Example #1
0
        /// <summary>
        /// Checks for a given path whether the Other permissions on it
        /// imply the permission in the passed FsAction
        /// </summary>
        /// <param name="fs"/>
        /// <param name="path"/>
        /// <param name="action"/>
        /// <returns>true if the path in the uri is visible to all, false otherwise</returns>
        /// <exception cref="System.IO.IOException"/>
        private static bool CheckPermissionOfOther(FileSystem fs, Path path, FsAction action
                                                   , LoadingCache <Path, Future <FileStatus> > statCache)
        {
            FileStatus   status      = GetFileStatus(fs, path, statCache);
            FsPermission perms       = status.GetPermission();
            FsAction     otherAction = perms.GetOtherAction();

            return(otherAction.Implies(action));
        }
        /// <summary>
        /// Checks for a given path whether the Other permissions on it
        /// imply the permission in the passed FsAction
        /// </summary>
        /// <param name="fs"/>
        /// <param name="path"/>
        /// <param name="action"/>
        /// <returns>true if the path in the uri is visible to all, false otherwise</returns>
        /// <exception cref="System.IO.IOException"/>
        private static bool CheckPermissionOfOther(FileSystem fs, Path path, FsAction action
                                                   , IDictionary <URI, FileStatus> statCache)
        {
            FileStatus   status      = GetFileStatus(fs, path.ToUri(), statCache);
            FsPermission perms       = status.GetPermission();
            FsAction     otherAction = perms.GetOtherAction();

            if (otherAction.Implies(action))
            {
                return(true);
            }
            return(false);
        }
Example #3
0
        /// <exception cref="System.IO.IOException"/>
        private static bool CheckPublicPermsForAll(FileSystem fs, FileStatus status, FsAction
                                                   dir, FsAction file)
        {
            FsPermission perms       = status.GetPermission();
            FsAction     otherAction = perms.GetOtherAction();

            if (status.IsDirectory())
            {
                if (!otherAction.Implies(dir))
                {
                    return(false);
                }
                foreach (FileStatus child in fs.ListStatus(status.GetPath()))
                {
                    if (!CheckPublicPermsForAll(fs, child, dir, file))
                    {
                        return(false);
                    }
                }
                return(true);
            }
            return(otherAction.Implies(file));
        }
Example #4
0
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
        public virtual void CheckPermission(string fsOwner, string supergroup, UserGroupInformation
                                            callerUgi, INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr
                                            , int snapshotId, string path, int ancestorIndex, bool doCheckOwner, FsAction ancestorAccess
                                            , FsAction parentAccess, FsAction access, FsAction subAccess, bool ignoreEmptyDir
                                            )
        {
            for (; ancestorIndex >= 0 && inodes[ancestorIndex] == null; ancestorIndex--)
            {
            }
            CheckTraverse(inodeAttrs, path, ancestorIndex);
            INodeAttributes last = inodeAttrs[inodeAttrs.Length - 1];

            if (parentAccess != null && parentAccess.Implies(FsAction.Write) && inodeAttrs.Length
                > 1 && last != null)
            {
                CheckStickyBit(inodeAttrs[inodeAttrs.Length - 2], last);
            }
            if (ancestorAccess != null && inodeAttrs.Length > 1)
            {
                Check(inodeAttrs, path, ancestorIndex, ancestorAccess);
            }
            if (parentAccess != null && inodeAttrs.Length > 1)
            {
                Check(inodeAttrs, path, inodeAttrs.Length - 2, parentAccess);
            }
            if (access != null)
            {
                Check(last, path, access);
            }
            if (subAccess != null)
            {
                INode rawLast = inodes[inodeAttrs.Length - 1];
                CheckSubAccess(pathByNameArr, inodeAttrs.Length - 1, rawLast, snapshotId, subAccess
                               , ignoreEmptyDir);
            }
            if (doCheckOwner)
            {
                CheckOwner(last);
            }
        }
Example #5
0
        /// <summary>Checks requested access against an Access Control List.</summary>
        /// <remarks>
        /// Checks requested access against an Access Control List.  This method relies
        /// on finding the ACL data in the relevant portions of
        /// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
        /// and
        /// <see cref="AclFeature"/>
        /// as implemented in the logic of
        /// <see cref="AclStorage"/>
        /// .  This
        /// method also relies on receiving the ACL entries in sorted order.  This is
        /// assumed to be true, because the ACL modification methods in
        /// <see cref="AclTransformation"/>
        /// sort the resulting entries.
        /// More specifically, this method depends on these invariants in an ACL:
        /// - The list must be sorted.
        /// - Each entry in the list must be unique by scope + type + name.
        /// - There is exactly one each of the unnamed user/group/other entries.
        /// - The mask entry must not have a name.
        /// - The other entry must not have a name.
        /// - Default entries may be present, but they are ignored during enforcement.
        /// </remarks>
        /// <param name="inode">INodeAttributes accessed inode</param>
        /// <param name="snapshotId">int snapshot ID</param>
        /// <param name="access">FsAction requested permission</param>
        /// <param name="mode">FsPermission mode from inode</param>
        /// <param name="aclFeature">AclFeature of inode</param>
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
        ///     </exception>
        private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
                                    FsPermission mode, AclFeature aclFeature)
        {
            bool foundMatch = false;

            // Use owner entry from permission bits if user is owner.
            if (GetUser().Equals(inode.GetUserName()))
            {
                if (mode.GetUserAction().Implies(access))
                {
                    return;
                }
                foundMatch = true;
            }
            // Check named user and group entries if user was not denied by owner entry.
            if (!foundMatch)
            {
                for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
                {
                    entry = aclFeature.GetEntryAt(pos);
                    if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
                    {
                        break;
                    }
                    AclEntryType type = AclEntryStatusFormat.GetType(entry);
                    string       name = AclEntryStatusFormat.GetName(entry);
                    if (type == AclEntryType.User)
                    {
                        // Use named user entry with mask from permission bits applied if user
                        // matches name.
                        if (GetUser().Equals(name))
                        {
                            FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                ());
                            if (masked.Implies(access))
                            {
                                return;
                            }
                            foundMatch = true;
                            break;
                        }
                    }
                    else
                    {
                        if (type == AclEntryType.Group)
                        {
                            // Use group entry (unnamed or named) with mask from permission bits
                            // applied if user is a member and entry grants access.  If user is a
                            // member of multiple groups that have entries that grant access, then
                            // it doesn't matter which is chosen, so exit early after first match.
                            string group = name == null?inode.GetGroupName() : name;

                            if (GetGroups().Contains(group))
                            {
                                FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                    ());
                                if (masked.Implies(access))
                                {
                                    return;
                                }
                                foundMatch = true;
                            }
                        }
                    }
                }
            }
            // Use other entry if user was not denied by an earlier match.
            if (!foundMatch && mode.GetOtherAction().Implies(access))
            {
                return;
            }
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
                                             );
        }