/// <summary>Check whether current user have permissions to access the path.</summary>
/// <remarks>
/// Check whether current user have permissions to access the path.
/// Traverse is always checked.
/// Parent path means the parent directory for the path.
/// Ancestor path means the last (the closest) existing ancestor directory
/// of the path.
/// Note that if the parent path exists,
/// then the parent path and the ancestor path are the same.
/// For example, suppose the path is "/foo/bar/baz".
/// No matter baz is a file or a directory,
/// the parent path is "/foo/bar".
/// If bar exists, then the ancestor path is also "/foo/bar".
/// If bar does not exist and foo exists,
/// then the ancestor path is "/foo".
/// Further, if both foo and bar do not exist,
/// then the ancestor path is "/".
/// </remarks>
/// <param name="doCheckOwner">Require user to be the owner of the path?</param>
/// <param name="ancestorAccess">The access required by the ancestor of the path.</param>
/// <param name="parentAccess">The access required by the parent of the path.</param>
/// <param name="access">The access required by the path.</param>
/// <param name="subAccess">
/// If path is a directory,
/// it is the access required of the path and all the sub-directories.
/// If path is not a directory, there is no effect.
/// </param>
/// <param name="ignoreEmptyDir">Ignore permission checking for empty directory?</param>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">
/// Guarded by
/// <see cref="FSNamesystem.ReadLock()"/>
/// Caller of this method must hold that lock.
/// </exception>
internal virtual void CheckPermission(INodesInPath inodesInPath, bool doCheckOwner
, FsAction ancestorAccess, FsAction parentAccess, FsAction access, FsAction subAccess
, bool ignoreEmptyDir)
{
if (Log.IsDebugEnabled())
{
Log.Debug("ACCESS CHECK: " + this + ", doCheckOwner=" + doCheckOwner + ", ancestorAccess="
+ ancestorAccess + ", parentAccess=" + parentAccess + ", access=" + access + ", subAccess="
+ subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir);
}
// check if (parentAccess != null) && file exists, then check sb
// If resolveLink, the check is performed on the link target.
int snapshotId = inodesInPath.GetPathSnapshotId();
INode[] inodes = inodesInPath.GetINodesArray();
INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.Length];
byte[][] pathByNameArr = new byte[inodes.Length][];
for (int i = 0; i < inodes.Length && inodes[i] != null; i++)
{
if (inodes[i] != null)
{
pathByNameArr[i] = inodes[i].GetLocalNameBytes();
inodeAttrs[i] = GetINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
}
}
string path = inodesInPath.GetPath();
int ancestorIndex = inodes.Length - 2;
INodeAttributeProvider.AccessControlEnforcer enforcer = GetAttributesProvider().GetExternalAccessControlEnforcer
(this);
enforcer.CheckPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes, pathByNameArr
, snapshotId, path, ancestorIndex, doCheckOwner, ancestorAccess, parentAccess, access
, subAccess, ignoreEmptyDir);
}
/// <summary>
/// Can be over-ridden by implementations to provide a custom Access Control
/// Enforcer that can provide an alternate implementation of the
/// default permission checking logic.
/// </summary>
/// <param name="defaultEnforcer">The Default AccessControlEnforcer</param>
/// <returns>The AccessControlEnforcer to use</returns>
public virtual INodeAttributeProvider.AccessControlEnforcer GetExternalAccessControlEnforcer
(INodeAttributeProvider.AccessControlEnforcer defaultEnforcer)
{
return(defaultEnforcer);
}
public override INodeAttributeProvider.AccessControlEnforcer GetExternalAccessControlEnforcer
(INodeAttributeProvider.AccessControlEnforcer deafultEnforcer)
{
return(new TestINodeAttributeProvider.MyAuthorizationProvider.MyAccessControlEnforcer
());
}
