コード例 #1
0
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
        private void Check(INodeAttributes inode, string path, FsAction access)
        {
            if (inode == null)
            {
                return;
            }
            FsPermission mode       = inode.GetFsPermission();
            AclFeature   aclFeature = inode.GetAclFeature();

            if (aclFeature != null)
            {
                // It's possible that the inode has a default ACL but no access ACL.
                int firstEntry = aclFeature.GetEntryAt(0);
                if (AclEntryStatusFormat.GetScope(firstEntry) == AclEntryScope.Access)
                {
                    CheckAccessAcl(inode, path, access, mode, aclFeature);
                    return;
                }
            }
            if (GetUser().Equals(inode.GetUserName()))
            {
                //user class
                if (mode.GetUserAction().Implies(access))
                {
                    return;
                }
            }
            else
            {
                if (GetGroups().Contains(inode.GetGroupName()))
                {
                    //group class
                    if (mode.GetGroupAction().Implies(access))
                    {
                        return;
                    }
                }
                else
                {
                    //other class
                    if (mode.GetOtherAction().Implies(access))
                    {
                        return;
                    }
                }
            }
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
                                             );
        }
コード例 #2
0
ファイル: AclStorage.cs プロジェクト: orf53975/hadoop.net
 internal static ImmutableList <AclEntry> GetEntriesFromAclFeature(AclFeature aclFeature
                                                                   )
 {
     if (aclFeature == null)
     {
         return(ImmutableList.Of <AclEntry>());
     }
     ImmutableList.Builder <AclEntry> b = new ImmutableList.Builder <AclEntry>();
     for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
     {
         entry = aclFeature.GetEntryAt(pos);
         b.Add(AclEntryStatusFormat.ToAclEntry(entry));
     }
     return((ImmutableList <AclEntry>)b.Build());
 }
コード例 #3
0
 private static FsImageProto.INodeSection.AclFeatureProto.Builder BuildAclEntries(
     AclFeature f, FSImageFormatProtobuf.SaverContext.DeduplicationMap <string> map)
 {
     FsImageProto.INodeSection.AclFeatureProto.Builder b = FsImageProto.INodeSection.AclFeatureProto
                                                           .NewBuilder();
     for (int pos = 0; pos < f.GetEntriesSize(); pos++)
     {
         e = f.GetEntryAt(pos);
         int nameId = map.GetId(AclEntryStatusFormat.GetName(e));
         int v      = ((nameId & AclEntryNameMask) << AclEntryNameOffset) | ((int)(AclEntryStatusFormat
                                                                                   .GetType(e)) << AclEntryTypeOffset) | ((int)(AclEntryStatusFormat.GetScope(e)) <<
                                                                                                                     AclEntryScopeOffset) | ((int)(AclEntryStatusFormat.GetPermission(e)));
         b.AddEntries(v);
     }
     return(b);
 }
コード例 #4
0
        /// <summary>Checks requested access against an Access Control List.</summary>
        /// <remarks>
        /// Checks requested access against an Access Control List.  This method relies
        /// on finding the ACL data in the relevant portions of
        /// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
        /// and
        /// <see cref="AclFeature"/>
        /// as implemented in the logic of
        /// <see cref="AclStorage"/>
        /// .  This
        /// method also relies on receiving the ACL entries in sorted order.  This is
        /// assumed to be true, because the ACL modification methods in
        /// <see cref="AclTransformation"/>
        /// sort the resulting entries.
        /// More specifically, this method depends on these invariants in an ACL:
        /// - The list must be sorted.
        /// - Each entry in the list must be unique by scope + type + name.
        /// - There is exactly one each of the unnamed user/group/other entries.
        /// - The mask entry must not have a name.
        /// - The other entry must not have a name.
        /// - Default entries may be present, but they are ignored during enforcement.
        /// </remarks>
        /// <param name="inode">INodeAttributes accessed inode</param>
        /// <param name="snapshotId">int snapshot ID</param>
        /// <param name="access">FsAction requested permission</param>
        /// <param name="mode">FsPermission mode from inode</param>
        /// <param name="aclFeature">AclFeature of inode</param>
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
        ///     </exception>
        private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
                                    FsPermission mode, AclFeature aclFeature)
        {
            bool foundMatch = false;

            // Use owner entry from permission bits if user is owner.
            if (GetUser().Equals(inode.GetUserName()))
            {
                if (mode.GetUserAction().Implies(access))
                {
                    return;
                }
                foundMatch = true;
            }
            // Check named user and group entries if user was not denied by owner entry.
            if (!foundMatch)
            {
                for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
                {
                    entry = aclFeature.GetEntryAt(pos);
                    if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
                    {
                        break;
                    }
                    AclEntryType type = AclEntryStatusFormat.GetType(entry);
                    string       name = AclEntryStatusFormat.GetName(entry);
                    if (type == AclEntryType.User)
                    {
                        // Use named user entry with mask from permission bits applied if user
                        // matches name.
                        if (GetUser().Equals(name))
                        {
                            FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                ());
                            if (masked.Implies(access))
                            {
                                return;
                            }
                            foundMatch = true;
                            break;
                        }
                    }
                    else
                    {
                        if (type == AclEntryType.Group)
                        {
                            // Use group entry (unnamed or named) with mask from permission bits
                            // applied if user is a member and entry grants access.  If user is a
                            // member of multiple groups that have entries that grant access, then
                            // it doesn't matter which is chosen, so exit early after first match.
                            string group = name == null?inode.GetGroupName() : name;

                            if (GetGroups().Contains(group))
                            {
                                FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                    ());
                                if (masked.Implies(access))
                                {
                                    return;
                                }
                                foundMatch = true;
                            }
                        }
                    }
                }
            }
            // Use other entry if user was not denied by an earlier match.
            if (!foundMatch && mode.GetOtherAction().Implies(access))
            {
                return;
            }
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
                                             );
        }