/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
private void Check(INodeAttributes inode, string path, FsAction access)
{
if (inode == null)
{
return;
}
FsPermission mode = inode.GetFsPermission();
AclFeature aclFeature = inode.GetAclFeature();
if (aclFeature != null)
{
// It's possible that the inode has a default ACL but no access ACL.
int firstEntry = aclFeature.GetEntryAt(0);
if (AclEntryStatusFormat.GetScope(firstEntry) == AclEntryScope.Access)
{
CheckAccessAcl(inode, path, access, mode, aclFeature);
return;
}
}
if (GetUser().Equals(inode.GetUserName()))
{
//user class
if (mode.GetUserAction().Implies(access))
{
return;
}
}
else
{
if (GetGroups().Contains(inode.GetGroupName()))
{
//group class
if (mode.GetGroupAction().Implies(access))
{
return;
}
}
else
{
//other class
if (mode.GetOtherAction().Implies(access))
{
return;
}
}
}
throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
);
}
internal static ImmutableList <AclEntry> GetEntriesFromAclFeature(AclFeature aclFeature
)
{
if (aclFeature == null)
{
return(ImmutableList.Of <AclEntry>());
}
ImmutableList.Builder <AclEntry> b = new ImmutableList.Builder <AclEntry>();
for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
{
entry = aclFeature.GetEntryAt(pos);
b.Add(AclEntryStatusFormat.ToAclEntry(entry));
}
return((ImmutableList <AclEntry>)b.Build());
}
private static FsImageProto.INodeSection.AclFeatureProto.Builder BuildAclEntries(
AclFeature f, FSImageFormatProtobuf.SaverContext.DeduplicationMap <string> map)
{
FsImageProto.INodeSection.AclFeatureProto.Builder b = FsImageProto.INodeSection.AclFeatureProto
.NewBuilder();
for (int pos = 0; pos < f.GetEntriesSize(); pos++)
{
e = f.GetEntryAt(pos);
int nameId = map.GetId(AclEntryStatusFormat.GetName(e));
int v = ((nameId & AclEntryNameMask) << AclEntryNameOffset) | ((int)(AclEntryStatusFormat
.GetType(e)) << AclEntryTypeOffset) | ((int)(AclEntryStatusFormat.GetScope(e)) <<
AclEntryScopeOffset) | ((int)(AclEntryStatusFormat.GetPermission(e)));
b.AddEntries(v);
}
return(b);
}
public override AclFeature GetAclFeature()
{
AclFeature f;
if (useDefault)
{
f = inode.GetAclFeature();
}
else
{
AclEntry acl = new AclEntry.Builder().SetType(AclEntryType.Group).SetPermission(FsAction
.All).SetName("xxx").Build();
f = new AclFeature(AclEntryStatusFormat.ToInt(Lists.NewArrayList(acl)));
}
return(f);
}
private INodeFile LoadINodeFile(FsImageProto.INodeSection.INode n)
{
System.Diagnostics.Debug.Assert(n.GetType() == FsImageProto.INodeSection.INode.Type
.File);
FsImageProto.INodeSection.INodeFile f = n.GetFile();
IList <HdfsProtos.BlockProto> bp = f.GetBlocksList();
short replication = (short)f.GetReplication();
FSImageFormatProtobuf.LoaderContext state = parent.GetLoaderContext();
BlockInfoContiguous[] blocks = new BlockInfoContiguous[bp.Count];
for (int i = 0; i < e; ++i)
{
blocks[i] = new BlockInfoContiguous(PBHelper.Convert(bp[i]), replication);
}
PermissionStatus permissions = LoadPermission(f.GetPermission(), parent.GetLoaderContext
().GetStringTable());
INodeFile file = new INodeFile(n.GetId(), n.GetName().ToByteArray(), permissions,
f.GetModificationTime(), f.GetAccessTime(), blocks, replication, f.GetPreferredBlockSize
(), unchecked ((byte)f.GetStoragePolicyID()));
if (f.HasAcl())
{
int[] entries = AclEntryStatusFormat.ToInt(LoadAclEntries(f.GetAcl(), state.GetStringTable
()));
file.AddAclFeature(new AclFeature(entries));
}
if (f.HasXAttrs())
{
file.AddXAttrFeature(new XAttrFeature(LoadXAttrs(f.GetXAttrs(), state.GetStringTable
())));
}
// under-construction information
if (f.HasFileUC())
{
FsImageProto.INodeSection.FileUnderConstructionFeature uc = f.GetFileUC();
file.ToUnderConstruction(uc.GetClientName(), uc.GetClientMachine());
if (blocks.Length > 0)
{
BlockInfoContiguous lastBlk = file.GetLastBlock();
// replace the last block of file
file.SetBlock(file.NumBlocks() - 1, new BlockInfoContiguousUnderConstruction(lastBlk
, replication));
}
}
return(file);
}
/// <summary>Creates an AclFeature from the given ACL entries.</summary>
/// <param name="accessEntries">List<AclEntry> access ACL entries</param>
/// <param name="defaultEntries">List<AclEntry> default ACL entries</param>
/// <returns>AclFeature containing the required ACL entries</returns>
private static AclFeature CreateAclFeature(IList <AclEntry> accessEntries, IList <AclEntry
> defaultEntries)
{
// Pre-allocate list size for the explicit entries stored in the feature,
// which is all entries minus the 3 entries implicitly stored in the
// permission bits.
IList <AclEntry> featureEntries = Lists.NewArrayListWithCapacity((accessEntries.Count
- 3) + defaultEntries.Count);
// For the access ACL, the feature only needs to hold the named user and
// group entries. For a correctly sorted ACL, these will be in a
// predictable range.
if (!AclUtil.IsMinimalAcl(accessEntries))
{
Sharpen.Collections.AddAll(featureEntries, accessEntries.SubList(1, accessEntries
.Count - 2));
}
// Add all default entries to the feature.
Sharpen.Collections.AddAll(featureEntries, defaultEntries);
return(new AclFeature(AclEntryStatusFormat.ToInt(featureEntries)));
}
public static INodeDirectory LoadINodeDirectory(FsImageProto.INodeSection.INode n
, FSImageFormatProtobuf.LoaderContext state)
{
System.Diagnostics.Debug.Assert(n.GetType() == FsImageProto.INodeSection.INode.Type
.Directory);
FsImageProto.INodeSection.INodeDirectory d = n.GetDirectory();
PermissionStatus permissions = LoadPermission(d.GetPermission(), state.GetStringTable
());
INodeDirectory dir = new INodeDirectory(n.GetId(), n.GetName().ToByteArray(), permissions
, d.GetModificationTime());
long nsQuota = d.GetNsQuota();
long dsQuota = d.GetDsQuota();
if (nsQuota >= 0 || dsQuota >= 0)
{
dir.AddDirectoryWithQuotaFeature(new DirectoryWithQuotaFeature.Builder().NameSpaceQuota
(nsQuota).StorageSpaceQuota(dsQuota).Build());
}
EnumCounters <StorageType> typeQuotas = null;
if (d.HasTypeQuotas())
{
ImmutableList <QuotaByStorageTypeEntry> qes = LoadQuotaByStorageTypeEntries(d.GetTypeQuotas
());
typeQuotas = new EnumCounters <StorageType>(typeof(StorageType), HdfsConstants.QuotaReset
);
foreach (QuotaByStorageTypeEntry qe in qes)
{
if (qe.GetQuota() >= 0 && qe.GetStorageType() != null && qe.GetStorageType().SupportTypeQuota
())
{
typeQuotas.Set(qe.GetStorageType(), qe.GetQuota());
}
}
if (typeQuotas.AnyGreaterOrEqual(0))
{
DirectoryWithQuotaFeature q = dir.GetDirectoryWithQuotaFeature();
if (q == null)
{
dir.AddDirectoryWithQuotaFeature(new DirectoryWithQuotaFeature.Builder().TypeQuotas
(typeQuotas).Build());
}
else
{
q.SetQuota(typeQuotas);
}
}
}
if (d.HasAcl())
{
int[] entries = AclEntryStatusFormat.ToInt(LoadAclEntries(d.GetAcl(), state.GetStringTable
()));
dir.AddAclFeature(new AclFeature(entries));
}
if (d.HasXAttrs())
{
dir.AddXAttrFeature(new XAttrFeature(LoadXAttrs(d.GetXAttrs(), state.GetStringTable
())));
}
return(dir);
}
/// <summary>Checks requested access against an Access Control List.</summary>
/// <remarks>
/// Checks requested access against an Access Control List. This method relies
/// on finding the ACL data in the relevant portions of
/// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
/// and
/// <see cref="AclFeature"/>
/// as implemented in the logic of
/// <see cref="AclStorage"/>
/// . This
/// method also relies on receiving the ACL entries in sorted order. This is
/// assumed to be true, because the ACL modification methods in
/// <see cref="AclTransformation"/>
/// sort the resulting entries.
/// More specifically, this method depends on these invariants in an ACL:
/// - The list must be sorted.
/// - Each entry in the list must be unique by scope + type + name.
/// - There is exactly one each of the unnamed user/group/other entries.
/// - The mask entry must not have a name.
/// - The other entry must not have a name.
/// - Default entries may be present, but they are ignored during enforcement.
/// </remarks>
/// <param name="inode">INodeAttributes accessed inode</param>
/// <param name="snapshotId">int snapshot ID</param>
/// <param name="access">FsAction requested permission</param>
/// <param name="mode">FsPermission mode from inode</param>
/// <param name="aclFeature">AclFeature of inode</param>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
/// </exception>
private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
FsPermission mode, AclFeature aclFeature)
{
bool foundMatch = false;
// Use owner entry from permission bits if user is owner.
if (GetUser().Equals(inode.GetUserName()))
{
if (mode.GetUserAction().Implies(access))
{
return;
}
foundMatch = true;
}
// Check named user and group entries if user was not denied by owner entry.
if (!foundMatch)
{
for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
{
entry = aclFeature.GetEntryAt(pos);
if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
{
break;
}
AclEntryType type = AclEntryStatusFormat.GetType(entry);
string name = AclEntryStatusFormat.GetName(entry);
if (type == AclEntryType.User)
{
// Use named user entry with mask from permission bits applied if user
// matches name.
if (GetUser().Equals(name))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
break;
}
}
else
{
if (type == AclEntryType.Group)
{
// Use group entry (unnamed or named) with mask from permission bits
// applied if user is a member and entry grants access. If user is a
// member of multiple groups that have entries that grant access, then
// it doesn't matter which is chosen, so exit early after first match.
string group = name == null?inode.GetGroupName() : name;
if (GetGroups().Contains(group))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
}
}
}
}
}
// Use other entry if user was not denied by an earlier match.
if (!foundMatch && mode.GetOtherAction().Implies(access))
{
return;
}
throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
);
}
