3.3. Example 2: Using a Default ACL for Automatic Application to New Children

In addition to an ACL enforced during permission checks, there is also the separate concept of a default ACL. A default ACL can only be applied to a directory -- not to a file.  Default ACLs have no direct effect on permission checks for existing child files and directories, but instead define the ACL that new child files and directories will receive when they are created.

Suppose we have a "monthly-sales-data" directory that is further subdivided into separate directories for each month. We will set a default ACL to guarantee that members of the "execs" group automatically get access to new subdirectories as they get created each month.

  • Set a default ACL on the parent directory:

    > hdfs dfs -setfacl -m default:group:execs:r-x /monthly-sales-data

  • Make subdirectories:

    > hdfs dfs -mkdir /monthly-sales-data/JAN
    > hdfs dfs -mkdir /monthly-sales-data/FEB

  • Verify that HDFS has automatically applied the default ACL to the subdirectories :

    > hdfs dfs -getfacl -R /monthly-sales-data
    # file: /monthly-sales-data
    # owner: bruce
    # group: sales
    user::rwx
    group::r-x
    other::---
    default:user::rwx
    default:group::r-x
    default:group:execs:r-x
    default:mask::r-x
    default:other::---
    
    # file: /monthly-sales-data/FEB
    # owner: bruce
    # group: sales
    user::rwx
    group::r-x
    group:execs:r-x
    mask::r-x
    other::---
    default:user::rwx
    default:group::r-x
    default:group:execs:r-x
    default:mask::r-x
    default:other::---
    
    # file: /monthly-sales-data/JAN
    # owner: bruce
    # group: sales
    user::rwx
    group::r-x
    group:execs:r-x
    mask::r-x
    other::---
    default:user::rwx
    default:group::r-x
    default:group:execs:r-x
    default:mask::r-x
    default:other::---

The default ACL is copied from the parent directory to a child file or directory when it is created.  Subsequent changes to the default ACL of the parent directory do not alter the ACLs of existing children.


loading table of contents...