Examples with AccessControlException alluxio.exception.AccessControlException used on opensource projects

Example 61 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultFileSystemMaster method createAuditContext.

/**
 * Creates a {@link FileSystemMasterAuditContext} instance.
 *
 * @param command the command to be logged by this {@link AuditContext}
 * @param srcPath the source path of this command
 * @param dstPath the destination path of this command
 * @param srcInode the source inode of this command
 * @return newly-created {@link FileSystemMasterAuditContext} instance
 */
private FileSystemMasterAuditContext createAuditContext(String command, AlluxioURI srcPath, @Nullable AlluxioURI dstPath, @Nullable Inode srcInode) {
    // Audit log may be enabled during runtime
    AsyncUserAccessAuditLogWriter auditLogWriter = null;
    if (ServerConfiguration.getBoolean(PropertyKey.MASTER_AUDIT_LOGGING_ENABLED)) {
        auditLogWriter = mAsyncAuditLogWriter;
    }
    FileSystemMasterAuditContext auditContext = new FileSystemMasterAuditContext(auditLogWriter);
    if (auditLogWriter != null) {
        String user = null;
        String ugi = "";
        try {
            user = AuthenticatedClientUser.getClientUser(ServerConfiguration.global());
        } catch (AccessControlException e) {
            ugi = "N/A";
        }
        if (user != null) {
            try {
                String primaryGroup = CommonUtils.getPrimaryGroupName(user, ServerConfiguration.global());
                ugi = user + "," + primaryGroup;
            } catch (IOException e) {
                LOG.debug("Failed to get primary group for user {}.", user);
                ugi = user + ",N/A";
            }
        }
        AuthType authType = ServerConfiguration.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class);
        auditContext.setUgi(ugi).setAuthType(authType).setIp(ClientIpAddressInjector.getIpAddress()).setCommand(command).setSrcPath(srcPath).setDstPath(dstPath).setSrcInode(srcInode).setAllowed(true).setCreationTimeNs(System.nanoTime());
    }
    return auditContext;
}

Example 62 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultFileSystemMaster method setAclSingleInode.

private void setAclSingleInode(RpcContext rpcContext, SetAclAction action, LockedInodePath inodePath, List<AclEntry> entries, boolean replay, long opTimeMs) throws IOException, FileDoesNotExistException {
    Preconditions.checkState(inodePath.getLockPattern().isWrite());
    Inode inode = inodePath.getInode();
    // Check that we are not removing an extended mask.
    if (action == SetAclAction.REMOVE) {
        for (AclEntry entry : entries) {
            if ((entry.isDefault() && inode.getDefaultACL().hasExtended()) || (!entry.isDefault() && inode.getACL().hasExtended())) {
                if (entry.getType() == AclEntryType.MASK) {
                    throw new InvalidArgumentException("Deleting the mask for an extended ACL is not allowed. entry: " + entry);
                }
            }
        }
    }
    // Check that we are not setting default ACL to a file
    if (inode.isFile()) {
        for (AclEntry entry : entries) {
            if (entry.isDefault()) {
                throw new UnsupportedOperationException("Can not set default ACL for a file");
            }
        }
    }
    mInodeTree.setAcl(rpcContext, SetAclEntry.newBuilder().setId(inode.getId()).setOpTimeMs(opTimeMs).setAction(ProtoUtils.toProto(action)).addAllEntries(entries.stream().map(ProtoUtils::toProto).collect(Collectors.toList())).build());
    try {
        if (!replay && inode.isPersisted()) {
            setUfsAcl(inodePath);
        }
    } catch (InvalidPathException | AccessControlException e) {
        LOG.warn("Setting ufs ACL failed for path: {}", inodePath.getUri(), e);
    // TODO(david): revert the acl and default acl to the initial state if writing to ufs failed.
    }
}

Example 63 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultPermissionChecker method checkInodeList.

/**
 * This method provides basic permission checking logic on a list of inodes. The input includes
 * user and its group, requested action and inode list (by traversing the path). Then user,
 * group, and the requested action will be evaluated on each of the inodes. It will return if
 * check passed, and throw exception if check failed.
 *
 * @param user who requests access permission
 * @param groups in which user belongs to
 * @param bits bits that capture the action {@link Mode.Bits} by user
 * @param path the path to check permission on
 * @param inodeList file info list of all the inodes retrieved by traversing the path
 * @param checkIsOwner indicates whether to check the user is the owner of the path
 * @throws AccessControlException if permission checking fails
 */
protected void checkInodeList(String user, List<String> groups, Mode.Bits bits, String path, List<InodeView> inodeList, boolean checkIsOwner) throws AccessControlException {
    int size = inodeList.size();
    Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
    // bypass checking permission for super user or super group of Alluxio file system.
    if (isPrivilegedUser(user, groups)) {
        return;
    }
    // traverses from root to the parent dir to all inodes included by this path are executable
    for (int i = 0; i < size - 1; i++) {
        checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
    }
    InodeView inode = inodeList.get(inodeList.size() - 1);
    if (checkIsOwner) {
        if (inode == null || user.equals(inode.getOwner())) {
            return;
        }
        throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage("user=" + user + " is not the owner of path=" + path));
    }
    checkInode(user, groups, inode, bits, path);
}

Example 64 with AccessControlException

use of alluxio.exception.AccessControlException in project alluxio by Alluxio.

the class DefaultPermissionChecker method getPermissionInternal.

/**
 * Gets the permission to access an inode path given a user and its groups.
 *
 * @param user the user
 * @param groups the groups this user belongs to
 * @param path the inode path
 * @param inodeList the list of inodes in the path
 * @return the permission
 */
private Mode.Bits getPermissionInternal(String user, List<String> groups, String path, List<InodeView> inodeList) {
    int size = inodeList.size();
    Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
    // bypass checking permission for super user or super group of Alluxio file system.
    if (isPrivilegedUser(user, groups)) {
        return Mode.Bits.ALL;
    }
    // traverses from root to the parent dir to all inodes included by this path are executable
    for (int i = 0; i < size - 1; i++) {
        try {
            checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
        } catch (AccessControlException e) {
            return Mode.Bits.NONE;
        }
    }
    InodeView inode = inodeList.get(inodeList.size() - 1);
    if (inode == null) {
        return Mode.Bits.NONE;
    }
    return inode.getPermission(user, groups).toModeBits();
}