use of alluxio.exception.AccessControlException in project alluxio by Alluxio.
the class DefaultFileSystemMaster method createAuditContext.
/**
* Creates a {@link FileSystemMasterAuditContext} instance.
*
* @param command the command to be logged by this {@link AuditContext}
* @param srcPath the source path of this command
* @param dstPath the destination path of this command
* @param srcInode the source inode of this command
* @return newly-created {@link FileSystemMasterAuditContext} instance
*/
private FileSystemMasterAuditContext createAuditContext(String command, AlluxioURI srcPath, @Nullable AlluxioURI dstPath, @Nullable Inode srcInode) {
// Audit log may be enabled during runtime
AsyncUserAccessAuditLogWriter auditLogWriter = null;
if (ServerConfiguration.getBoolean(PropertyKey.MASTER_AUDIT_LOGGING_ENABLED)) {
auditLogWriter = mAsyncAuditLogWriter;
}
FileSystemMasterAuditContext auditContext = new FileSystemMasterAuditContext(auditLogWriter);
if (auditLogWriter != null) {
String user = null;
String ugi = "";
try {
user = AuthenticatedClientUser.getClientUser(ServerConfiguration.global());
} catch (AccessControlException e) {
ugi = "N/A";
}
if (user != null) {
try {
String primaryGroup = CommonUtils.getPrimaryGroupName(user, ServerConfiguration.global());
ugi = user + "," + primaryGroup;
} catch (IOException e) {
LOG.debug("Failed to get primary group for user {}.", user);
ugi = user + ",N/A";
}
}
AuthType authType = ServerConfiguration.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class);
auditContext.setUgi(ugi).setAuthType(authType).setIp(ClientIpAddressInjector.getIpAddress()).setCommand(command).setSrcPath(srcPath).setDstPath(dstPath).setSrcInode(srcInode).setAllowed(true).setCreationTimeNs(System.nanoTime());
}
return auditContext;
}
use of alluxio.exception.AccessControlException in project alluxio by Alluxio.
the class DefaultFileSystemMaster method setAclSingleInode.
private void setAclSingleInode(RpcContext rpcContext, SetAclAction action, LockedInodePath inodePath, List<AclEntry> entries, boolean replay, long opTimeMs) throws IOException, FileDoesNotExistException {
Preconditions.checkState(inodePath.getLockPattern().isWrite());
Inode inode = inodePath.getInode();
// Check that we are not removing an extended mask.
if (action == SetAclAction.REMOVE) {
for (AclEntry entry : entries) {
if ((entry.isDefault() && inode.getDefaultACL().hasExtended()) || (!entry.isDefault() && inode.getACL().hasExtended())) {
if (entry.getType() == AclEntryType.MASK) {
throw new InvalidArgumentException("Deleting the mask for an extended ACL is not allowed. entry: " + entry);
}
}
}
}
// Check that we are not setting default ACL to a file
if (inode.isFile()) {
for (AclEntry entry : entries) {
if (entry.isDefault()) {
throw new UnsupportedOperationException("Can not set default ACL for a file");
}
}
}
mInodeTree.setAcl(rpcContext, SetAclEntry.newBuilder().setId(inode.getId()).setOpTimeMs(opTimeMs).setAction(ProtoUtils.toProto(action)).addAllEntries(entries.stream().map(ProtoUtils::toProto).collect(Collectors.toList())).build());
try {
if (!replay && inode.isPersisted()) {
setUfsAcl(inodePath);
}
} catch (InvalidPathException | AccessControlException e) {
LOG.warn("Setting ufs ACL failed for path: {}", inodePath.getUri(), e);
// TODO(david): revert the acl and default acl to the initial state if writing to ufs failed.
}
}
use of alluxio.exception.AccessControlException in project alluxio by Alluxio.
the class DefaultPermissionChecker method checkInodeList.
/**
* This method provides basic permission checking logic on a list of inodes. The input includes
* user and its group, requested action and inode list (by traversing the path). Then user,
* group, and the requested action will be evaluated on each of the inodes. It will return if
* check passed, and throw exception if check failed.
*
* @param user who requests access permission
* @param groups in which user belongs to
* @param bits bits that capture the action {@link Mode.Bits} by user
* @param path the path to check permission on
* @param inodeList file info list of all the inodes retrieved by traversing the path
* @param checkIsOwner indicates whether to check the user is the owner of the path
* @throws AccessControlException if permission checking fails
*/
protected void checkInodeList(String user, List<String> groups, Mode.Bits bits, String path, List<InodeView> inodeList, boolean checkIsOwner) throws AccessControlException {
int size = inodeList.size();
Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
// bypass checking permission for super user or super group of Alluxio file system.
if (isPrivilegedUser(user, groups)) {
return;
}
// traverses from root to the parent dir to all inodes included by this path are executable
for (int i = 0; i < size - 1; i++) {
checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
}
InodeView inode = inodeList.get(inodeList.size() - 1);
if (checkIsOwner) {
if (inode == null || user.equals(inode.getOwner())) {
return;
}
throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage("user=" + user + " is not the owner of path=" + path));
}
checkInode(user, groups, inode, bits, path);
}
use of alluxio.exception.AccessControlException in project alluxio by Alluxio.
the class DefaultPermissionChecker method getPermissionInternal.
/**
* Gets the permission to access an inode path given a user and its groups.
*
* @param user the user
* @param groups the groups this user belongs to
* @param path the inode path
* @param inodeList the list of inodes in the path
* @return the permission
*/
private Mode.Bits getPermissionInternal(String user, List<String> groups, String path, List<InodeView> inodeList) {
int size = inodeList.size();
Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
// bypass checking permission for super user or super group of Alluxio file system.
if (isPrivilegedUser(user, groups)) {
return Mode.Bits.ALL;
}
// traverses from root to the parent dir to all inodes included by this path are executable
for (int i = 0; i < size - 1; i++) {
try {
checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
} catch (AccessControlException e) {
return Mode.Bits.NONE;
}
}
InodeView inode = inodeList.get(inodeList.size() - 1);
if (inode == null) {
return Mode.Bits.NONE;
}
return inode.getPermission(user, groups).toModeBits();
}
Aggregations