/// <summary>
/// Parses a string representation of an ACL spec into a list of AclEntry
/// objects.
/// </summary>
/// <remarks>
/// Parses a string representation of an ACL spec into a list of AclEntry
/// objects. Example: "user::rwx,user:foo:rw-,group::r--,other::---"
/// </remarks>
/// <param name="aclSpec">String representation of an ACL spec.</param>
/// <param name="includePermission">
/// for setAcl operations this will be true. i.e. AclSpec should
/// include permissions.<br />
/// But for removeAcl operation it will be false. i.e. AclSpec should
/// not contain permissions.<br />
/// Example: "user:foo,group:bar"
/// </param>
/// <returns>
/// Returns list of
/// <see cref="AclEntry"/>
/// parsed
/// </returns>
public static IList <AclEntry> ParseAclSpec(string aclSpec, bool includePermission
)
{
IList <AclEntry> aclEntries = new AList <AclEntry>();
ICollection <string> aclStrings = StringUtils.GetStringCollection(aclSpec, ",");
foreach (string aclStr in aclStrings)
{
AclEntry aclEntry = ParseAclEntry(aclStr, includePermission);
aclEntries.AddItem(aclEntry);
}
return(aclEntries);
}
public static void SetUp()
{
// named user
AclEntry.Builder aclEntryBuilder = new AclEntry.Builder().SetType(AclEntryType.User
).SetName("user1").SetPermission(FsAction.All);
Entry1 = aclEntryBuilder.Build();
Entry2 = aclEntryBuilder.Build();
// named group
Entry3 = new AclEntry.Builder().SetType(AclEntryType.Group).SetName("group2").SetPermission
(FsAction.ReadWrite).Build();
// default other
Entry4 = new AclEntry.Builder().SetType(AclEntryType.Other).SetPermission(FsAction
.None).SetScope(AclEntryScope.Default).Build();
// owner
Entry5 = new AclEntry.Builder().SetType(AclEntryType.User).SetPermission(FsAction
.All).Build();
// default named group
Entry6 = new AclEntry.Builder().SetType(AclEntryType.Group).SetName("group3").SetPermission
(FsAction.ReadWrite).SetScope(AclEntryScope.Default).Build();
// other
Entry7 = new AclEntry.Builder().SetType(AclEntryType.Other).SetPermission(FsAction
.None).Build();
// default named user
Entry8 = new AclEntry.Builder().SetType(AclEntryType.User).SetName("user3").SetPermission
(FsAction.All).SetScope(AclEntryScope.Default).Build();
// mask
Entry9 = new AclEntry.Builder().SetType(AclEntryType.Mask).SetPermission(FsAction
.Read).Build();
// default mask
Entry10 = new AclEntry.Builder().SetType(AclEntryType.Mask).SetPermission(FsAction
.ReadExecute).SetScope(AclEntryScope.Default).Build();
// group
Entry11 = new AclEntry.Builder().SetType(AclEntryType.Group).SetPermission(FsAction
.Read).Build();
// default group
Entry12 = new AclEntry.Builder().SetType(AclEntryType.Group).SetPermission(FsAction
.Read).SetScope(AclEntryScope.Default).Build();
// default owner
Entry13 = new AclEntry.Builder().SetType(AclEntryType.User).SetPermission(FsAction
.All).SetScope(AclEntryScope.Default).Build();
AclStatus.Builder aclStatusBuilder = new AclStatus.Builder().Owner("owner1").Group
("group1").AddEntry(Entry1).AddEntry(Entry3).AddEntry(Entry4);
Status1 = aclStatusBuilder.Build();
Status2 = aclStatusBuilder.Build();
Status3 = new AclStatus.Builder().Owner("owner2").Group("group2").StickyBit(true)
.Build();
Status4 = new AclStatus.Builder().AddEntry(Entry1).AddEntry(Entry3).AddEntry(Entry4
).AddEntry(Entry5).AddEntry(Entry6).AddEntry(Entry7).AddEntry(Entry8).AddEntry(Entry9
).AddEntry(Entry10).AddEntry(Entry11).AddEntry(Entry12).AddEntry(Entry13).Build(
);
}
/// <summary>Given permissions and extended ACL entries, returns the full logical ACL.
/// </summary>
/// <param name="perm">FsPermission containing permissions</param>
/// <param name="entries">List<AclEntry> containing extended ACL entries</param>
/// <returns>List<AclEntry> containing full logical ACL</returns>
public static IList <AclEntry> GetAclFromPermAndEntries(FsPermission perm, IList <AclEntry
> entries)
{
IList <AclEntry> acl = Lists.NewArrayListWithCapacity(entries.Count + 3);
// Owner entry implied by owner permission bits.
acl.AddItem(new AclEntry.Builder().SetScope(AclEntryScope.Access).SetType(AclEntryType
.User).SetPermission(perm.GetUserAction()).Build());
// All extended access ACL entries.
bool hasAccessAcl = false;
IEnumerator <AclEntry> entryIter = entries.GetEnumerator();
AclEntry curEntry = null;
while (entryIter.HasNext())
{
curEntry = entryIter.Next();
if (curEntry.GetScope() == AclEntryScope.Default)
{
break;
}
hasAccessAcl = true;
acl.AddItem(curEntry);
}
// Mask entry implied by group permission bits, or group entry if there is
// no access ACL (only default ACL).
acl.AddItem(new AclEntry.Builder().SetScope(AclEntryScope.Access).SetType(hasAccessAcl
? AclEntryType.Mask : AclEntryType.Group).SetPermission(perm.GetGroupAction()).
Build());
// Other entry implied by other bits.
acl.AddItem(new AclEntry.Builder().SetScope(AclEntryScope.Access).SetType(AclEntryType
.Other).SetPermission(perm.GetOtherAction()).Build());
// Default ACL entries.
if (curEntry != null && curEntry.GetScope() == AclEntryScope.Default)
{
acl.AddItem(curEntry);
while (entryIter.HasNext())
{
acl.AddItem(entryIter.Next());
}
}
return(acl);
}
/// <summary>Get the effective permission for the AclEntry.</summary>
/// <remarks>
/// Get the effective permission for the AclEntry. <br />
/// Recommended to use this API ONLY if client communicates with the old
/// NameNode, needs to pass the Permission for the path to get effective
/// permission, else use
/// <see cref="GetEffectivePermission(AclEntry)"/>
/// .
/// </remarks>
/// <param name="entry">AclEntry to get the effective action</param>
/// <param name="permArg">
/// Permission for the path. However if the client is NOT
/// communicating with old namenode, then this argument will not have
/// any preference.
/// </param>
/// <returns>Returns the effective permission for the entry.</returns>
/// <exception cref="System.ArgumentException">
/// If the client communicating with old
/// namenode and permission is not passed as an argument.
/// </exception>
public virtual FsAction GetEffectivePermission(AclEntry entry, FsPermission permArg
)
{
// At least one permission bits should be available.
Preconditions.CheckArgument(this.permission != null || permArg != null, "Permission bits are not available to calculate effective permission"
);
if (this.permission != null)
{
// permission bits from server response will have the priority for
// accuracy.
permArg = this.permission;
}
if ((entry.GetName() != null || entry.GetType() == AclEntryType.Group))
{
if (entry.GetScope() == AclEntryScope.Access)
{
FsAction entryPerm = entry.GetPermission();
return(entryPerm.And(permArg.GetGroupAction()));
}
else
{
Preconditions.CheckArgument(this.entries.Contains(entry) && this.entries.Count >=
3, "Passed default ACL entry not found in the list of ACLs");
// default mask entry for effective permission calculation will be the
// penultimate entry. This can be mask entry in case of extended ACLs.
// In case of minimal ACL, this is the owner group entry, and we end up
// intersecting group FsAction with itself, which is a no-op.
FsAction defaultMask = this.entries[this.entries.Count - 2].GetPermission();
FsAction entryPerm = entry.GetPermission();
return(entryPerm.And(defaultMask));
}
}
else
{
return(entry.GetPermission());
}
}
/// <summary>Get the effective permission for the AclEntry</summary>
/// <param name="entry">AclEntry to get the effective action</param>
public virtual FsAction GetEffectivePermission(AclEntry entry)
{
return(GetEffectivePermission(entry, permission));
}
/// <summary>Adds an ACL entry.</summary>
/// <param name="e">AclEntry entry to add</param>
/// <returns>Builder this builder, for call chaining</returns>
public virtual AclStatus.Builder AddEntry(AclEntry e)
{
this.entries.AddItem(e);
return(this);
}
/// <summary>Parses a string representation of an ACL into a AclEntry object.<br /></summary>
/// <param name="aclStr">
/// String representation of an ACL.<br />
/// Example: "user:foo:rw-"
/// </param>
/// <param name="includePermission">
/// for setAcl operations this will be true. i.e. Acl should include
/// permissions.<br />
/// But for removeAcl operation it will be false. i.e. Acl should not
/// contain permissions.<br />
/// Example: "user:foo,group:bar,mask::"
/// </param>
/// <returns>
/// Returns an
/// <see cref="AclEntry"/>
/// object
/// </returns>
public static AclEntry ParseAclEntry(string aclStr, bool includePermission)
{
AclEntry.Builder builder = new AclEntry.Builder();
// Here "::" represent one empty string.
// StringUtils.getStringCollection() will ignore this.
string[] split = aclStr.Split(":");
if (split.Length == 0)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
int index = 0;
if ("default".Equals(split[0]))
{
// default entry
index++;
builder.SetScope(AclEntryScope.Default);
}
if (split.Length <= index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
AclEntryType aclType = null;
try
{
aclType = Enum.ValueOf <AclEntryType>(StringUtils.ToUpperCase(split[index]));
builder.SetType(aclType);
index++;
}
catch (ArgumentException)
{
throw new HadoopIllegalArgumentException("Invalid type of acl in <aclSpec> :" + aclStr
);
}
if (split.Length > index)
{
string name = split[index];
if (!name.IsEmpty())
{
builder.SetName(name);
}
index++;
}
if (includePermission)
{
if (split.Length <= index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
string permission = split[index];
FsAction fsAction = FsAction.GetFsAction(permission);
if (null == fsAction)
{
throw new HadoopIllegalArgumentException("Invalid permission in <aclSpec> : " + aclStr
);
}
builder.SetPermission(fsAction);
index++;
}
if (split.Length > index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
AclEntry aclEntry = builder.Build();
return(aclEntry);
}
