Java Code Examples for org.apache.hadoop.security.AccessControlException

The following examples show how to use org.apache.hadoop.security.AccessControlException. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop   Source File: DataNode.java    License: Apache License 2.0 6 votes vote down vote up
/** Check whether the current user is in the superuser group. */
private void checkSuperuserPrivilege() throws IOException, AccessControlException {
  if (!isPermissionEnabled) {
    return;
  }
  // Try to get the ugi in the RPC call.
  UserGroupInformation callerUgi = ipcServer.getRemoteUser();
  if (callerUgi == null) {
    // This is not from RPC.
    callerUgi = UserGroupInformation.getCurrentUser();
  }

  // Is this by the DN user itself?
  assert dnUserName != null;
  if (callerUgi.getShortUserName().equals(dnUserName)) {
    return;
  }

  // Is the user a member of the super group?
  List<String> groups = Arrays.asList(callerUgi.getGroupNames());
  if (groups.contains(supergroup)) {
    return;
  }
  // Not a superuser.
  throw new AccessControlException();
}
 
Example 2
Source Project: hadoop   Source File: TestFailoverController.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testFailoverWithoutPermission() throws Exception {
  DummyHAService svc1 = new DummyHAService(HAServiceState.ACTIVE, svc1Addr);
  Mockito.doThrow(new AccessControlException("Access denied"))
      .when(svc1.proxy).getServiceStatus();
  DummyHAService svc2 = new DummyHAService(HAServiceState.STANDBY, svc2Addr);
  Mockito.doThrow(new AccessControlException("Access denied"))
      .when(svc2.proxy).getServiceStatus();
  svc1.fencer = svc2.fencer = setupFencer(AlwaysSucceedFencer.class.getName());

  try {
    doFailover(svc1, svc2, false, false);
    fail("Can't failover when access is denied");
  } catch (FailoverFailedException ffe) {
    assertTrue(ffe.getCause().getMessage().contains("Access denied"));
  }
}
 
Example 3
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Set replication for an existing file.
 * @param src file name
 * @param replication replication to set the file to
 * 
 * @see ClientProtocol#setReplication(String, short)
 */
public boolean setReplication(String src, short replication)
    throws IOException {
  TraceScope scope = getPathTraceScope("setReplication", src);
  try {
    return namenode.setReplication(src, replication);
  } catch(RemoteException re) {
    throw re.unwrapRemoteException(AccessControlException.class,
                                   FileNotFoundException.class,
                                   SafeModeException.class,
                                   DSQuotaExceededException.class,
                                   UnresolvedPathException.class,
                                   SnapshotAccessControlException.class);
  } finally {
    scope.close();
  }
}
 
Example 4
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Rename file or directory.
 * @see ClientProtocol#rename(String, String)
 * @deprecated Use {@link #rename(String, String, Options.Rename...)} instead.
 */
@Deprecated
public boolean rename(String src, String dst) throws IOException {
  checkOpen();
  TraceScope scope = getSrcDstTraceScope("rename", src, dst);
  try {
    return namenode.rename(src, dst);
  } catch(RemoteException re) {
    throw re.unwrapRemoteException(AccessControlException.class,
                                   NSQuotaExceededException.class,
                                   DSQuotaExceededException.class,
                                   UnresolvedPathException.class,
                                   SnapshotAccessControlException.class);
  } finally {
    scope.close();
  }
}
 
Example 5
Source Project: RDFS   Source File: PermissionChecker.java    License: Apache License 2.0 6 votes vote down vote up
private void check(INode inode, FsAction access
    ) throws AccessControlException {
  if (inode == null) {
    return;
  }
  FsPermission mode = inode.getFsPermission();

  if (user.equals(inode.getUserName())) { //user class
    if (mode.getUserAction().implies(access)) { return; }
  }
  else if (groups.contains(inode.getGroupName())) { //group class
    if (mode.getGroupAction().implies(access)) { return; }
  }
  else { //other class
    if (mode.getOtherAction().implies(access)) { return; }
  }
  throw new AccessControlException("Permission denied: user=" + user
      + ", access=" + access + ", inode=" + inode);
}
 
Example 6
Source Project: hadoop   Source File: XAttrPermissionFilter.java    License: Apache License 2.0 6 votes vote down vote up
static void checkPermissionForApi(FSPermissionChecker pc, XAttr xAttr,
    boolean isRawPath)
    throws AccessControlException {
  final boolean isSuperUser = pc.isSuperUser();
  if (xAttr.getNameSpace() == XAttr.NameSpace.USER || 
      (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && isSuperUser)) {
    return;
  }
  if (xAttr.getNameSpace() == XAttr.NameSpace.RAW &&
      isRawPath && isSuperUser) {
    return;
  }
  if (XAttrHelper.getPrefixName(xAttr).
      equals(SECURITY_XATTR_UNREADABLE_BY_SUPERUSER)) {
    if (xAttr.getValue() != null) {
      throw new AccessControlException("Attempt to set a value for '" +
          SECURITY_XATTR_UNREADABLE_BY_SUPERUSER +
          "'. Values are not allowed for this xattr.");
    }
    return;
  }
  throw new AccessControlException("User doesn't have permission for xattr: "
      + XAttrHelper.getPrefixName(xAttr));
}
 
Example 7
Source Project: hadoop   Source File: ClientNamenodeProtocolTranslatorPB.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public LocatedBlock addBlock(String src, String clientName,
    ExtendedBlock previous, DatanodeInfo[] excludeNodes, long fileId,
    String[] favoredNodes)
    throws AccessControlException, FileNotFoundException,
    NotReplicatedYetException, SafeModeException, UnresolvedLinkException,
    IOException {
  AddBlockRequestProto.Builder req = AddBlockRequestProto.newBuilder()
      .setSrc(src).setClientName(clientName).setFileId(fileId);
  if (previous != null) 
    req.setPrevious(PBHelper.convert(previous)); 
  if (excludeNodes != null) 
    req.addAllExcludeNodes(PBHelper.convert(excludeNodes));
  if (favoredNodes != null) {
    req.addAllFavoredNodes(Arrays.asList(favoredNodes));
  }
  try {
    return PBHelper.convert(rpcProxy.addBlock(null, req.build()).getBlock());
  } catch (ServiceException e) {
    throw ProtobufHelper.getRemoteException(e);
  }
}
 
Example 8
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
public void removeXAttr(String src, String name) throws IOException {
  checkOpen();
  TraceScope scope = getPathTraceScope("removeXAttr", src);
  try {
    namenode.removeXAttr(src, XAttrHelper.buildXAttr(name));
  } catch(RemoteException re) {
    throw re.unwrapRemoteException(AccessControlException.class,
                                   FileNotFoundException.class,
                                   NSQuotaExceededException.class,
                                   SafeModeException.class,
                                   SnapshotAccessControlException.class,
                                   UnresolvedPathException.class);
  } finally {
    scope.close();
  }
}
 
Example 9
Source Project: big-c   Source File: ViewFs.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public FileStatus[] listStatus(final Path f) throws AccessControlException,
    FileNotFoundException, UnresolvedLinkException, IOException {
  InodeTree.ResolveResult<AbstractFileSystem> res =
    fsState.resolve(getUriPath(f), true);
  
  FileStatus[] statusLst = res.targetFileSystem.listStatus(res.remainingPath);
  if (!res.isInternalDir()) {
    // We need to change the name in the FileStatus as described in
    // {@link #getFileStatus }
    ChRootedFs targetFs;
    targetFs = (ChRootedFs) res.targetFileSystem;
    int i = 0;
    for (FileStatus status : statusLst) {
        String suffix = targetFs.stripOutRoot(status.getPath());
        statusLst[i++] = new ViewFsFileStatus(status, this.makeQualified(
            suffix.length() == 0 ? f : new Path(res.resolvedPath, suffix)));
    }
  }
  return statusLst;
}
 
Example 10
Source Project: hadoop   Source File: FSDirAttrOp.java    License: Apache License 2.0 6 votes vote down vote up
static HdfsFileStatus setOwner(
    FSDirectory fsd, String src, String username, String group)
    throws IOException {
  FSPermissionChecker pc = fsd.getPermissionChecker();
  byte[][] pathComponents = FSDirectory.getPathComponentsForReservedPath(src);
  INodesInPath iip;
  fsd.writeLock();
  try {
    src = fsd.resolvePath(pc, src, pathComponents);
    iip = fsd.getINodesInPath4Write(src);
    fsd.checkOwner(pc, iip);
    if (!pc.isSuperUser()) {
      if (username != null && !pc.getUser().equals(username)) {
        throw new AccessControlException("Non-super user cannot change owner");
      }
      if (group != null && !pc.containsGroup(group)) {
        throw new AccessControlException("User does not belong to " + group);
      }
    }
    unprotectedSetOwner(fsd, src, username, group);
  } finally {
    fsd.writeUnlock();
  }
  fsd.getEditLog().logSetOwner(src, username, group);
  return fsd.getAuditFileInfo(iip);
}
 
Example 11
Source Project: hadoop   Source File: FSPermissionChecker.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Whether a cache pool can be accessed by the current context
 *
 * @param pool CachePool being accessed
 * @param access type of action being performed on the cache pool
 * @throws AccessControlException if pool cannot be accessed
 */
public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  }
  if (getUser().equals(pool.getOwnerName())
      && mode.getUserAction().implies(access)) {
    return;
  }
  if (getGroups().contains(pool.getGroupName())
      && mode.getGroupAction().implies(access)) {
    return;
  }
  if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
 
Example 12
Source Project: big-c   Source File: ViewFsBaseTest.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testGetFileChecksum() throws AccessControlException
  , UnresolvedLinkException, IOException {
  AbstractFileSystem mockAFS = Mockito.mock(AbstractFileSystem.class);
  InodeTree.ResolveResult<AbstractFileSystem> res =
    new InodeTree.ResolveResult<AbstractFileSystem>(null, mockAFS , null,
      new Path("someFile"));
  @SuppressWarnings("unchecked")
  InodeTree<AbstractFileSystem> fsState = Mockito.mock(InodeTree.class);
  Mockito.when(fsState.resolve(Mockito.anyString()
    , Mockito.anyBoolean())).thenReturn(res);
  ViewFs vfs = Mockito.mock(ViewFs.class);
  vfs.fsState = fsState;

  Mockito.when(vfs.getFileChecksum(new Path("/tmp/someFile")))
    .thenCallRealMethod();
  vfs.getFileChecksum(new Path("/tmp/someFile"));

  Mockito.verify(mockAFS).getFileChecksum(new Path("someFile"));
}
 
Example 13
Source Project: hadoop   Source File: ClientNamenodeProtocolTranslatorPB.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void rename2(String src, String dst, Rename... options)
    throws AccessControlException, DSQuotaExceededException,
    FileAlreadyExistsException, FileNotFoundException,
    NSQuotaExceededException, ParentNotDirectoryException, SafeModeException,
    UnresolvedLinkException, IOException {
  boolean overwrite = false;
  if (options != null) {
    for (Rename option : options) {
      if (option == Rename.OVERWRITE) {
        overwrite = true;
      }
    }
  }
  Rename2RequestProto req = Rename2RequestProto.newBuilder().
      setSrc(src).
      setDst(dst).setOverwriteDest(overwrite).
      build();
  try {
    rpcProxy.rename2(null, req);
  } catch (ServiceException e) {
    throw ProtobufHelper.getRemoteException(e);
  }

}
 
Example 14
Source Project: hadoop   Source File: ViewFs.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public Path resolvePath(final Path f) throws FileNotFoundException,
        AccessControlException, UnresolvedLinkException, IOException {
  final InodeTree.ResolveResult<AbstractFileSystem> res;
    res = fsState.resolve(getUriPath(f), true);
  if (res.isInternalDir()) {
    return f;
  }
  return res.targetFileSystem.resolvePath(res.remainingPath);

}
 
Example 15
Source Project: big-c   Source File: AclTestHelpers.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Asserts that permission is granted to the given fs/user for the given file.
 *
 * @param fs FileSystem to check
 * @param user UserGroupInformation owner of fs
 * @param pathToCheck Path file to check
 * @throws Exception if there is an unexpected error
 */
public static void assertFilePermissionGranted(FileSystem fs,
    UserGroupInformation user, Path pathToCheck) throws Exception {
  try {
    DFSTestUtil.readFileBuffer(fs, pathToCheck);
  } catch (AccessControlException e) {
    fail("expected permission granted for user " + user + ", path = " +
      pathToCheck);
  }
}
 
Example 16
Source Project: big-c   Source File: ViewFs.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public Path resolvePath(final Path f) throws FileNotFoundException,
        AccessControlException, UnresolvedLinkException, IOException {
  final InodeTree.ResolveResult<AbstractFileSystem> res;
    res = fsState.resolve(getUriPath(f), true);
  if (res.isInternalDir()) {
    return f;
  }
  return res.targetFileSystem.resolvePath(res.remainingPath);

}
 
Example 17
Source Project: hadoop   Source File: FilterFileSystem.java    License: Apache License 2.0 5 votes vote down vote up
public void createSymlink(final Path target, final Path link,
    final boolean createParent) throws AccessControlException,
    FileAlreadyExistsException, FileNotFoundException,
    ParentNotDirectoryException, UnsupportedFileSystemException, 
    IOException {
  fs.createSymlink(target, link, createParent);
}
 
Example 18
Source Project: hadoop   Source File: AbstractFileSystem.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * The specification of this method matches that of
 * {@link #create(Path, EnumSet, Options.CreateOpts...)} except that the opts
 * have been declared explicitly.
 */
public abstract FSDataOutputStream createInternal(Path f,
    EnumSet<CreateFlag> flag, FsPermission absolutePermission,
    int bufferSize, short replication, long blockSize, Progressable progress,
    ChecksumOpt checksumOpt, boolean createParent)
    throws AccessControlException, FileAlreadyExistsException,
    FileNotFoundException, ParentNotDirectoryException,
    UnsupportedFileSystemException, UnresolvedLinkException, IOException;
 
Example 19
Source Project: big-c   Source File: ViewFileSystem.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public boolean delete(final Path f, final boolean recursive)
    throws AccessControlException, FileNotFoundException,
    IOException {
  InodeTree.ResolveResult<FileSystem> res = 
    fsState.resolve(getUriPath(f), true);
  // If internal dir or target is a mount link (ie remainingPath is Slash)
  if (res.isInternalDir() || res.remainingPath == InodeTree.SlashPath) {
    throw readOnlyMountTable("delete", f);
  }
  return res.targetFileSystem.delete(res.remainingPath, recursive);
}
 
Example 20
Source Project: big-c   Source File: ClientNamenodeProtocolTranslatorPB.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public long rollEdits() throws AccessControlException, IOException {
  try {
    RollEditsResponseProto resp = rpcProxy.rollEdits(null,
        VOID_ROLLEDITS_REQUEST);
    return resp.getNewSegmentTxId();
  } catch (ServiceException se) {
    throw ProtobufHelper.getRemoteException(se);
  }
}
 
Example 21
Source Project: big-c   Source File: TestFsck.java    License: Apache License 2.0 5 votes vote down vote up
public void removeBlocks(MiniDFSCluster cluster)
    throws AccessControlException, FileNotFoundException,
    UnresolvedLinkException, IOException {
  for (int corruptIdx : blocksToCorrupt) {
    // Corrupt a block by deleting it
    ExtendedBlock block = dfsClient.getNamenode().getBlockLocations(
        name, blockSize * corruptIdx, Long.MAX_VALUE).get(0).getBlock();
    for (int i = 0; i < numDataNodes; i++) {
      File blockFile = cluster.getBlockFile(i, block);
      if(blockFile != null && blockFile.exists()) {
        assertTrue(blockFile.delete());
      }
    }
  }
}
 
Example 22
Source Project: hadoop   Source File: CapacityScheduler.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public synchronized String moveApplication(ApplicationId appId,
    String targetQueueName) throws YarnException {
  FiCaSchedulerApp app =
      getApplicationAttempt(ApplicationAttemptId.newInstance(appId, 0));
  String sourceQueueName = app.getQueue().getQueueName();
  LeafQueue source = getAndCheckLeafQueue(sourceQueueName);
  String destQueueName = handleMoveToPlanQueue(targetQueueName);
  LeafQueue dest = getAndCheckLeafQueue(destQueueName);
  // Validation check - ACLs, submission limits for user & queue
  String user = app.getUser();
  try {
    dest.submitApplication(appId, user, destQueueName);
  } catch (AccessControlException e) {
    throw new YarnException(e);
  }
  // Move all live containers
  for (RMContainer rmContainer : app.getLiveContainers()) {
    source.detachContainer(clusterResource, app, rmContainer);
    // attach the Container to another queue
    dest.attachContainer(clusterResource, app, rmContainer);
  }
  // Detach the application..
  source.finishApplicationAttempt(app, sourceQueueName);
  source.getParent().finishApplication(appId, app.getUser());
  // Finish app & update metrics
  app.move(dest);
  // Submit to a new queue
  dest.submitApplicationAttempt(app, user);
  applications.get(appId).setQueue(dest);
  LOG.info("App: " + app.getApplicationId() + " successfully moved from "
      + sourceQueueName + " to: " + destQueueName);
  return targetQueueName;
}
 
Example 23
Source Project: crail   Source File: CrailHDFS.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void renameInternal(Path src, Path dst) throws AccessControlException, FileAlreadyExistsException, FileNotFoundException, ParentNotDirectoryException, UnresolvedLinkException, IOException {
	try {
		CrailNode file = dfs.rename(src.toUri().getRawPath(), dst.toUri().getRawPath()).get();
		if (file != null){
			file.syncDir();
		}
	} catch(Exception e){
		throw new IOException(e);
	}
}
 
Example 24
Source Project: hadoop   Source File: ViewFs.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public FileStatus getFileLinkStatus(final Path f)
   throws AccessControlException, FileNotFoundException,
   UnsupportedFileSystemException, IOException {
  InodeTree.ResolveResult<AbstractFileSystem> res = 
    fsState.resolve(getUriPath(f), false); // do not follow mount link
  return res.targetFileSystem.getFileLinkStatus(res.remainingPath);
}
 
Example 25
Source Project: big-c   Source File: ViewFsBaseTest.java    License: Apache License 2.0 5 votes vote down vote up
@Test(expected=AccessControlException.class) 
public void testInternalRename2() throws IOException {
  Assert.assertTrue("linkTODir2 should be a dir", 
      fcView.getFileStatus(new Path("/internalDir/linkToDir2")).isDirectory());
  fcView.rename(new Path("/internalDir/linkToDir2"),
      new Path("/internalDir/dir1"));
}
 
Example 26
Source Project: hadoop-gpu   Source File: DFSClient.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Save namespace image.
 * See {@link ClientProtocol#saveNamespace()} 
 * for more details.
 * 
 * @see ClientProtocol#saveNamespace()
 */
void saveNamespace() throws AccessControlException, IOException {
  try {
    namenode.saveNamespace();
  } catch(RemoteException re) {
    throw re.unwrapRemoteException(AccessControlException.class);
  }
}
 
Example 27
Source Project: hadoop   Source File: FSAclBaseTest.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testModifyAclEntriesMustBeOwnerOrSuper() throws Exception {
  Path bruceDir = new Path(path, "bruce");
  Path bruceFile = new Path(bruceDir, "file");
  fs.mkdirs(bruceDir);
  fs.setOwner(bruceDir, "bruce", null);
  fsAsBruce.create(bruceFile).close();
  List<AclEntry> aclSpec = Lists.newArrayList(
    aclEntry(ACCESS, USER, "diana", ALL));
  fsAsBruce.modifyAclEntries(bruceFile, aclSpec);
  fs.modifyAclEntries(bruceFile, aclSpec);
  fsAsSupergroupMember.modifyAclEntries(bruceFile, aclSpec);
  exception.expect(AccessControlException.class);
  fsAsDiana.modifyAclEntries(bruceFile, aclSpec);
}
 
Example 28
Source Project: big-c   Source File: ViewFs.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public RemoteIterator<FileStatus> listStatusIterator(final Path f)
  throws AccessControlException, FileNotFoundException,
  UnresolvedLinkException, IOException {
  final InodeTree.ResolveResult<AbstractFileSystem> res =
    fsState.resolve(getUriPath(f), true);
  final RemoteIterator<FileStatus> fsIter =
    res.targetFileSystem.listStatusIterator(res.remainingPath);
  if (res.isInternalDir()) {
    return fsIter;
  }
  
  return new RemoteIterator<FileStatus>() {
    final RemoteIterator<FileStatus> myIter;
    final ChRootedFs targetFs;
    { // Init
        myIter = fsIter;
        targetFs = (ChRootedFs) res.targetFileSystem;
    }
    
    @Override
    public boolean hasNext() throws IOException {
      return myIter.hasNext();
    }
    
    @Override
    public FileStatus next() throws IOException {
      FileStatus status =  myIter.next();
      String suffix = targetFs.stripOutRoot(status.getPath());
      return new ViewFsFileStatus(status, makeQualified(
          suffix.length() == 0 ? f : new Path(res.resolvedPath, suffix)));
    }
  };
}
 
Example 29
Source Project: big-c   Source File: AclTestHelpers.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Asserts that permission is denied to the given fs/user for the given file.
 *
 * @param fs FileSystem to check
 * @param user UserGroupInformation owner of fs
 * @param pathToCheck Path file to check
 * @throws Exception if there is an unexpected error
 */
public static void assertFilePermissionDenied(FileSystem fs,
    UserGroupInformation user, Path pathToCheck) throws Exception {
  try {
    DFSTestUtil.readFileBuffer(fs, pathToCheck);
    fail("expected AccessControlException for user " + user + ", path = " +
      pathToCheck);
  } catch (AccessControlException e) {
    // expected
  }
}
 
Example 30
Source Project: hadoop   Source File: ZKFCProtocolClientSideTranslatorPB.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void gracefulFailover() throws IOException, AccessControlException {
  try {
    rpcProxy.gracefulFailover(NULL_CONTROLLER,
        GracefulFailoverRequestProto.getDefaultInstance());
  } catch (ServiceException e) {
    throw ProtobufHelper.getRemoteException(e);
  }
}