Skip to content

HDDS-14574. Enforce 700 permissions on Ozone Metadata and Data(hdds) directories #9735

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Gargi-jais11 wants to merge 3 commits into
base: master
Choose a base branch
from
Open

HDDS-14574. Enforce 700 permissions on Ozone Metadata and Data(hdds) directories #9735

Gargi-jais11 wants to merge 3 commits into from

Conversation

@Gargi-jais11
Copy link
Contributor

@Gargi-jais11 Gargi-jais11 commented Feb 9, 2026

What changes were proposed in this pull request?

Current Behaviour:
For Ozone metadata of OM, SCM, DN and Recon and Datanode Directory(/data/hdds) have 750 and 755 permissions respectively.

Proposed Behaviour:
We should bring Ozone up to parity with HDFS, where we have both a parameter that controls the permission, as well as health alerts for lax permissions.
Incorrectly permissioned data directories can lead to a serious data breach as any user (e.g. any Spark application) is able to read the data files.
Make the default permissions for all ozone metadata and data directories as 700 similar to hdfs.

Added new config for data directory permission: hdds.datanode.data.dir.permissions with default value of 700 and changed ozone metadata directory permissions to 700 from 750.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14574

How was this patch tested?

Added unit tests. Also manually tested for permissions:

// DN
[bash]# ls -la
total 4
drwx------ 8 hdfs hdfs 190 Feb 3 08:28 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
-rw-r--r-- 1 hdfs hdfs  0 Feb 3 08:28 cd
drwx------ 3 hdfs hdfs 65 Feb 3 08:28 data --------------------------> 700 data
-rw-r--r-- 1 hdfs hdfs 408 Feb 3 06:08 datanode.id
drwxr-xr-x 2 hdfs hdfs 10 Feb 2 04:46 db.checkpoints
drwxr-xr-x 3 hdfs hdfs 37 Feb 2 04:46 db.snapshots
drwx------ 5 hdfs hdfs 72 Feb 3 07:17 ozone-metadata. ---------------------> 700 metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 ratis
drwxr-xr-x 2 hdfs hdfs 333 Feb 3 06:08 witnessed_container.db

// OM
[bash om]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 112 Feb 4 06:03 data 
drwx------ 7 hdfs hdfs 117 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:47 ratis

// recon
[bash recon]# ls -la
total 0
drwxr-xr-x 6 root root 81 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 8 hdfs hdfs 184 Feb 2 04:47 data
drwxr-xr-x 3 root root 18 Feb 2 04:46 om
drwx------ 4 hdfs hdfs 48 Feb 2 04:46 ozone-metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 scm

//SCM
[bash scm]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 93 Feb 2 04:46 data
drwx------ 6 hdfs hdfs 96 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:46 ratis

@Gargi-jais11 Gargi-jais11 marked this pull request as ready for review February 9, 2026 04:23
@Gargi-jais11
Copy link
Contributor Author

Gargi-jais11 commented Feb 9, 2026
edited
Loading

@ChenSammi , @sumitagrawl and @jojochuang Please review the patch.

sreejasahithi
sreejasahithi reviewed Feb 9, 2026
View reviewed changes
Copy link
Contributor

@sreejasahithi sreejasahithi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Gargi-jais11 for working on this, left few comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sreejasahithi sreejasahithi Awaiting requested review from sreejasahithi

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Gargi-jais11 @sreejasahithi