In addition to an ACL enforced during permission checks, there is also the separate concept of a default ACL. A default ACL can only be applied to a directory -- not to a file. Default ACLs have no direct effect on permission checks for existing child files and directories, but instead define the ACL that new child files and directories will receive when they are created.
Suppose we have a "monthly-sales-data" directory that is further subdivided into separate directories for each month. We will set a default ACL to guarantee that members of the "execs" group automatically get access to new subdirectories as they get created each month.
Set a default ACL on the parent directory:
> hdfs dfs -setfacl -m default:group:execs:r-x /monthly-sales-data
Make subdirectories:
> hdfs dfs -mkdir /monthly-sales-data/JAN
> hdfs dfs -mkdir /monthly-sales-data/FEB
Verify that HDFS has automatically applied the default ACL to the subdirectories:
> hdfs dfs -getfacl -R /monthly-sales-data
# file: /monthly-sales-data
# owner: bruce
# group: sales
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:execs:r-x
default:mask::r-x
default:other::---

# file: /monthly-sales-data/FEB
# owner: bruce
# group: sales
user::rwx
group::r-x
group:execs:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:execs:r-x
default:mask::r-x
default:other::---

# file: /monthly-sales-data/JAN
# owner: bruce
# group: sales
user::rwx
group::r-x
group:execs:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:execs:r-x
default:mask::r-x
default:other::---
The default ACL is copied from the parent directory to a child file or directory when it is created. Subsequent changes to the default ACL of the parent directory do not alter the ACLs of existing children.
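Because later changes to a parent's default ACL do not reach existing children, it helps to audit for children that predate the change. The following is an added example, not part of the original documentation: it parses `hdfs dfs -getfacl -R` output and reports direct children whose access ACL lacks a named entry from the parent's current default ACL. The function names, the "auditors" group and the MAR directory are assumptions made for illustration.

```python
import re

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Map each path to {'access': {...}, 'default': {...}} keyed by (type, name)."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = acls.setdefault(line[len("# file: "):], {"access": {}, "default": {}})
        elif current is not None and (m := ENTRY.match(line)):
            scope = "default" if m.group(1) else "access"
            current[scope][(m.group(2), m.group(3))] = m.group(4)
    return acls

def stale_children(acls, parent):
    """Direct children whose access ACL lacks a named entry of the parent's default ACL."""
    # Only named entries (group:execs, user:alice) are compared: the unnamed
    # user, mask and other entries are filtered by the creation mode.
    named = {k: v for k, v in acls[parent]["default"].items() if k[1]}
    prefix = parent.rstrip("/") + "/"
    report = {}
    for path, acl in acls.items():
        if path.startswith(prefix) and "/" not in path[len(prefix):]:
            missing = sorted(f"{t}:{n}:{p}" for (t, n), p in named.items()
                             if acl["access"].get((t, n)) != p)
            if missing:
                report[path] = missing
    return report

def _block(path, entries):
    """Build one constructed getfacl stanza, one ACL entry per line."""
    return f"# file: {path}\n# owner: bruce\n# group: sales\n" + "\n".join(entries.split()) + "\n\n"

# Constructed sample: default:group:auditors (hypothetical) was added to the
# parent after JAN was created; MAR (hypothetical) was created afterwards.
NEW_DEFAULT = ("default:user::rwx default:group::r-x default:group:execs:r-x "
               "default:group:auditors:r-x default:mask::r-x default:other::---")
OLD_DEFAULT = NEW_DEFAULT.replace("default:group:auditors:r-x ", "")
ACCESS = "user::rwx group::r-x group:execs:r-x mask::r-x other::--- "
SAMPLE = (
    _block("/monthly-sales-data", "user::rwx group::r-x other::--- " + NEW_DEFAULT)
    + _block("/monthly-sales-data/JAN", ACCESS + OLD_DEFAULT)
    + _block("/monthly-sales-data/MAR", ACCESS.replace("mask", "group:auditors:r-x mask") + NEW_DEFAULT)
)

if __name__ == "__main__":
    for path, missing in stale_children(parse_getfacl(SAMPLE), "/monthly-sales-data").items():
        print(path, "is missing", missing)
```

A reported path is drift to review rather than a violation in itself, since an entry may have been removed from a child deliberately.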