internal static string GetName(int aclEntry)
            int nameExists = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat

            if (nameExists == 0)
            int id = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat.Name.Bits
            AclEntryType type = GetType(aclEntry);

            if (type == AclEntryType.User)
                if (type == AclEntryType.Group)
Esempio n. 2
 // private constructor
 private AclEntry(AclEntryType type, UserPrincipal who, Set <AclEntryPermission> perms, Set <AclEntryFlag> flags)
     this.Type_Renamed  = type;
     this.Who           = who;
     this.Perms         = perms;
     this.Flags_Renamed = flags;
        internal static AclEntryType GetType(int aclEntry)
            int ordinal = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat.Type

Esempio n. 4
 internal Builder(AclEntryType type, UserPrincipal who, Set <AclEntryPermission> perms, Set <AclEntryFlag> flags)
     Debug.Assert(perms != null && flags != null);
     this.Type_Renamed  = type;
     this.Who           = who;
     this.Perms         = perms;
     this.Flags_Renamed = flags;
Esempio n. 5
 /// <summary>Private constructor.</summary>
 /// <param name="type">AclEntryType ACL entry type</param>
 /// <param name="name">String optional ACL entry name</param>
 /// <param name="permission">FsAction set of permissions in the ACL entry</param>
 /// <param name="scope">AclEntryScope scope of the ACL entry</param>
 private AclEntry(AclEntryType type, string name, FsAction permission, AclEntryScope
     this.type       = type;       = name;
     this.permission = permission;
     this.scope      = scope;
Esempio n. 6
 /// <summary>
 /// Sets the type component of this builder.
 /// </summary>
 /// <param name="type">  the component type </param>
 /// <returns>  this builder </returns>
 public Builder SetType(AclEntryType type)
     if (type == null)
         throw new NullPointerException();
     this.Type_Renamed = type;
Esempio n. 7
        /// <summary>
        /// If a default ACL is defined on a parent directory, then copies that default
        /// ACL to a newly created child file or directory.
        /// </summary>
        /// <param name="child">INode newly created child</param>
        public static void CopyINodeDefaultAcl(INode child)
            INodeDirectory parent           = child.GetParent();
            AclFeature     parentAclFeature = parent.GetAclFeature();

            if (parentAclFeature == null || !(child.IsFile() || child.IsDirectory()))
            // Split parent's entries into access vs. default.
            IList <AclEntry> featureEntries       = GetEntriesFromAclFeature(parent.GetAclFeature());
            ScopedAclEntries scopedEntries        = new ScopedAclEntries(featureEntries);
            IList <AclEntry> parentDefaultEntries = scopedEntries.GetDefaultEntries();

            // The parent may have an access ACL but no default ACL.  If so, exit.
            if (parentDefaultEntries.IsEmpty())
            // Pre-allocate list size for access entries to copy from parent.
            IList <AclEntry> accessEntries = Lists.NewArrayListWithCapacity(parentDefaultEntries
            FsPermission childPerm = child.GetFsPermission();
            // Copy each default ACL entry from parent to new child's access ACL.
            bool parentDefaultIsMinimal = AclUtil.IsMinimalAcl(parentDefaultEntries);

            foreach (AclEntry entry in parentDefaultEntries)
                AclEntryType     type    = entry.GetType();
                string           name    = entry.GetName();
                AclEntry.Builder builder = new AclEntry.Builder().SetScope(AclEntryScope.Access).
                // The child's initial permission bits are treated as the mode parameter,
                // which can filter copied permission values for owner, mask and other.
                FsAction permission;
                if (type == AclEntryType.User && name == null)
                    permission = entry.GetPermission().And(childPerm.GetUserAction());
                    if (type == AclEntryType.Group && parentDefaultIsMinimal)
                        // This only happens if the default ACL is a minimal ACL: exactly 3
                        // entries corresponding to owner, group and other.  In this case,
                        // filter the group permissions.
                        permission = entry.GetPermission().And(childPerm.GetGroupAction());
                        if (type == AclEntryType.Mask)
                            // Group bits from mode parameter filter permission of mask entry.
                            permission = entry.GetPermission().And(childPerm.GetGroupAction());
                            if (type == AclEntryType.Other)
                                permission = entry.GetPermission().And(childPerm.GetOtherAction());
                                permission = entry.GetPermission();
            // A new directory also receives a copy of the parent's default ACL.
            IList <AclEntry> defaultEntries = child.IsDirectory() ? parentDefaultEntries : Sharpen.Collections
                                              .EmptyList <AclEntry>();
            FsPermission newPerm;

            if (!AclUtil.IsMinimalAcl(accessEntries) || !defaultEntries.IsEmpty())
                // Save the new ACL to the child.
                child.AddAclFeature(CreateAclFeature(accessEntries, defaultEntries));
                newPerm = CreateFsPermissionForExtendedAcl(accessEntries, childPerm);
                // The child is receiving a minimal ACL.
                newPerm = CreateFsPermissionForMinimalAcl(accessEntries, childPerm);
Esempio n. 8
 /// <summary>Create a new AclEntry with scope and type (no name or permission).</summary>
 /// <param name="scope">AclEntryScope scope of the ACL entry</param>
 /// <param name="type">AclEntryType ACL entry type</param>
 /// <returns>AclEntry new AclEntry</returns>
 public static Org.Apache.Hadoop.FS.Permission.AclEntry AclEntry(AclEntryScope scope
                                                                 , AclEntryType type)
     return(new AclEntry.Builder().SetScope(scope).SetType(type).Build());
Esempio n. 9
 /// <summary>Create a new AclEntry with scope, type, name and permission.</summary>
 /// <param name="scope">AclEntryScope scope of the ACL entry</param>
 /// <param name="type">AclEntryType ACL entry type</param>
 /// <param name="name">String optional ACL entry name</param>
 /// <param name="permission">FsAction set of permissions in the ACL entry</param>
 /// <returns>AclEntry new AclEntry</returns>
 public static Org.Apache.Hadoop.FS.Permission.AclEntry AclEntry(AclEntryScope scope
                                                                 , AclEntryType type, string name, FsAction permission)
     return(new AclEntry.Builder().SetScope(scope).SetType(type).SetName(name).SetPermission
Esempio n. 10
        /// <summary>Parses a string representation of an ACL into a AclEntry object.<br /></summary>
        /// <param name="aclStr">
        /// String representation of an ACL.<br />
        /// Example: "user:foo:rw-"
        /// </param>
        /// <param name="includePermission">
        /// for setAcl operations this will be true. i.e. Acl should include
        /// permissions.<br />
        /// But for removeAcl operation it will be false. i.e. Acl should not
        /// contain permissions.<br />
        /// Example: "user:foo,group:bar,mask::"
        /// </param>
        /// <returns>
        /// Returns an
        /// <see cref="AclEntry"/>
        /// object
        /// </returns>
        public static AclEntry ParseAclEntry(string aclStr, bool includePermission)
            AclEntry.Builder builder = new AclEntry.Builder();
            // Here "::" represent one empty string.
            // StringUtils.getStringCollection() will ignore this.
            string[] split = aclStr.Split(":");
            if (split.Length == 0)
                throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
            int index = 0;

            if ("default".Equals(split[0]))
                // default entry
            if (split.Length <= index)
                throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
            AclEntryType aclType = null;

                aclType = Enum.ValueOf <AclEntryType>(StringUtils.ToUpperCase(split[index]));
            catch (ArgumentException)
                throw new HadoopIllegalArgumentException("Invalid type of acl in <aclSpec> :" + aclStr
            if (split.Length > index)
                string name = split[index];
                if (!name.IsEmpty())
            if (includePermission)
                if (split.Length <= index)
                    throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
                string   permission = split[index];
                FsAction fsAction   = FsAction.GetFsAction(permission);
                if (null == fsAction)
                    throw new HadoopIllegalArgumentException("Invalid permission in <aclSpec> : " + aclStr
            if (split.Length > index)
                throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
            AclEntry aclEntry = builder.Build();

Esempio n. 11
 /// <summary>Sets the ACL entry type.</summary>
 /// <param name="type">AclEntryType ACL entry type</param>
 /// <returns>Builder this builder, for call chaining</returns>
 public virtual AclEntry.Builder SetType(AclEntryType type)
     this.type = type;
Esempio n. 12
        /// <summary>Checks requested access against an Access Control List.</summary>
        /// <remarks>
        /// Checks requested access against an Access Control List.  This method relies
        /// on finding the ACL data in the relevant portions of
        /// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
        /// and
        /// <see cref="AclFeature"/>
        /// as implemented in the logic of
        /// <see cref="AclStorage"/>
        /// .  This
        /// method also relies on receiving the ACL entries in sorted order.  This is
        /// assumed to be true, because the ACL modification methods in
        /// <see cref="AclTransformation"/>
        /// sort the resulting entries.
        /// More specifically, this method depends on these invariants in an ACL:
        /// - The list must be sorted.
        /// - Each entry in the list must be unique by scope + type + name.
        /// - There is exactly one each of the unnamed user/group/other entries.
        /// - The mask entry must not have a name.
        /// - The other entry must not have a name.
        /// - Default entries may be present, but they are ignored during enforcement.
        /// </remarks>
        /// <param name="inode">INodeAttributes accessed inode</param>
        /// <param name="snapshotId">int snapshot ID</param>
        /// <param name="access">FsAction requested permission</param>
        /// <param name="mode">FsPermission mode from inode</param>
        /// <param name="aclFeature">AclFeature of inode</param>
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
        ///     </exception>
        private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
                                    FsPermission mode, AclFeature aclFeature)
            bool foundMatch = false;

            // Use owner entry from permission bits if user is owner.
            if (GetUser().Equals(inode.GetUserName()))
                if (mode.GetUserAction().Implies(access))
                foundMatch = true;
            // Check named user and group entries if user was not denied by owner entry.
            if (!foundMatch)
                for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
                    entry = aclFeature.GetEntryAt(pos);
                    if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
                    AclEntryType type = AclEntryStatusFormat.GetType(entry);
                    string       name = AclEntryStatusFormat.GetName(entry);
                    if (type == AclEntryType.User)
                        // Use named user entry with mask from permission bits applied if user
                        // matches name.
                        if (GetUser().Equals(name))
                            FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                            if (masked.Implies(access))
                            foundMatch = true;
                        if (type == AclEntryType.Group)
                            // Use group entry (unnamed or named) with mask from permission bits
                            // applied if user is a member and entry grants access.  If user is a
                            // member of multiple groups that have entries that grant access, then
                            // it doesn't matter which is chosen, so exit early after first match.
                            string group = name == null?inode.GetGroupName() : name;

                            if (GetGroups().Contains(group))
                                FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                if (masked.Implies(access))
                                foundMatch = true;
            // Use other entry if user was not denied by an earlier match.
            if (!foundMatch && mode.GetOtherAction().Implies(access))
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)