/// <exception cref="System.IO.IOException"/> private static void WritePermissionStatus(INodeAttributes inode, DataOutput @out) { FsPermission p = TlData.Get().FilePerm; p.FromShort(inode.GetFsPermissionShort()); PermissionStatus.Write(@out, inode.GetUserName(), inode.GetGroupName(), p); }
/// <summary>Create FileStatus with location info by file INode</summary> /// <exception cref="System.IO.IOException"/> private static HdfsLocatedFileStatus CreateLocatedFileStatus(FSDirectory fsd, string fullPath, byte[] path, INode node, byte storagePolicy, int snapshot, bool isRawPath , INodesInPath iip) { System.Diagnostics.Debug.Assert(fsd.HasReadLock()); long size = 0; // length is zero for directories short replication = 0; long blocksize = 0; LocatedBlocks loc = null; bool isEncrypted; FileEncryptionInfo feInfo = isRawPath ? null : fsd.GetFileEncryptionInfo(node, snapshot , iip); if (node.IsFile()) { INodeFile fileNode = node.AsFile(); size = fileNode.ComputeFileSize(snapshot); replication = fileNode.GetFileReplication(snapshot); blocksize = fileNode.GetPreferredBlockSize(); bool inSnapshot = snapshot != Org.Apache.Hadoop.Hdfs.Server.Namenode.Snapshot.Snapshot .CurrentStateId; bool isUc = !inSnapshot && fileNode.IsUnderConstruction(); long fileSize = !inSnapshot && isUc?fileNode.ComputeFileSizeNotIncludingLastUcBlock () : size; loc = fsd.GetFSNamesystem().GetBlockManager().CreateLocatedBlocks(fileNode.GetBlocks (snapshot), fileSize, isUc, 0L, size, false, inSnapshot, feInfo); if (loc == null) { loc = new LocatedBlocks(); } isEncrypted = (feInfo != null) || (isRawPath && fsd.IsInAnEZ(INodesInPath.FromINode (node))); } else { isEncrypted = fsd.IsInAnEZ(INodesInPath.FromINode(node)); } int childrenNum = node.IsDirectory() ? node.AsDirectory().GetChildrenNum(snapshot ) : 0; INodeAttributes nodeAttrs = fsd.GetAttributes(fullPath, path, node, snapshot); HdfsLocatedFileStatus status = new HdfsLocatedFileStatus(size, node.IsDirectory() , replication, blocksize, node.GetModificationTime(snapshot), node.GetAccessTime (snapshot), GetPermissionForFileStatus(nodeAttrs, isEncrypted), nodeAttrs.GetUserName (), nodeAttrs.GetGroupName(), node.IsSymlink() ? node.AsSymlink().GetSymlink() : null, path, node.GetId(), loc, childrenNum, feInfo, storagePolicy); // Set caching information for the located blocks. if (loc != null) { CacheManager cacheManager = fsd.GetFSNamesystem().GetCacheManager(); foreach (LocatedBlock lb in loc.GetLocatedBlocks()) { cacheManager.SetCachedLocations(lb); } } return(status); }
private static long BuildPermissionStatus(INodeAttributes n, FSImageFormatProtobuf.SaverContext.DeduplicationMap <string> stringMap) { long userId = stringMap.GetId(n.GetUserName()); long groupId = stringMap.GetId(n.GetGroupName()); return(((userId & UserGroupStridMask) << UserStridOffset) | ((groupId & UserGroupStridMask ) << GroupStridOffset) | n.GetFsPermissionShort()); }
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> private void Check(INodeAttributes inode, string path, FsAction access) { if (inode == null) { return; } FsPermission mode = inode.GetFsPermission(); AclFeature aclFeature = inode.GetAclFeature(); if (aclFeature != null) { // It's possible that the inode has a default ACL but no access ACL. int firstEntry = aclFeature.GetEntryAt(0); if (AclEntryStatusFormat.GetScope(firstEntry) == AclEntryScope.Access) { CheckAccessAcl(inode, path, access, mode, aclFeature); return; } } if (GetUser().Equals(inode.GetUserName())) { //user class if (mode.GetUserAction().Implies(access)) { return; } } else { if (GetGroups().Contains(inode.GetGroupName())) { //group class if (mode.GetGroupAction().Implies(access)) { return; } } else { //other class if (mode.GetOtherAction().Implies(access)) { return; } } } throw new AccessControlException(ToAccessControlString(inode, path, access, mode) ); }
/// <returns> /// a string for throwing /// <see cref="Org.Apache.Hadoop.Security.AccessControlException"/> /// /// </returns> private string ToAccessControlString(INodeAttributes inodeAttrib, string path, FsAction access, FsPermission mode, bool deniedFromAcl) { StringBuilder sb = new StringBuilder("Permission denied: ").Append("user="******", ").Append("access=").Append(access).Append(", ").Append("inode=\"" ).Append(path).Append("\":").Append(inodeAttrib.GetUserName()).Append(':').Append (inodeAttrib.GetGroupName()).Append(':').Append(inodeAttrib.IsDirectory() ? 'd' : '-').Append(mode); if (deniedFromAcl) { sb.Append("+"); } return(sb.ToString()); }
/// <summary>Create FileStatus by file INode</summary> /// <exception cref="System.IO.IOException"/> internal static HdfsFileStatus CreateFileStatus(FSDirectory fsd, string fullPath, byte[] path, INode node, byte storagePolicy, int snapshot, bool isRawPath, INodesInPath iip) { long size = 0; // length is zero for directories short replication = 0; long blocksize = 0; bool isEncrypted; FileEncryptionInfo feInfo = isRawPath ? null : fsd.GetFileEncryptionInfo(node, snapshot , iip); if (node.IsFile()) { INodeFile fileNode = node.AsFile(); size = fileNode.ComputeFileSize(snapshot); replication = fileNode.GetFileReplication(snapshot); blocksize = fileNode.GetPreferredBlockSize(); isEncrypted = (feInfo != null) || (isRawPath && fsd.IsInAnEZ(INodesInPath.FromINode (node))); } else { isEncrypted = fsd.IsInAnEZ(INodesInPath.FromINode(node)); } int childrenNum = node.IsDirectory() ? node.AsDirectory().GetChildrenNum(snapshot ) : 0; INodeAttributes nodeAttrs = fsd.GetAttributes(fullPath, path, node, snapshot); return(new HdfsFileStatus(size, node.IsDirectory(), replication, blocksize, node. GetModificationTime(snapshot), node.GetAccessTime(snapshot), GetPermissionForFileStatus (nodeAttrs, isEncrypted), nodeAttrs.GetUserName(), nodeAttrs.GetGroupName(), node .IsSymlink() ? node.AsSymlink().GetSymlink() : null, path, node.GetId(), childrenNum , feInfo, storagePolicy)); }
/// <summary>Checks requested access against an Access Control List.</summary> /// <remarks> /// Checks requested access against an Access Control List. This method relies /// on finding the ACL data in the relevant portions of /// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/> /// and /// <see cref="AclFeature"/> /// as implemented in the logic of /// <see cref="AclStorage"/> /// . This /// method also relies on receiving the ACL entries in sorted order. This is /// assumed to be true, because the ACL modification methods in /// <see cref="AclTransformation"/> /// sort the resulting entries. /// More specifically, this method depends on these invariants in an ACL: /// - The list must be sorted. /// - Each entry in the list must be unique by scope + type + name. /// - There is exactly one each of the unnamed user/group/other entries. /// - The mask entry must not have a name. /// - The other entry must not have a name. /// - Default entries may be present, but they are ignored during enforcement. /// </remarks> /// <param name="inode">INodeAttributes accessed inode</param> /// <param name="snapshotId">int snapshot ID</param> /// <param name="access">FsAction requested permission</param> /// <param name="mode">FsPermission mode from inode</param> /// <param name="aclFeature">AclFeature of inode</param> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission /// </exception> private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access, FsPermission mode, AclFeature aclFeature) { bool foundMatch = false; // Use owner entry from permission bits if user is owner. if (GetUser().Equals(inode.GetUserName())) { if (mode.GetUserAction().Implies(access)) { return; } foundMatch = true; } // Check named user and group entries if user was not denied by owner entry. if (!foundMatch) { for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++) { entry = aclFeature.GetEntryAt(pos); if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default) { break; } AclEntryType type = AclEntryStatusFormat.GetType(entry); string name = AclEntryStatusFormat.GetName(entry); if (type == AclEntryType.User) { // Use named user entry with mask from permission bits applied if user // matches name. if (GetUser().Equals(name)) { FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction ()); if (masked.Implies(access)) { return; } foundMatch = true; break; } } else { if (type == AclEntryType.Group) { // Use group entry (unnamed or named) with mask from permission bits // applied if user is a member and entry grants access. If user is a // member of multiple groups that have entries that grant access, then // it doesn't matter which is chosen, so exit early after first match. string group = name == null?inode.GetGroupName() : name; if (GetGroups().Contains(group)) { FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction ()); if (masked.Implies(access)) { return; } foundMatch = true; } } } } } // Use other entry if user was not denied by an earlier match. if (!foundMatch && mode.GetOtherAction().Implies(access)) { return; } throw new AccessControlException(ToAccessControlString(inode, path, access, mode) ); }