Examples with ACE org.dcache.acl.ACE used on opensource projects

Example 1 with ACE

use of org.dcache.acl.ACE in project dcache by dCache.

the class ChimeraVfs method valueOf.

private static ACE valueOf(nfsace4 ace, NfsIdMapping idMapping) throws BadOwnerException {
    String principal = ace.who.toString();
    int type = ace.type.value;
    int flags = ace.flag.value;
    int mask = ace.access_mask.value;
    int id = -1;
    Who who = Who.fromAbbreviation(principal);
    if (who == null) {
        // not a special principal
        boolean isGroup = AceFlags.IDENTIFIER_GROUP.matches(flags);
        if (isGroup) {
            who = Who.GROUP;
            id = idMapping.principalToGid(principal);
        } else {
            who = Who.USER;
            id = idMapping.principalToUid(principal);
        }
    }
    return new ACE(AceType.valueOf(type), flags, mask, who, id);
}

Example 2 with ACE

use of org.dcache.acl.ACE in project dcache by dCache.

the class JdbcFsTest method testReSetAcl.

@Test
public void testReSetAcl() throws Exception {
    FsInode dirInode = _rootInode.mkdir("testDir", 0, 0, 0755);
    RsType rsType = RsType.FILE;
    List<ACE> aces = new ArrayList<>();
    aces.add(new ACE(AceType.ACCESS_DENIED_ACE_TYPE, 0, AccessMask.ADD_SUBDIRECTORY.getValue(), Who.USER, 1001));
    aces.add(new ACE(AceType.ACCESS_ALLOWED_ACE_TYPE, 0, AccessMask.ADD_FILE.getValue(), Who.USER, 1001));
    _fs.setACL(dirInode, aces);
    _fs.setACL(dirInode, new ArrayList<ACE>());
    assertTrue(_fs.getACL(dirInode).isEmpty());
}

Example 3 with ACE

use of org.dcache.acl.ACE in project dcache by dCache.

the class JdbcFsTest method testSetAcl.

@Test
public void testSetAcl() throws Exception {
    FsInode dirInode = _rootInode.mkdir("testDir", 0, 0, 0755);
    RsType rsType = RsType.FILE;
    List<ACE> aces = new ArrayList<>();
    aces.add(new ACE(AceType.ACCESS_DENIED_ACE_TYPE, 0, AccessMask.ADD_SUBDIRECTORY.getValue(), Who.USER, 1001));
    aces.add(new ACE(AceType.ACCESS_ALLOWED_ACE_TYPE, 0, AccessMask.ADD_FILE.getValue(), Who.USER, 1001));
    _fs.setACL(dirInode, aces);
    List<ACE> l2 = _fs.getACL(dirInode);
    assertEquals(aces, l2);
}

Example 4 with ACE

use of org.dcache.acl.ACE in project dcache by dCache.

the class ChimeraNameSpaceProvider method createUploadPath.

@Override
public FsPath createUploadPath(Subject subject, FsPath path, FsPath rootPath, Long size, AccessLatency al, RetentionPolicy rp, String spaceToken, Set<CreateOption> options) throws CacheException {
    checkState(_uploadDirectory != null, "Upload directory is not configured.");
    try {
        /* Parent directory must exist.
             */
        ExtendedInode parentOfPath = options.contains(CreateOption.CREATE_PARENTS) ? installDirectory(subject, path.parent(), INHERIT_MODE) : lookupDirectory(subject, path.parent());
        FileAttributes attributesOfParent = !Subjects.isExemptFromNamespaceChecks(subject) ? getFileAttributesForPermissionHandler(parentOfPath) : null;
        /* File must not exist unless overwrite is enabled.
             */
        try {
            ExtendedInode inodeOfPath = parentOfPath.inodeOf(path.name(), STAT);
            if (!options.contains(CreateOption.OVERWRITE_EXISTING) || (inodeOfPath.statCache().getMode() & UnixPermission.S_TYPE) != UnixPermission.S_IFREG) {
                throw new FileExistsCacheException("File exists: " + path);
            }
            /* User must be authorized to delete existing file.
                 */
            if (!Subjects.isExemptFromNamespaceChecks(subject)) {
                FileAttributes attributesOfPath = getFileAttributesForPermissionHandler(inodeOfPath);
                if (_permissionHandler.canDeleteFile(subject, attributesOfParent, attributesOfPath) != ACCESS_ALLOWED) {
                    throw new PermissionDeniedCacheException("Access denied: " + path);
                }
            }
        } catch (FileNotFoundChimeraFsException ignored) {
        }
        /* User must be authorized to create file.
             */
        if (!Subjects.isExemptFromNamespaceChecks(subject)) {
            if (_permissionHandler.canCreateFile(subject, attributesOfParent) != ACCESS_ALLOWED) {
                throw new PermissionDeniedCacheException("Access denied: " + path);
            }
        }
        /* Attributes are inherited from real parent directory.
             */
        int mode = parentOfPath.statCache().getMode() & UnixPermission.S_PERMS;
        int gid;
        if ((mode & UnixPermission.S_ISGID) != 0) {
            gid = parentOfPath.statCache().getGid();
        } else if (Subjects.isNobody(subject) || _inheritFileOwnership) {
            gid = parentOfPath.statCache().getGid();
        } else {
            gid = Ints.checkedCast(Subjects.getPrimaryGid(subject));
        }
        int uid;
        if (Subjects.isNobody(subject) || _inheritFileOwnership) {
            uid = parentOfPath.statCache().getUid();
        } else {
            uid = Ints.checkedCast(Subjects.getUid(subject));
        }
        /* ACLs are copied from real parent to the temporary upload directory
             * such that the upload is allowed (in case write permissions rely
             * on ACLs) and such that the file will inherit the correct ACLs.
             */
        List<ACE> acl = _fs.getACL(parentOfPath);
        /* The temporary upload directory has the same tags as the real parent,
             * except target file specific properties are stored as tags local to
             * the upload directory.
             */
        Map<String, byte[]> tags = Maps.newHashMap(parentOfPath.getTags());
        if (spaceToken != null) {
            tags.put(TAG_WRITE_TOKEN, spaceToken.getBytes(UTF_8));
            /* If client provides space token to upload to, the access latency and
                 * retention policy tags of the upload directory must be disregarded.
                 */
            tags.remove(TAG_ACCESS_LATENCY);
            tags.remove(TAG_RETENTION_POLICY);
        }
        if (al != null) {
            tags.put(TAG_ACCESS_LATENCY, al.toString().getBytes(UTF_8));
        }
        if (rp != null) {
            tags.put(TAG_RETENTION_POLICY, rp.toString().getBytes(UTF_8));
        }
        if (size != null) {
            tags.put(TAG_EXPECTED_SIZE, size.toString().getBytes(UTF_8));
        }
        tags.put(TAG_PATH, path.toString().getBytes(UTF_8));
        /* Upload directory may optionally be relative to the user's root path. Whether
             * that's the case depends on if the configured upload directory is an absolute
             * or relative path.
             */
        FsPath uploadDirectory = rootPath.resolve(_uploadDirectory);
        if (_uploadSubDirectory != null) {
            uploadDirectory = uploadDirectory.chroot(String.format(_uploadSubDirectory, threadId.get()));
        }
        /* Upload directory must exist and have the right permissions.
             */
        ExtendedInode inodeOfUploadDir = installSystemDirectory(uploadDirectory, 0711, Collections.emptyList(), Collections.emptyMap());
        if (inodeOfUploadDir.statCache().getUid() != 0) {
            LOGGER.error("Owner must be root: {}", uploadDirectory);
            throw new CacheException("Owner must be root: " + uploadDirectory);
        }
        if ((inodeOfUploadDir.statCache().getMode() & UnixPermission.S_PERMS) != 0711) {
            LOGGER.error("File mode must be 0711: {}", uploadDirectory);
            throw new CacheException("File mode must be 0711: " + uploadDirectory);
        }
        /* Use cryptographically strong pseudo random UUID to create temporary upload directory.
             */
        UUID uuid = UUID.randomUUID();
        _fs.mkdir(inodeOfUploadDir, uuid.toString(), uid, gid, mode, acl, tags);
        return uploadDirectory.child(uuid.toString()).child(path.name());
    } catch (ChimeraFsException e) {
        LOGGER.error("Problem with database: {}", e.getMessage());
        throw new CacheException(CacheException.UNEXPECTED_SYSTEM_EXCEPTION, e.getMessage());
    }
}

Example 5 with ACE

use of org.dcache.acl.ACE in project dcache by dCache.

the class AclUnixMapper method getMasks.

private static int[] getMasks(List<ACE> aces) {
    int[] masks = new int[ACLUnix.NUM_ACES];
    Permission permOwner = new Permission();
    Permission permGroup = new Permission();
    Permission permEveryone = new Permission();
    for (ACE ace : aces) {
        Who who = ace.getWho();
        boolean allowed = (AceType.ACCESS_ALLOWED_ACE_TYPE == ace.getType());
        switch(who) {
            case OWNER:
                applyMask(permOwner, ace.getAccessMsk(), allowed);
                break;
            case OWNER_GROUP:
                applyMask(permGroup, ace.getAccessMsk(), allowed);
                break;
            case EVERYONE:
                int msk = applyMask(permEveryone, ace.getAccessMsk(), allowed);
                if (msk != 0) {
                    applyMask(permOwner, msk, allowed);
                    applyMask(permGroup, msk, allowed);
                }
                break;
            default:
                logger.info("Unsupported who: {}", who);
        }
    }
    masks[ACLUnix.OWNER_INDEX] = perm2accessMask(permOwner);
    masks[ACLUnix.GROUP_OWNER_INDEX] = perm2accessMask(permGroup);
    masks[ACLUnix.OTHER_INDEX] = perm2accessMask(permEveryone);
    return masks;
}