/// <summary>
/// Checks for a given path whether the Other permissions on it
/// imply the permission in the passed FsAction
/// </summary>
/// <param name="fs"/>
/// <param name="path"/>
/// <param name="action"/>
/// <returns>true if the path in the uri is visible to all, false otherwise</returns>
/// <exception cref="System.IO.IOException"/>
private static bool CheckPermissionOfOther(FileSystem fs, Path path, FsAction action
, LoadingCache <Path, Future <FileStatus> > statCache)
{
FileStatus status = GetFileStatus(fs, path, statCache);
FsPermission perms = status.GetPermission();
FsAction otherAction = perms.GetOtherAction();
return(otherAction.Implies(action));
}
/// <summary>
/// Checks for a given path whether the Other permissions on it
/// imply the permission in the passed FsAction
/// </summary>
/// <param name="fs"/>
/// <param name="path"/>
/// <param name="action"/>
/// <returns>true if the path in the uri is visible to all, false otherwise</returns>
/// <exception cref="System.IO.IOException"/>
private static bool CheckPermissionOfOther(FileSystem fs, Path path, FsAction action
, IDictionary <URI, FileStatus> statCache)
{
FileStatus status = GetFileStatus(fs, path.ToUri(), statCache);
FsPermission perms = status.GetPermission();
FsAction otherAction = perms.GetOtherAction();
if (otherAction.Implies(action))
{
return(true);
}
return(false);
}
/// <exception cref="System.IO.IOException"/>
private static bool CheckPublicPermsForAll(FileSystem fs, FileStatus status, FsAction
dir, FsAction file)
{
FsPermission perms = status.GetPermission();
FsAction otherAction = perms.GetOtherAction();
if (status.IsDirectory())
{
if (!otherAction.Implies(dir))
{
return(false);
}
foreach (FileStatus child in fs.ListStatus(status.GetPath()))
{
if (!CheckPublicPermsForAll(fs, child, dir, file))
{
return(false);
}
}
return(true);
}
return(otherAction.Implies(file));
}
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
public virtual void CheckPermission(string fsOwner, string supergroup, UserGroupInformation
callerUgi, INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr
, int snapshotId, string path, int ancestorIndex, bool doCheckOwner, FsAction ancestorAccess
, FsAction parentAccess, FsAction access, FsAction subAccess, bool ignoreEmptyDir
)
{
for (; ancestorIndex >= 0 && inodes[ancestorIndex] == null; ancestorIndex--)
{
}
CheckTraverse(inodeAttrs, path, ancestorIndex);
INodeAttributes last = inodeAttrs[inodeAttrs.Length - 1];
if (parentAccess != null && parentAccess.Implies(FsAction.Write) && inodeAttrs.Length
> 1 && last != null)
{
CheckStickyBit(inodeAttrs[inodeAttrs.Length - 2], last);
}
if (ancestorAccess != null && inodeAttrs.Length > 1)
{
Check(inodeAttrs, path, ancestorIndex, ancestorAccess);
}
if (parentAccess != null && inodeAttrs.Length > 1)
{
Check(inodeAttrs, path, inodeAttrs.Length - 2, parentAccess);
}
if (access != null)
{
Check(last, path, access);
}
if (subAccess != null)
{
INode rawLast = inodes[inodeAttrs.Length - 1];
CheckSubAccess(pathByNameArr, inodeAttrs.Length - 1, rawLast, snapshotId, subAccess
, ignoreEmptyDir);
}
if (doCheckOwner)
{
CheckOwner(last);
}
}
/// <summary>Checks requested access against an Access Control List.</summary>
/// <remarks>
/// Checks requested access against an Access Control List. This method relies
/// on finding the ACL data in the relevant portions of
/// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
/// and
/// <see cref="AclFeature"/>
/// as implemented in the logic of
/// <see cref="AclStorage"/>
/// . This
/// method also relies on receiving the ACL entries in sorted order. This is
/// assumed to be true, because the ACL modification methods in
/// <see cref="AclTransformation"/>
/// sort the resulting entries.
/// More specifically, this method depends on these invariants in an ACL:
/// - The list must be sorted.
/// - Each entry in the list must be unique by scope + type + name.
/// - There is exactly one each of the unnamed user/group/other entries.
/// - The mask entry must not have a name.
/// - The other entry must not have a name.
/// - Default entries may be present, but they are ignored during enforcement.
/// </remarks>
/// <param name="inode">INodeAttributes accessed inode</param>
/// <param name="snapshotId">int snapshot ID</param>
/// <param name="access">FsAction requested permission</param>
/// <param name="mode">FsPermission mode from inode</param>
/// <param name="aclFeature">AclFeature of inode</param>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
/// </exception>
private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
FsPermission mode, AclFeature aclFeature)
{
bool foundMatch = false;
// Use owner entry from permission bits if user is owner.
if (GetUser().Equals(inode.GetUserName()))
{
if (mode.GetUserAction().Implies(access))
{
return;
}
foundMatch = true;
}
// Check named user and group entries if user was not denied by owner entry.
if (!foundMatch)
{
for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
{
entry = aclFeature.GetEntryAt(pos);
if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
{
break;
}
AclEntryType type = AclEntryStatusFormat.GetType(entry);
string name = AclEntryStatusFormat.GetName(entry);
if (type == AclEntryType.User)
{
// Use named user entry with mask from permission bits applied if user
// matches name.
if (GetUser().Equals(name))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
break;
}
}
else
{
if (type == AclEntryType.Group)
{
// Use group entry (unnamed or named) with mask from permission bits
// applied if user is a member and entry grants access. If user is a
// member of multiple groups that have entries that grant access, then
// it doesn't matter which is chosen, so exit early after first match.
string group = name == null?inode.GetGroupName() : name;
if (GetGroups().Contains(group))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
}
}
}
}
}
// Use other entry if user was not denied by an earlier match.
if (!foundMatch && mode.GetOtherAction().Implies(access))
{
return;
}
throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
);
}
