/// <summary>Check whether current user have permissions to access the path.</summary> /// <remarks> /// Check whether current user have permissions to access the path. /// Traverse is always checked. /// Parent path means the parent directory for the path. /// Ancestor path means the last (the closest) existing ancestor directory /// of the path. /// Note that if the parent path exists, /// then the parent path and the ancestor path are the same. /// For example, suppose the path is "/foo/bar/baz". /// No matter baz is a file or a directory, /// the parent path is "/foo/bar". /// If bar exists, then the ancestor path is also "/foo/bar". /// If bar does not exist and foo exists, /// then the ancestor path is "/foo". /// Further, if both foo and bar do not exist, /// then the ancestor path is "/". /// </remarks> /// <param name="doCheckOwner">Require user to be the owner of the path?</param> /// <param name="ancestorAccess">The access required by the ancestor of the path.</param> /// <param name="parentAccess">The access required by the parent of the path.</param> /// <param name="access">The access required by the path.</param> /// <param name="subAccess"> /// If path is a directory, /// it is the access required of the path and all the sub-directories. /// If path is not a directory, there is no effect. /// </param> /// <param name="ignoreEmptyDir">Ignore permission checking for empty directory?</param> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"> /// Guarded by /// <see cref="FSNamesystem.ReadLock()"/> /// Caller of this method must hold that lock. /// </exception> internal virtual void CheckPermission(INodesInPath inodesInPath, bool doCheckOwner , FsAction ancestorAccess, FsAction parentAccess, FsAction access, FsAction subAccess , bool ignoreEmptyDir) { if (Log.IsDebugEnabled()) { Log.Debug("ACCESS CHECK: " + this + ", doCheckOwner=" + doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess + ", access=" + access + ", subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir); } // check if (parentAccess != null) && file exists, then check sb // If resolveLink, the check is performed on the link target. int snapshotId = inodesInPath.GetPathSnapshotId(); INode[] inodes = inodesInPath.GetINodesArray(); INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.Length]; byte[][] pathByNameArr = new byte[inodes.Length][]; for (int i = 0; i < inodes.Length && inodes[i] != null; i++) { if (inodes[i] != null) { pathByNameArr[i] = inodes[i].GetLocalNameBytes(); inodeAttrs[i] = GetINodeAttrs(pathByNameArr, i, inodes[i], snapshotId); } } string path = inodesInPath.GetPath(); int ancestorIndex = inodes.Length - 2; INodeAttributeProvider.AccessControlEnforcer enforcer = GetAttributesProvider().GetExternalAccessControlEnforcer (this); enforcer.CheckPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes, pathByNameArr , snapshotId, path, ancestorIndex, doCheckOwner, ancestorAccess, parentAccess, access , subAccess, ignoreEmptyDir); }
/// <summary> /// Can be over-ridden by implementations to provide a custom Access Control /// Enforcer that can provide an alternate implementation of the /// default permission checking logic. /// </summary> /// <param name="defaultEnforcer">The Default AccessControlEnforcer</param> /// <returns>The AccessControlEnforcer to use</returns> public virtual INodeAttributeProvider.AccessControlEnforcer GetExternalAccessControlEnforcer (INodeAttributeProvider.AccessControlEnforcer defaultEnforcer) { return(defaultEnforcer); }
public override INodeAttributeProvider.AccessControlEnforcer GetExternalAccessControlEnforcer (INodeAttributeProvider.AccessControlEnforcer deafultEnforcer) { return(new TestINodeAttributeProvider.MyAuthorizationProvider.MyAccessControlEnforcer ()); }