
+      <description>getfacl: only default ACL</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /dir1</command>
+        <command>-fs NAMENODE -setfacl -m default:user:charlie:rwx /dir1</command>
+        <command>-fs NAMENODE -getfacl /dir1</command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm -R /dir1</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># file: /dir1</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># owner: USERNAME</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># group: supergroup</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>user::rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>group::r-x</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>other::r-x</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:user::rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:user:charlie:rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:group::r-x</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:mask::rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:other::r-x</expected-output>
+        </comparator>
+      </comparators>
+    </test>
+    <test>
+      <description>getfacl: effective permissions</description>
+      <test-commands>
+        <command>-fs NAMENODE -mkdir /dir1</command>
+        <command>-fs NAMENODE -setfacl -m user:charlie:rwx,group::-wx,group:sales:rwx,mask::r-x,default:user:charlie:rwx,default:group::r-x,default:group:sales:rwx,default:mask::rw- /dir1</command>
+        <command>-fs NAMENODE -getfacl /dir1</command>
+      </test-commands>
+      <cleanup-commands>
+        <command>-fs NAMENODE -rm -R /dir1</command>
+      </cleanup-commands>
+      <comparators>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># file: /dir1</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># owner: USERNAME</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output># group: supergroup</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>user::rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^user:charlie:rwx\s+#effective:r-x$</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^group::-wx\s+#effective:--x$</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^group:sales:rwx\s+#effective:r-x$</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>mask::r-x</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>other::r-x</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:user::rwx</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^default:user:charlie:rwx\s+#effective:rw-$</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^default:group::r-x\s+#effective:r--$</expected-output>
+        </comparator>
+        <comparator>
+          <type>RegexpComparator</type>
+          <expected-output>^default:group:sales:rwx\s+#effective:rw-$</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:mask::rw-</expected-output>
+        </comparator>
+        <comparator>
+          <type>SubstringComparator</type>
+          <expected-output>default:other::r-x</expected-output>
+        </comparator>
+      </comparators>
+    </test>
   </tests>
-</configuration>
+</configuration>