예제 #1
0
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
        private void Check(INodeAttributes inode, string path, FsAction access)
        {
            if (inode == null)
            {
                return;
            }
            FsPermission mode       = inode.GetFsPermission();
            AclFeature   aclFeature = inode.GetAclFeature();

            if (aclFeature != null)
            {
                // It's possible that the inode has a default ACL but no access ACL.
                int firstEntry = aclFeature.GetEntryAt(0);
                if (AclEntryStatusFormat.GetScope(firstEntry) == AclEntryScope.Access)
                {
                    CheckAccessAcl(inode, path, access, mode, aclFeature);
                    return;
                }
            }
            if (GetUser().Equals(inode.GetUserName()))
            {
                //user class
                if (mode.GetUserAction().Implies(access))
                {
                    return;
                }
            }
            else
            {
                if (GetGroups().Contains(inode.GetGroupName()))
                {
                    //group class
                    if (mode.GetGroupAction().Implies(access))
                    {
                        return;
                    }
                }
                else
                {
                    //other class
                    if (mode.GetOtherAction().Implies(access))
                    {
                        return;
                    }
                }
            }
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
                                             );
        }
예제 #2
0
 internal static ImmutableList <AclEntry> GetEntriesFromAclFeature(AclFeature aclFeature
                                                                   )
 {
     if (aclFeature == null)
     {
         return(ImmutableList.Of <AclEntry>());
     }
     ImmutableList.Builder <AclEntry> b = new ImmutableList.Builder <AclEntry>();
     for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
     {
         entry = aclFeature.GetEntryAt(pos);
         b.Add(AclEntryStatusFormat.ToAclEntry(entry));
     }
     return((ImmutableList <AclEntry>)b.Build());
 }
예제 #3
0
 private static FsImageProto.INodeSection.AclFeatureProto.Builder BuildAclEntries(
     AclFeature f, FSImageFormatProtobuf.SaverContext.DeduplicationMap <string> map)
 {
     FsImageProto.INodeSection.AclFeatureProto.Builder b = FsImageProto.INodeSection.AclFeatureProto
                                                           .NewBuilder();
     for (int pos = 0; pos < f.GetEntriesSize(); pos++)
     {
         e = f.GetEntryAt(pos);
         int nameId = map.GetId(AclEntryStatusFormat.GetName(e));
         int v      = ((nameId & AclEntryNameMask) << AclEntryNameOffset) | ((int)(AclEntryStatusFormat
                                                                                   .GetType(e)) << AclEntryTypeOffset) | ((int)(AclEntryStatusFormat.GetScope(e)) <<
                                                                                                                     AclEntryScopeOffset) | ((int)(AclEntryStatusFormat.GetPermission(e)));
         b.AddEntries(v);
     }
     return(b);
 }
예제 #4
0
                public override AclFeature GetAclFeature()
                {
                    AclFeature f;

                    if (useDefault)
                    {
                        f = inode.GetAclFeature();
                    }
                    else
                    {
                        AclEntry acl = new AclEntry.Builder().SetType(AclEntryType.Group).SetPermission(FsAction
                                                                                                        .All).SetName("xxx").Build();
                        f = new AclFeature(AclEntryStatusFormat.ToInt(Lists.NewArrayList(acl)));
                    }
                    return(f);
                }
예제 #5
0
            private INodeFile LoadINodeFile(FsImageProto.INodeSection.INode n)
            {
                System.Diagnostics.Debug.Assert(n.GetType() == FsImageProto.INodeSection.INode.Type
                                                .File);
                FsImageProto.INodeSection.INodeFile f  = n.GetFile();
                IList <HdfsProtos.BlockProto>       bp = f.GetBlocksList();
                short replication = (short)f.GetReplication();

                FSImageFormatProtobuf.LoaderContext state = parent.GetLoaderContext();
                BlockInfoContiguous[] blocks = new BlockInfoContiguous[bp.Count];
                for (int i = 0; i < e; ++i)
                {
                    blocks[i] = new BlockInfoContiguous(PBHelper.Convert(bp[i]), replication);
                }
                PermissionStatus permissions = LoadPermission(f.GetPermission(), parent.GetLoaderContext
                                                                  ().GetStringTable());
                INodeFile file = new INodeFile(n.GetId(), n.GetName().ToByteArray(), permissions,
                                               f.GetModificationTime(), f.GetAccessTime(), blocks, replication, f.GetPreferredBlockSize
                                                   (), unchecked ((byte)f.GetStoragePolicyID()));

                if (f.HasAcl())
                {
                    int[] entries = AclEntryStatusFormat.ToInt(LoadAclEntries(f.GetAcl(), state.GetStringTable
                                                                                  ()));
                    file.AddAclFeature(new AclFeature(entries));
                }
                if (f.HasXAttrs())
                {
                    file.AddXAttrFeature(new XAttrFeature(LoadXAttrs(f.GetXAttrs(), state.GetStringTable
                                                                         ())));
                }
                // under-construction information
                if (f.HasFileUC())
                {
                    FsImageProto.INodeSection.FileUnderConstructionFeature uc = f.GetFileUC();
                    file.ToUnderConstruction(uc.GetClientName(), uc.GetClientMachine());
                    if (blocks.Length > 0)
                    {
                        BlockInfoContiguous lastBlk = file.GetLastBlock();
                        // replace the last block of file
                        file.SetBlock(file.NumBlocks() - 1, new BlockInfoContiguousUnderConstruction(lastBlk
                                                                                                     , replication));
                    }
                }
                return(file);
            }
예제 #6
0
        /// <summary>Creates an AclFeature from the given ACL entries.</summary>
        /// <param name="accessEntries">List<AclEntry> access ACL entries</param>
        /// <param name="defaultEntries">List<AclEntry> default ACL entries</param>
        /// <returns>AclFeature containing the required ACL entries</returns>
        private static AclFeature CreateAclFeature(IList <AclEntry> accessEntries, IList <AclEntry
                                                                                          > defaultEntries)
        {
            // Pre-allocate list size for the explicit entries stored in the feature,
            // which is all entries minus the 3 entries implicitly stored in the
            // permission bits.
            IList <AclEntry> featureEntries = Lists.NewArrayListWithCapacity((accessEntries.Count
                                                                              - 3) + defaultEntries.Count);

            // For the access ACL, the feature only needs to hold the named user and
            // group entries.  For a correctly sorted ACL, these will be in a
            // predictable range.
            if (!AclUtil.IsMinimalAcl(accessEntries))
            {
                Sharpen.Collections.AddAll(featureEntries, accessEntries.SubList(1, accessEntries
                                                                                 .Count - 2));
            }
            // Add all default entries to the feature.
            Sharpen.Collections.AddAll(featureEntries, defaultEntries);
            return(new AclFeature(AclEntryStatusFormat.ToInt(featureEntries)));
        }
예제 #7
0
            public static INodeDirectory LoadINodeDirectory(FsImageProto.INodeSection.INode n
                                                            , FSImageFormatProtobuf.LoaderContext state)
            {
                System.Diagnostics.Debug.Assert(n.GetType() == FsImageProto.INodeSection.INode.Type
                                                .Directory);
                FsImageProto.INodeSection.INodeDirectory d = n.GetDirectory();
                PermissionStatus permissions = LoadPermission(d.GetPermission(), state.GetStringTable
                                                                  ());
                INodeDirectory dir = new INodeDirectory(n.GetId(), n.GetName().ToByteArray(), permissions
                                                        , d.GetModificationTime());
                long nsQuota = d.GetNsQuota();
                long dsQuota = d.GetDsQuota();

                if (nsQuota >= 0 || dsQuota >= 0)
                {
                    dir.AddDirectoryWithQuotaFeature(new DirectoryWithQuotaFeature.Builder().NameSpaceQuota
                                                         (nsQuota).StorageSpaceQuota(dsQuota).Build());
                }
                EnumCounters <StorageType> typeQuotas = null;

                if (d.HasTypeQuotas())
                {
                    ImmutableList <QuotaByStorageTypeEntry> qes = LoadQuotaByStorageTypeEntries(d.GetTypeQuotas
                                                                                                    ());
                    typeQuotas = new EnumCounters <StorageType>(typeof(StorageType), HdfsConstants.QuotaReset
                                                                );
                    foreach (QuotaByStorageTypeEntry qe in qes)
                    {
                        if (qe.GetQuota() >= 0 && qe.GetStorageType() != null && qe.GetStorageType().SupportTypeQuota
                                ())
                        {
                            typeQuotas.Set(qe.GetStorageType(), qe.GetQuota());
                        }
                    }
                    if (typeQuotas.AnyGreaterOrEqual(0))
                    {
                        DirectoryWithQuotaFeature q = dir.GetDirectoryWithQuotaFeature();
                        if (q == null)
                        {
                            dir.AddDirectoryWithQuotaFeature(new DirectoryWithQuotaFeature.Builder().TypeQuotas
                                                                 (typeQuotas).Build());
                        }
                        else
                        {
                            q.SetQuota(typeQuotas);
                        }
                    }
                }
                if (d.HasAcl())
                {
                    int[] entries = AclEntryStatusFormat.ToInt(LoadAclEntries(d.GetAcl(), state.GetStringTable
                                                                                  ()));
                    dir.AddAclFeature(new AclFeature(entries));
                }
                if (d.HasXAttrs())
                {
                    dir.AddXAttrFeature(new XAttrFeature(LoadXAttrs(d.GetXAttrs(), state.GetStringTable
                                                                        ())));
                }
                return(dir);
            }
예제 #8
0
        /// <summary>Checks requested access against an Access Control List.</summary>
        /// <remarks>
        /// Checks requested access against an Access Control List.  This method relies
        /// on finding the ACL data in the relevant portions of
        /// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
        /// and
        /// <see cref="AclFeature"/>
        /// as implemented in the logic of
        /// <see cref="AclStorage"/>
        /// .  This
        /// method also relies on receiving the ACL entries in sorted order.  This is
        /// assumed to be true, because the ACL modification methods in
        /// <see cref="AclTransformation"/>
        /// sort the resulting entries.
        /// More specifically, this method depends on these invariants in an ACL:
        /// - The list must be sorted.
        /// - Each entry in the list must be unique by scope + type + name.
        /// - There is exactly one each of the unnamed user/group/other entries.
        /// - The mask entry must not have a name.
        /// - The other entry must not have a name.
        /// - Default entries may be present, but they are ignored during enforcement.
        /// </remarks>
        /// <param name="inode">INodeAttributes accessed inode</param>
        /// <param name="snapshotId">int snapshot ID</param>
        /// <param name="access">FsAction requested permission</param>
        /// <param name="mode">FsPermission mode from inode</param>
        /// <param name="aclFeature">AclFeature of inode</param>
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
        ///     </exception>
        private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
                                    FsPermission mode, AclFeature aclFeature)
        {
            bool foundMatch = false;

            // Use owner entry from permission bits if user is owner.
            if (GetUser().Equals(inode.GetUserName()))
            {
                if (mode.GetUserAction().Implies(access))
                {
                    return;
                }
                foundMatch = true;
            }
            // Check named user and group entries if user was not denied by owner entry.
            if (!foundMatch)
            {
                for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
                {
                    entry = aclFeature.GetEntryAt(pos);
                    if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
                    {
                        break;
                    }
                    AclEntryType type = AclEntryStatusFormat.GetType(entry);
                    string       name = AclEntryStatusFormat.GetName(entry);
                    if (type == AclEntryType.User)
                    {
                        // Use named user entry with mask from permission bits applied if user
                        // matches name.
                        if (GetUser().Equals(name))
                        {
                            FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                ());
                            if (masked.Implies(access))
                            {
                                return;
                            }
                            foundMatch = true;
                            break;
                        }
                    }
                    else
                    {
                        if (type == AclEntryType.Group)
                        {
                            // Use group entry (unnamed or named) with mask from permission bits
                            // applied if user is a member and entry grants access.  If user is a
                            // member of multiple groups that have entries that grant access, then
                            // it doesn't matter which is chosen, so exit early after first match.
                            string group = name == null?inode.GetGroupName() : name;

                            if (GetGroups().Contains(group))
                            {
                                FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
                                                                                                    ());
                                if (masked.Implies(access))
                                {
                                    return;
                                }
                                foundMatch = true;
                            }
                        }
                    }
                }
            }
            // Use other entry if user was not denied by an earlier match.
            if (!foundMatch && mode.GetOtherAction().Implies(access))
            {
                return;
            }
            throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
                                             );
        }