Example 51 with AclEntry

use of org.apache.hadoop.fs.permission.AclEntry in project hadoop by apache.

the class PBHelperClient method convertAclEntry.

public static List<AclEntry> convertAclEntry(List<AclEntryProto> aclSpec) {
    ArrayList<AclEntry> r = Lists.newArrayListWithCapacity(aclSpec.size());
    for (AclEntryProto e : aclSpec) {
        AclEntry.Builder builder = new AclEntry.Builder();
        builder.setType(convert(e.getType()));
        builder.setScope(convert(e.getScope()));
        builder.setPermission(convert(e.getPermissions()));
        if (e.hasName()) {
            builder.setName(e.getName());
        }
        r.add(builder.build());
    }
    return r;
}
Also used : Builder(org.apache.hadoop.hdfs.protocol.proto.HdfsProtos.LocatedBlockProto.Builder) DatanodeInfoBuilder(org.apache.hadoop.hdfs.protocol.DatanodeInfo.DatanodeInfoBuilder) AclEntry(org.apache.hadoop.fs.permission.AclEntry) AclEntryProto(org.apache.hadoop.hdfs.protocol.proto.AclProtos.AclEntryProto)

Example 52 with AclEntry

use of org.apache.hadoop.fs.permission.AclEntry in project hadoop by apache.

the class FSDirAclOp method unprotectedRemoveAcl.

private static void unprotectedRemoveAcl(FSDirectory fsd, INodesInPath iip) throws IOException {
    assert fsd.hasWriteLock();
    INode inode = FSDirectory.resolveLastINode(iip);
    int snapshotId = iip.getLatestSnapshotId();
    AclFeature f = inode.getAclFeature();
    if (f == null) {
        return;
    }
    FsPermission perm = inode.getFsPermission();
    List<AclEntry> featureEntries = AclStorage.getEntriesFromAclFeature(f);
    if (featureEntries.get(0).getScope() == AclEntryScope.ACCESS) {
        // Restore group permissions from the feature's entry to permission
        // bits, overwriting the mask, which is not part of a minimal ACL.
        AclEntry groupEntryKey = new AclEntry.Builder().setScope(AclEntryScope.ACCESS).setType(AclEntryType.GROUP).build();
        int groupEntryIndex = Collections.binarySearch(featureEntries, groupEntryKey, AclTransformation.ACL_ENTRY_COMPARATOR);
        Preconditions.checkPositionIndex(groupEntryIndex, featureEntries.size(), "Invalid group entry index after binary-searching inode: " + inode.getFullPathName() + "(" + inode.getId() + ") " + "with featureEntries:" + featureEntries);
        FsAction groupPerm = featureEntries.get(groupEntryIndex).getPermission();
        FsPermission newPerm = new FsPermission(perm.getUserAction(), groupPerm, perm.getOtherAction(), perm.getStickyBit());
        inode.setPermission(newPerm, snapshotId);
    }
    inode.removeAclFeature(snapshotId);
}
Also used : FsAction(org.apache.hadoop.fs.permission.FsAction) AclEntry(org.apache.hadoop.fs.permission.AclEntry) FsPermission(org.apache.hadoop.fs.permission.FsPermission)

Example 53 with AclEntry

use of org.apache.hadoop.fs.permission.AclEntry in project hadoop by apache.

the class AclStorage method updateINodeAcl.

/**
 * Updates an inode with a new ACL.  This method takes a full logical ACL and
 * stores the entries to the inode's {@link FsPermission} and
 * {@link AclFeature}.
 *
 * @param inode INode to update
 * @param newAcl List<AclEntry> containing new ACL entries
 * @param snapshotId int latest snapshot ID of inode
 * @throws AclException if the ACL is invalid for the given inode
 * @throws QuotaExceededException if quota limit is exceeded
 */
public static void updateINodeAcl(INode inode, List<AclEntry> newAcl, int snapshotId) throws AclException, QuotaExceededException {
    assert newAcl.size() >= 3;
    FsPermission perm = inode.getFsPermission();
    final FsPermission newPerm;
    if (!AclUtil.isMinimalAcl(newAcl)) {
        // This is an extended ACL.  Split entries into access vs. default.
        ScopedAclEntries scoped = new ScopedAclEntries(newAcl);
        List<AclEntry> accessEntries = scoped.getAccessEntries();
        List<AclEntry> defaultEntries = scoped.getDefaultEntries();
        // Only directories may have a default ACL.
        if (!defaultEntries.isEmpty() && !inode.isDirectory()) {
            throw new AclException("Invalid ACL: only directories may have a default ACL.");
        }
        // Attach entries to the feature.
        if (inode.getAclFeature() != null) {
            inode.removeAclFeature(snapshotId);
        }
        inode.addAclFeature(createAclFeature(accessEntries, defaultEntries), snapshotId);
        newPerm = createFsPermissionForExtendedAcl(accessEntries, perm);
    } else {
        // This is a minimal ACL.  Remove the ACL feature if it previously had one.
        if (inode.getAclFeature() != null) {
            inode.removeAclFeature(snapshotId);
        }
        newPerm = createFsPermissionForMinimalAcl(newAcl, perm);
    }
    inode.setPermission(newPerm, snapshotId);
}
Also used : ScopedAclEntries(org.apache.hadoop.fs.permission.ScopedAclEntries) AclEntry(org.apache.hadoop.fs.permission.AclEntry) FsPermission(org.apache.hadoop.fs.permission.FsPermission) AclException(org.apache.hadoop.hdfs.protocol.AclException)

Example 54 with AclEntry

use of org.apache.hadoop.fs.permission.AclEntry in project hadoop by apache.

the class AclStorage method readINodeLogicalAcl.

/**
 * Reads the existing ACL of an inode.  This method always returns the full
 * logical ACL of the inode after reading relevant data from the inode's
 * {@link FsPermission} and {@link AclFeature}.  Note that every inode
 * logically has an ACL, even if no ACL has been set explicitly.  If the inode
 * does not have an extended ACL, then the result is a minimal ACL consisting of
 * exactly 3 entries that correspond to the owner, group and other permissions.
 * This method always reads the inode's current state and does not support
 * querying by snapshot ID.  This is because the method is intended to support
 * ACL modification APIs, which always apply a delta on top of current state.
 *
 * @param inode INode to read
 * @return List<AclEntry> containing all logical inode ACL entries
 */
public static List<AclEntry> readINodeLogicalAcl(INode inode) {
    FsPermission perm = inode.getFsPermission();
    AclFeature f = inode.getAclFeature();
    if (f == null) {
        return AclUtil.getMinimalAcl(perm);
    }
    final List<AclEntry> existingAcl;
    // Split ACL entries stored in the feature into access vs. default.
    List<AclEntry> featureEntries = getEntriesFromAclFeature(f);
    ScopedAclEntries scoped = new ScopedAclEntries(featureEntries);
    List<AclEntry> accessEntries = scoped.getAccessEntries();
    List<AclEntry> defaultEntries = scoped.getDefaultEntries();
    // Pre-allocate list size for the explicit entries stored in the feature
    // plus the 3 implicit entries (owner, group and other) from the permission
    // bits.
    existingAcl = Lists.newArrayListWithCapacity(featureEntries.size() + 3);
    if (!accessEntries.isEmpty()) {
        // Add owner entry implied from user permission bits.
        existingAcl.add(new AclEntry.Builder().setScope(AclEntryScope.ACCESS).setType(AclEntryType.USER).setPermission(perm.getUserAction()).build());
        // Next add all named user and group entries taken from the feature.
        existingAcl.addAll(accessEntries);
        // Add mask entry implied from group permission bits.
        existingAcl.add(new AclEntry.Builder().setScope(AclEntryScope.ACCESS).setType(AclEntryType.MASK).setPermission(perm.getGroupAction()).build());
        // Add other entry implied from other permission bits.
        existingAcl.add(new AclEntry.Builder().setScope(AclEntryScope.ACCESS).setType(AclEntryType.OTHER).setPermission(perm.getOtherAction()).build());
    } else {
        // It's possible that there is a default ACL but no access ACL. In this
        // case, add the minimal access ACL implied by the permission bits.
        existingAcl.addAll(AclUtil.getMinimalAcl(perm));
    }
    // Add all default entries after the access entries.
    existingAcl.addAll(defaultEntries);
    // The above adds entries in the correct order, so no need to sort here.
    return existingAcl;
}
Also used : ScopedAclEntries(org.apache.hadoop.fs.permission.ScopedAclEntries) AclEntry(org.apache.hadoop.fs.permission.AclEntry) FsPermission(org.apache.hadoop.fs.permission.FsPermission)

Example 55 with AclEntry

use of org.apache.hadoop.fs.permission.AclEntry in project hadoop by apache.

the class AclTransformation method buildAndValidateAcl.

/**
 * Builds the final list of ACL entries to return by trimming, sorting and
 * validating the ACL entries that have been added.
 *
 * @param aclBuilder ArrayList<AclEntry> containing entries to build
 * @return List<AclEntry> unmodifiable, sorted list of ACL entries
 * @throws AclException if validation fails
 */
private static List<AclEntry> buildAndValidateAcl(ArrayList<AclEntry> aclBuilder) throws AclException {
    aclBuilder.trimToSize();
    Collections.sort(aclBuilder, ACL_ENTRY_COMPARATOR);
    // Full iteration to check for duplicates and invalid named entries.
    AclEntry prevEntry = null;
    for (AclEntry entry : aclBuilder) {
        if (prevEntry != null && ACL_ENTRY_COMPARATOR.compare(prevEntry, entry) == 0) {
            throw new AclException("Invalid ACL: multiple entries with same scope, type and name.");
        }
        if (entry.getName() != null && (entry.getType() == MASK || entry.getType() == OTHER)) {
            throw new AclException("Invalid ACL: this entry type must not have a name: " + entry + ".");
        }
        prevEntry = entry;
    }
    ScopedAclEntries scopedEntries = new ScopedAclEntries(aclBuilder);
    checkMaxEntries(scopedEntries);
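    // Check that the required base access entries (user, group, other) are
    // present.  If there is a default ACL, then do the same check on the
    // default entries.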
    for (AclEntryType type : EnumSet.of(USER, GROUP, OTHER)) {
        AclEntry accessEntryKey = new AclEntry.Builder().setScope(ACCESS).setType(type).build();
        if (Collections.binarySearch(scopedEntries.getAccessEntries(), accessEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
            throw new AclException("Invalid ACL: the user, group and other entries are required.");
        }
        if (!scopedEntries.getDefaultEntries().isEmpty()) {
            AclEntry defaultEntryKey = new AclEntry.Builder().setScope(DEFAULT).setType(type).build();
            if (Collections.binarySearch(scopedEntries.getDefaultEntries(), defaultEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
                throw new AclException("Invalid default ACL: the user, group and other entries are required.");
            }
        }
    }
    return Collections.unmodifiableList(aclBuilder);
}
Also used : ScopedAclEntries(org.apache.hadoop.fs.permission.ScopedAclEntries) AclEntryType(org.apache.hadoop.fs.permission.AclEntryType) AclEntry(org.apache.hadoop.fs.permission.AclEntry) AclException(org.apache.hadoop.hdfs.protocol.AclException)
