internal static string GetName(int aclEntry)
{
int nameExists = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat
.NamedEntryCheck.Bits.Retrieve(aclEntry);
if (nameExists == 0)
{
return(null);
}
int id = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat.Name.Bits
.Retrieve(aclEntry);
AclEntryType type = GetType(aclEntry);
if (type == AclEntryType.User)
{
return(SerialNumberManager.Instance.GetUser(id));
}
else
{
if (type == AclEntryType.Group)
{
return(SerialNumberManager.Instance.GetGroup(id));
}
}
return(null);
}
// private constructor
private AclEntry(AclEntryType type, UserPrincipal who, Set <AclEntryPermission> perms, Set <AclEntryFlag> flags)
{
this.Type_Renamed = type;
this.Who = who;
this.Perms = perms;
this.Flags_Renamed = flags;
}
internal static AclEntryType GetType(int aclEntry)
{
int ordinal = (int)Org.Apache.Hadoop.Hdfs.Server.Namenode.AclEntryStatusFormat.Type
.Bits.Retrieve(aclEntry);
return(AclEntryType.Values()[ordinal]);
}
internal Builder(AclEntryType type, UserPrincipal who, Set <AclEntryPermission> perms, Set <AclEntryFlag> flags)
{
Debug.Assert(perms != null && flags != null);
this.Type_Renamed = type;
this.Who = who;
this.Perms = perms;
this.Flags_Renamed = flags;
}
/// <summary>Private constructor.</summary>
/// <param name="type">AclEntryType ACL entry type</param>
/// <param name="name">String optional ACL entry name</param>
/// <param name="permission">FsAction set of permissions in the ACL entry</param>
/// <param name="scope">AclEntryScope scope of the ACL entry</param>
private AclEntry(AclEntryType type, string name, FsAction permission, AclEntryScope
scope)
{
this.type = type;
this.name = name;
this.permission = permission;
this.scope = scope;
}
/// <summary>
/// Sets the type component of this builder.
/// </summary>
/// <param name="type"> the component type </param>
/// <returns> this builder </returns>
public Builder SetType(AclEntryType type)
{
if (type == null)
{
throw new NullPointerException();
}
this.Type_Renamed = type;
return(this);
}
/// <summary>
/// If a default ACL is defined on a parent directory, then copies that default
/// ACL to a newly created child file or directory.
/// </summary>
/// <param name="child">INode newly created child</param>
public static void CopyINodeDefaultAcl(INode child)
{
INodeDirectory parent = child.GetParent();
AclFeature parentAclFeature = parent.GetAclFeature();
if (parentAclFeature == null || !(child.IsFile() || child.IsDirectory()))
{
return;
}
// Split parent's entries into access vs. default.
IList <AclEntry> featureEntries = GetEntriesFromAclFeature(parent.GetAclFeature());
ScopedAclEntries scopedEntries = new ScopedAclEntries(featureEntries);
IList <AclEntry> parentDefaultEntries = scopedEntries.GetDefaultEntries();
// The parent may have an access ACL but no default ACL. If so, exit.
if (parentDefaultEntries.IsEmpty())
{
return;
}
// Pre-allocate list size for access entries to copy from parent.
IList <AclEntry> accessEntries = Lists.NewArrayListWithCapacity(parentDefaultEntries
.Count);
FsPermission childPerm = child.GetFsPermission();
// Copy each default ACL entry from parent to new child's access ACL.
bool parentDefaultIsMinimal = AclUtil.IsMinimalAcl(parentDefaultEntries);
foreach (AclEntry entry in parentDefaultEntries)
{
AclEntryType type = entry.GetType();
string name = entry.GetName();
AclEntry.Builder builder = new AclEntry.Builder().SetScope(AclEntryScope.Access).
SetType(type).SetName(name);
// The child's initial permission bits are treated as the mode parameter,
// which can filter copied permission values for owner, mask and other.
FsAction permission;
if (type == AclEntryType.User && name == null)
{
permission = entry.GetPermission().And(childPerm.GetUserAction());
}
else
{
if (type == AclEntryType.Group && parentDefaultIsMinimal)
{
// This only happens if the default ACL is a minimal ACL: exactly 3
// entries corresponding to owner, group and other. In this case,
// filter the group permissions.
permission = entry.GetPermission().And(childPerm.GetGroupAction());
}
else
{
if (type == AclEntryType.Mask)
{
// Group bits from mode parameter filter permission of mask entry.
permission = entry.GetPermission().And(childPerm.GetGroupAction());
}
else
{
if (type == AclEntryType.Other)
{
permission = entry.GetPermission().And(childPerm.GetOtherAction());
}
else
{
permission = entry.GetPermission();
}
}
}
}
builder.SetPermission(permission);
accessEntries.AddItem(builder.Build());
}
// A new directory also receives a copy of the parent's default ACL.
IList <AclEntry> defaultEntries = child.IsDirectory() ? parentDefaultEntries : Sharpen.Collections
.EmptyList <AclEntry>();
FsPermission newPerm;
if (!AclUtil.IsMinimalAcl(accessEntries) || !defaultEntries.IsEmpty())
{
// Save the new ACL to the child.
child.AddAclFeature(CreateAclFeature(accessEntries, defaultEntries));
newPerm = CreateFsPermissionForExtendedAcl(accessEntries, childPerm);
}
else
{
// The child is receiving a minimal ACL.
newPerm = CreateFsPermissionForMinimalAcl(accessEntries, childPerm);
}
child.SetPermission(newPerm);
}
/// <summary>Create a new AclEntry with scope and type (no name or permission).</summary>
/// <param name="scope">AclEntryScope scope of the ACL entry</param>
/// <param name="type">AclEntryType ACL entry type</param>
/// <returns>AclEntry new AclEntry</returns>
public static Org.Apache.Hadoop.FS.Permission.AclEntry AclEntry(AclEntryScope scope
, AclEntryType type)
{
return(new AclEntry.Builder().SetScope(scope).SetType(type).Build());
}
/// <summary>Create a new AclEntry with scope, type, name and permission.</summary>
/// <param name="scope">AclEntryScope scope of the ACL entry</param>
/// <param name="type">AclEntryType ACL entry type</param>
/// <param name="name">String optional ACL entry name</param>
/// <param name="permission">FsAction set of permissions in the ACL entry</param>
/// <returns>AclEntry new AclEntry</returns>
public static Org.Apache.Hadoop.FS.Permission.AclEntry AclEntry(AclEntryScope scope
, AclEntryType type, string name, FsAction permission)
{
return(new AclEntry.Builder().SetScope(scope).SetType(type).SetName(name).SetPermission
(permission).Build());
}
/// <summary>Parses a string representation of an ACL into a AclEntry object.<br /></summary>
/// <param name="aclStr">
/// String representation of an ACL.<br />
/// Example: "user:foo:rw-"
/// </param>
/// <param name="includePermission">
/// for setAcl operations this will be true. i.e. Acl should include
/// permissions.<br />
/// But for removeAcl operation it will be false. i.e. Acl should not
/// contain permissions.<br />
/// Example: "user:foo,group:bar,mask::"
/// </param>
/// <returns>
/// Returns an
/// <see cref="AclEntry"/>
/// object
/// </returns>
public static AclEntry ParseAclEntry(string aclStr, bool includePermission)
{
AclEntry.Builder builder = new AclEntry.Builder();
// Here "::" represent one empty string.
// StringUtils.getStringCollection() will ignore this.
string[] split = aclStr.Split(":");
if (split.Length == 0)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
int index = 0;
if ("default".Equals(split[0]))
{
// default entry
index++;
builder.SetScope(AclEntryScope.Default);
}
if (split.Length <= index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
AclEntryType aclType = null;
try
{
aclType = Enum.ValueOf <AclEntryType>(StringUtils.ToUpperCase(split[index]));
builder.SetType(aclType);
index++;
}
catch (ArgumentException)
{
throw new HadoopIllegalArgumentException("Invalid type of acl in <aclSpec> :" + aclStr
);
}
if (split.Length > index)
{
string name = split[index];
if (!name.IsEmpty())
{
builder.SetName(name);
}
index++;
}
if (includePermission)
{
if (split.Length <= index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
string permission = split[index];
FsAction fsAction = FsAction.GetFsAction(permission);
if (null == fsAction)
{
throw new HadoopIllegalArgumentException("Invalid permission in <aclSpec> : " + aclStr
);
}
builder.SetPermission(fsAction);
index++;
}
if (split.Length > index)
{
throw new HadoopIllegalArgumentException("Invalid <aclSpec> : " + aclStr);
}
AclEntry aclEntry = builder.Build();
return(aclEntry);
}
/// <summary>Sets the ACL entry type.</summary>
/// <param name="type">AclEntryType ACL entry type</param>
/// <returns>Builder this builder, for call chaining</returns>
public virtual AclEntry.Builder SetType(AclEntryType type)
{
this.type = type;
return(this);
}
/// <summary>Checks requested access against an Access Control List.</summary>
/// <remarks>
/// Checks requested access against an Access Control List. This method relies
/// on finding the ACL data in the relevant portions of
/// <see cref="Org.Apache.Hadoop.FS.Permission.FsPermission"/>
/// and
/// <see cref="AclFeature"/>
/// as implemented in the logic of
/// <see cref="AclStorage"/>
/// . This
/// method also relies on receiving the ACL entries in sorted order. This is
/// assumed to be true, because the ACL modification methods in
/// <see cref="AclTransformation"/>
/// sort the resulting entries.
/// More specifically, this method depends on these invariants in an ACL:
/// - The list must be sorted.
/// - Each entry in the list must be unique by scope + type + name.
/// - There is exactly one each of the unnamed user/group/other entries.
/// - The mask entry must not have a name.
/// - The other entry must not have a name.
/// - Default entries may be present, but they are ignored during enforcement.
/// </remarks>
/// <param name="inode">INodeAttributes accessed inode</param>
/// <param name="snapshotId">int snapshot ID</param>
/// <param name="access">FsAction requested permission</param>
/// <param name="mode">FsPermission mode from inode</param>
/// <param name="aclFeature">AclFeature of inode</param>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the ACL denies permission
/// </exception>
private void CheckAccessAcl(INodeAttributes inode, string path, FsAction access,
FsPermission mode, AclFeature aclFeature)
{
bool foundMatch = false;
// Use owner entry from permission bits if user is owner.
if (GetUser().Equals(inode.GetUserName()))
{
if (mode.GetUserAction().Implies(access))
{
return;
}
foundMatch = true;
}
// Check named user and group entries if user was not denied by owner entry.
if (!foundMatch)
{
for (int pos = 0; pos < aclFeature.GetEntriesSize(); pos++)
{
entry = aclFeature.GetEntryAt(pos);
if (AclEntryStatusFormat.GetScope(entry) == AclEntryScope.Default)
{
break;
}
AclEntryType type = AclEntryStatusFormat.GetType(entry);
string name = AclEntryStatusFormat.GetName(entry);
if (type == AclEntryType.User)
{
// Use named user entry with mask from permission bits applied if user
// matches name.
if (GetUser().Equals(name))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
break;
}
}
else
{
if (type == AclEntryType.Group)
{
// Use group entry (unnamed or named) with mask from permission bits
// applied if user is a member and entry grants access. If user is a
// member of multiple groups that have entries that grant access, then
// it doesn't matter which is chosen, so exit early after first match.
string group = name == null?inode.GetGroupName() : name;
if (GetGroups().Contains(group))
{
FsAction masked = AclEntryStatusFormat.GetPermission(entry).And(mode.GetGroupAction
());
if (masked.Implies(access))
{
return;
}
foundMatch = true;
}
}
}
}
}
// Use other entry if user was not denied by an earlier match.
if (!foundMatch && mode.GetOtherAction().Implies(access))
{
return;
}
throw new AccessControlException(ToAccessControlString(inode, path, access, mode)
);
}
