Search in sources :

Example 61 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultFileSystemMaster method createAuditContext.

/**
 * Creates a {@link FileSystemMasterAuditContext} instance.
 *
 * @param command the command to be logged by this {@link AuditContext}
 * @param srcPath the source path of this command
 * @param dstPath the destination path of this command
 * @param srcInode the source inode of this command
 * @return newly-created {@link FileSystemMasterAuditContext} instance
 */
private FileSystemMasterAuditContext createAuditContext(String command, AlluxioURI srcPath, @Nullable AlluxioURI dstPath, @Nullable Inode srcInode) {
    // Audit log may be enabled during runtime
    AsyncUserAccessAuditLogWriter auditLogWriter = null;
    if (ServerConfiguration.getBoolean(PropertyKey.MASTER_AUDIT_LOGGING_ENABLED)) {
        auditLogWriter = mAsyncAuditLogWriter;
    }
    FileSystemMasterAuditContext auditContext = new FileSystemMasterAuditContext(auditLogWriter);
    if (auditLogWriter != null) {
        String user = null;
        String ugi = "";
        try {
            user = AuthenticatedClientUser.getClientUser(ServerConfiguration.global());
        } catch (AccessControlException e) {
            ugi = "N/A";
        }
        if (user != null) {
            try {
                String primaryGroup = CommonUtils.getPrimaryGroupName(user, ServerConfiguration.global());
                ugi = user + "," + primaryGroup;
            } catch (IOException e) {
                LOG.debug("Failed to get primary group for user {}.", user);
                ugi = user + ",N/A";
            }
        }
        AuthType authType = ServerConfiguration.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class);
        auditContext.setUgi(ugi).setAuthType(authType).setIp(ClientIpAddressInjector.getIpAddress()).setCommand(command).setSrcPath(srcPath).setDstPath(dstPath).setSrcInode(srcInode).setAllowed(true).setCreationTimeNs(System.nanoTime());
    }
    return auditContext;
}
Also used : AccessControlException(alluxio.exception.AccessControlException) IOException(java.io.IOException) AuthType(alluxio.security.authentication.AuthType) AsyncUserAccessAuditLogWriter(alluxio.master.audit.AsyncUserAccessAuditLogWriter)

Example 62 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultFileSystemMaster method setAclSingleInode.

private void setAclSingleInode(RpcContext rpcContext, SetAclAction action, LockedInodePath inodePath, List<AclEntry> entries, boolean replay, long opTimeMs) throws IOException, FileDoesNotExistException {
    Preconditions.checkState(inodePath.getLockPattern().isWrite());
    Inode inode = inodePath.getInode();
    // Check that we are not removing an extended mask.
    if (action == SetAclAction.REMOVE) {
        for (AclEntry entry : entries) {
            if ((entry.isDefault() && inode.getDefaultACL().hasExtended()) || (!entry.isDefault() && inode.getACL().hasExtended())) {
                if (entry.getType() == AclEntryType.MASK) {
                    throw new InvalidArgumentException("Deleting the mask for an extended ACL is not allowed. entry: " + entry);
                }
            }
        }
    }
    // Check that we are not setting default ACL to a file
    if (inode.isFile()) {
        for (AclEntry entry : entries) {
            if (entry.isDefault()) {
                throw new UnsupportedOperationException("Can not set default ACL for a file");
            }
        }
    }
    mInodeTree.setAcl(rpcContext, SetAclEntry.newBuilder().setId(inode.getId()).setOpTimeMs(opTimeMs).setAction(ProtoUtils.toProto(action)).addAllEntries(entries.stream().map(ProtoUtils::toProto).collect(Collectors.toList())).build());
    try {
        if (!replay && inode.isPersisted()) {
            setUfsAcl(inodePath);
        }
    } catch (InvalidPathException | AccessControlException e) {
        LOG.warn("Setting ufs ACL failed for path: {}", inodePath.getUri(), e);
    // TODO(david): revert the acl and default acl to the initial state if writing to ufs failed.
    }
}
Also used : Inode(alluxio.master.file.meta.Inode) InvalidArgumentException(alluxio.exception.status.InvalidArgumentException) AclEntry(alluxio.security.authorization.AclEntry) SetAclEntry(alluxio.proto.journal.File.SetAclEntry) ProtoUtils(alluxio.util.proto.ProtoUtils) AccessControlException(alluxio.exception.AccessControlException) InvalidPathException(alluxio.exception.InvalidPathException)

Example 63 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultPermissionChecker method checkInodeList.

/**
 * This method provides basic permission checking logic on a list of inodes. The input includes
 * user and its group, requested action and inode list (by traversing the path). Then user,
 * group, and the requested action will be evaluated on each of the inodes. It will return if
 * check passed, and throw exception if check failed.
 *
 * @param user who requests access permission
 * @param groups in which user belongs to
 * @param bits bits that capture the action {@link Mode.Bits} by user
 * @param path the path to check permission on
 * @param inodeList file info list of all the inodes retrieved by traversing the path
 * @param checkIsOwner indicates whether to check the user is the owner of the path
 * @throws AccessControlException if permission checking fails
 */
protected void checkInodeList(String user, List<String> groups, Mode.Bits bits, String path, List<InodeView> inodeList, boolean checkIsOwner) throws AccessControlException {
    int size = inodeList.size();
    Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
    // bypass checking permission for super user or super group of Alluxio file system.
    if (isPrivilegedUser(user, groups)) {
        return;
    }
    // traverses from root to the parent dir to all inodes included by this path are executable
    for (int i = 0; i < size - 1; i++) {
        checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
    }
    InodeView inode = inodeList.get(inodeList.size() - 1);
    if (checkIsOwner) {
        if (inode == null || user.equals(inode.getOwner())) {
            return;
        }
        throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage("user=" + user + " is not the owner of path=" + path));
    }
    checkInode(user, groups, inode, bits, path);
}
Also used : InodeView(alluxio.master.file.meta.InodeView) AccessControlException(alluxio.exception.AccessControlException)

Example 64 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultPermissionChecker method getPermissionInternal.

/**
 * Gets the permission to access an inode path given a user and its groups.
 *
 * @param user the user
 * @param groups the groups this user belongs to
 * @param path the inode path
 * @param inodeList the list of inodes in the path
 * @return the permission
 */
private Mode.Bits getPermissionInternal(String user, List<String> groups, String path, List<InodeView> inodeList) {
    int size = inodeList.size();
    Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
    // bypass checking permission for super user or super group of Alluxio file system.
    if (isPrivilegedUser(user, groups)) {
        return Mode.Bits.ALL;
    }
    // traverses from root to the parent dir to all inodes included by this path are executable
    for (int i = 0; i < size - 1; i++) {
        try {
            checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
        } catch (AccessControlException e) {
            return Mode.Bits.NONE;
        }
    }
    InodeView inode = inodeList.get(inodeList.size() - 1);
    if (inode == null) {
        return Mode.Bits.NONE;
    }
    return inode.getPermission(user, groups).toModeBits();
}
Also used : InodeView(alluxio.master.file.meta.InodeView) AccessControlException(alluxio.exception.AccessControlException)

Aggregations

AccessControlException (alluxio.exception.AccessControlException)64 AlluxioURI (alluxio.AlluxioURI)29 LockedInodePath (alluxio.master.file.meta.LockedInodePath)21 Test (org.junit.Test)21 FileDoesNotExistException (alluxio.exception.FileDoesNotExistException)16 LockingScheme (alluxio.master.file.meta.LockingScheme)15 InvalidPathException (alluxio.exception.InvalidPathException)12 BaseIntegrationTest (alluxio.testutils.BaseIntegrationTest)11 IOException (java.io.IOException)11 ArrayList (java.util.ArrayList)10 Inode (alluxio.master.file.meta.Inode)9 MountTable (alluxio.master.file.meta.MountTable)7 FileInfo (alluxio.wire.FileInfo)7 AlluxioException (alluxio.exception.AlluxioException)4 LockedInodePathList (alluxio.master.file.meta.LockedInodePathList)4 Mode (alluxio.security.authorization.Mode)4 UnderFileSystem (alluxio.underfs.UnderFileSystem)4 FileBlockInfo (alluxio.wire.FileBlockInfo)4 DescendantType (alluxio.file.options.DescendantType)3 FileSystemMasterCommonPOptions (alluxio.grpc.FileSystemMasterCommonPOptions)3