ACLs are of the order <type>:<name (optional)>:<permission>. If the name field is not populated, it applies to every user/group. If the name is supplied, it will be supplemental to the entry without the name. Meaning, in your example above, user permissions by default are rw-. However, because user 'bruce' is also defined, his permissions are rwx.
However, the mask directive is also set. From the HDFS Permission page, mask is defined as: "... a special ACL entry that filters the permissions granted to all named user entries and named group entries, and also the unnamed group entry." What this means is it filters or overrides any named user/group entries as well as unnamed group entries. This overrides the permissions for bruce to be r--. That is why they note the effective permissions of #r--.
Group mapping is determined by the following from the HDFS Permission page: "This implementation shells out with the bash -c groups command (for a Linux/Unix environment) or the net group command (for a Windows environment) to resolve a list of groups for a user."
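The mask filtering described above, as an added example that is not part of the original answer or of HDFS itself: it parses entries in the <type>:<name (optional)>:<permission> form and computes the effective permissions for auditing an ACL listing. The function names and the sample ACL are assumptions constructed for illustration.

```python
# Added example: effective permissions of HDFS ACL entries under the mask.
# Entry format: <type>:<name (optional)>:<permission>

# Constructed sample, not taken from a real cluster.
SAMPLE_ACL = """\
user::rw-
user:bruce:rwx
group::r-x
group:sales:rwx
mask::r--
other::r--
"""

def parse_acl(text):
    """Return (type, name, perms) tuples from getfacl-style lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing "#..." annotations
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        perms = parts[2]
        if len(perms) != 3 or any(c not in (l, "-") for c, l in zip(perms, "rwx")):
            raise ValueError(f"malformed permission string: {raw!r}")
        entries.append(tuple(parts))
    return entries

def effective_permissions(text):
    """Map 'type:name' to the permission string left after mask filtering."""
    entries = parse_acl(text)
    masks = [perms for etype, _, perms in entries if etype == "mask"]
    mask = masks[0] if masks else None
    result = {}
    for etype, name, perms in entries:
        if etype == "mask":
            continue
        # The mask filters named users, named groups and the unnamed group.
        # The owner entry (user::) and other:: are not filtered.
        filtered = etype == "group" or (etype == "user" and name != "")
        if mask is not None and filtered:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        result[f"{etype}:{name}"] = perms
    return result

if __name__ == "__main__":
    for entry, perms in effective_permissions(SAMPLE_ACL).items():
        print(f"{entry:<14} effective {perms}")
```

Comparing the declared permission with the computed one for each entry shows where a mask is silently narrowing a grant, or where removing the mask would widen access.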