Java Code Examples for org.apache.hadoop.fs.permission.AclEntry#getType()

/**
 * Prints a single extended ACL entry.  If the mask restricts the
 * permissions of the entry, then also prints the restricted version as the
 * effective permissions.  The mask applies to all named entries and also
 * the unnamed group entry.
 * @param aclStatus AclStatus for the path
 * @param fsPerm FsPermission for the path
 * @param entry AclEntry extended ACL entry to print
 */
private void printExtendedAclEntry(AclStatus aclStatus,
    FsPermission fsPerm, AclEntry entry) {
  if (entry.getName() != null || entry.getType() == AclEntryType.GROUP) {
    FsAction entryPerm = entry.getPermission();
    FsAction effectivePerm = aclStatus
        .getEffectivePermission(entry, fsPerm);
    if (entryPerm != effectivePerm) {
      out.println(String.format("%s\t#effective:%s", entry,
        effectivePerm.SYMBOL));
    } else {
      out.println(entry);
    }
  } else {
    out.println(entry);
  }
}
 

/**
 * Prints a single extended ACL entry.  If the mask restricts the
 * permissions of the entry, then also prints the restricted version as the
 * effective permissions.  The mask applies to all named entries and also
 * the unnamed group entry.
 * @param aclStatus AclStatus for the path
 * @param fsPerm FsPermission for the path
 * @param entry AclEntry extended ACL entry to print
 */
private void printExtendedAclEntry(AclStatus aclStatus,
    FsPermission fsPerm, AclEntry entry) {
  if (entry.getName() != null || entry.getType() == AclEntryType.GROUP) {
    FsAction entryPerm = entry.getPermission();
    FsAction effectivePerm = aclStatus
        .getEffectivePermission(entry, fsPerm);
    if (entryPerm != effectivePerm) {
      out.println(String.format("%s\t#effective:%s", entry,
        effectivePerm.SYMBOL));
    } else {
      out.println(entry);
    }
  } else {
    out.println(entry);
  }
}
 

private void addToACLMap(Map<String, AclEntry> map,
    Collection<AclEntry> entries) {
  for (AclEntry ent : entries) {
    String key = (ent.getName() == null ? "" : ent.getName())
        + ent.getScope() + ent.getType();
    AclEntry aclEntry = map.get(key);
    if (aclEntry == null) {
      map.put(key, ent);
    } else {
      map.put(key,
          new AclEntry.Builder().
          setName(ent.getName()).
          setScope(ent.getScope()).
          setType(ent.getType()).
          setPermission(ent.getPermission().or(aclEntry.getPermission())).
          build());
    }
  }
}
 

/**
 * Filters (discards) any existing ACL entries that have the same scope, type
 * and name of any entry in the ACL spec.  If necessary, recalculates the mask
 * entries.  If necessary, default entries may be inferred by copying the
 * permissions of the corresponding access entries.  It is invalid to request
 * removal of the mask entry from an ACL that would otherwise require a mask
 * entry, due to existing named entries or an unnamed group entry.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec describing entries to filter
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> filterAclEntriesByAclSpec(
    List<AclEntry> existingAcl, List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry existingEntry: existingAcl) {
    if (aclSpec.containsKey(existingEntry)) {
      scopeDirty.add(existingEntry.getScope());
      if (existingEntry.getType() == MASK) {
        maskDirty.add(existingEntry.getScope());
      }
    } else {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * Completely replaces the ACL with the entries of the ACL spec.  If
 * necessary, recalculates the mask entries.  If necessary, default entries
 * are inferred by copying the permissions of the corresponding access
 * entries.  Replacement occurs separately for each of the access ACL and the
 * default ACL.  If the ACL spec contains only access entries, then the
 * existing default entries are retained.  If the ACL spec contains only
 * default entries, then the existing access entries are retained.  If the ACL
 * spec contains both access and default entries, then both are replaced.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec containing replacement entries
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> replaceAclEntries(List<AclEntry> existingAcl,
    List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  // Replacement is done separately for each scope: access and default.
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry aclSpecEntry: aclSpec) {
    scopeDirty.add(aclSpecEntry.getScope());
    if (aclSpecEntry.getType() == MASK) {
      providedMask.put(aclSpecEntry.getScope(), aclSpecEntry);
      maskDirty.add(aclSpecEntry.getScope());
    } else {
      aclBuilder.add(aclSpecEntry);
    }
  }
  // Copy existing entries if the scope was not replaced.
  for (AclEntry existingEntry: existingAcl) {
    if (!scopeDirty.contains(existingEntry.getScope())) {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * Filters (discards) any existing ACL entries that have the same scope, type
 * and name of any entry in the ACL spec.  If necessary, recalculates the mask
 * entries.  If necessary, default entries may be inferred by copying the
 * permissions of the corresponding access entries.  It is invalid to request
 * removal of the mask entry from an ACL that would otherwise require a mask
 * entry, due to existing named entries or an unnamed group entry.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec describing entries to filter
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> filterAclEntriesByAclSpec(
    List<AclEntry> existingAcl, List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry existingEntry: existingAcl) {
    if (aclSpec.containsKey(existingEntry)) {
      scopeDirty.add(existingEntry.getScope());
      if (existingEntry.getType() == MASK) {
        maskDirty.add(existingEntry.getScope());
      }
    } else {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * Completely replaces the ACL with the entries of the ACL spec.  If
 * necessary, recalculates the mask entries.  If necessary, default entries
 * are inferred by copying the permissions of the corresponding access
 * entries.  Replacement occurs separately for each of the access ACL and the
 * default ACL.  If the ACL spec contains only access entries, then the
 * existing default entries are retained.  If the ACL spec contains only
 * default entries, then the existing access entries are retained.  If the ACL
 * spec contains both access and default entries, then both are replaced.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec containing replacement entries
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> replaceAclEntries(List<AclEntry> existingAcl,
    List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  // Replacement is done separately for each scope: access and default.
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry aclSpecEntry: aclSpec) {
    scopeDirty.add(aclSpecEntry.getScope());
    if (aclSpecEntry.getType() == MASK) {
      providedMask.put(aclSpecEntry.getScope(), aclSpecEntry);
      maskDirty.add(aclSpecEntry.getScope());
    } else {
      aclBuilder.add(aclSpecEntry);
    }
  }
  // Copy existing entries if the scope was not replaced.
  for (AclEntry existingEntry: existingAcl) {
    if (!scopeDirty.contains(existingEntry.getScope())) {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * If a default ACL is defined on a parent directory, then copies that default
 * ACL to a newly created child file or directory.
 *
 * @param child INode newly created child
 */
public static void copyINodeDefaultAcl(INode child) {
  INodeDirectory parent = child.getParent();
  AclFeature parentAclFeature = parent.getAclFeature();
  if (parentAclFeature == null || !(child.isFile() || child.isDirectory())) {
    return;
  }

  // Split parent's entries into access vs. default.
  List<AclEntry> featureEntries = getEntriesFromAclFeature(parent
      .getAclFeature());
  ScopedAclEntries scopedEntries = new ScopedAclEntries(featureEntries);
  List<AclEntry> parentDefaultEntries = scopedEntries.getDefaultEntries();

  // The parent may have an access ACL but no default ACL.  If so, exit.
  if (parentDefaultEntries.isEmpty()) {
    return;
  }

  // Pre-allocate list size for access entries to copy from parent.
  List<AclEntry> accessEntries = Lists.newArrayListWithCapacity(
    parentDefaultEntries.size());

  FsPermission childPerm = child.getFsPermission();

  // Copy each default ACL entry from parent to new child's access ACL.
  boolean parentDefaultIsMinimal = AclUtil.isMinimalAcl(parentDefaultEntries);
  for (AclEntry entry: parentDefaultEntries) {
    AclEntryType type = entry.getType();
    String name = entry.getName();
    AclEntry.Builder builder = new AclEntry.Builder()
      .setScope(AclEntryScope.ACCESS)
      .setType(type)
      .setName(name);

    // The child's initial permission bits are treated as the mode parameter,
    // which can filter copied permission values for owner, mask and other.
    final FsAction permission;
    if (type == AclEntryType.USER && name == null) {
      permission = entry.getPermission().and(childPerm.getUserAction());
    } else if (type == AclEntryType.GROUP && parentDefaultIsMinimal) {
      // This only happens if the default ACL is a minimal ACL: exactly 3
      // entries corresponding to owner, group and other.  In this case,
      // filter the group permissions.
      permission = entry.getPermission().and(childPerm.getGroupAction());
    } else if (type == AclEntryType.MASK) {
      // Group bits from mode parameter filter permission of mask entry.
      permission = entry.getPermission().and(childPerm.getGroupAction());
    } else if (type == AclEntryType.OTHER) {
      permission = entry.getPermission().and(childPerm.getOtherAction());
    } else {
      permission = entry.getPermission();
    }

    builder.setPermission(permission);
    accessEntries.add(builder.build());
  }

  // A new directory also receives a copy of the parent's default ACL.
  List<AclEntry> defaultEntries = child.isDirectory() ? parentDefaultEntries :
    Collections.<AclEntry>emptyList();

  final FsPermission newPerm;
  if (!AclUtil.isMinimalAcl(accessEntries) || !defaultEntries.isEmpty()) {
    // Save the new ACL to the child.
    child.addAclFeature(createAclFeature(accessEntries, defaultEntries));
    newPerm = createFsPermissionForExtendedAcl(accessEntries, childPerm);
  } else {
    // The child is receiving a minimal ACL.
    newPerm = createFsPermissionForMinimalAcl(accessEntries, childPerm);
  }

  child.setPermission(newPerm);
}
 

/**
 * Merges the entries of the ACL spec into the existing ACL.  If necessary,
 * recalculates the mask entries.  If necessary, default entries may be
 * inferred by copying the permissions of the corresponding access entries.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec containing entries to merge
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> mergeAclEntries(List<AclEntry> existingAcl,
    List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  List<AclEntry> foundAclSpecEntries =
    Lists.newArrayListWithCapacity(MAX_ENTRIES);
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry existingEntry: existingAcl) {
    AclEntry aclSpecEntry = aclSpec.findByKey(existingEntry);
    if (aclSpecEntry != null) {
      foundAclSpecEntries.add(aclSpecEntry);
      scopeDirty.add(aclSpecEntry.getScope());
      if (aclSpecEntry.getType() == MASK) {
        providedMask.put(aclSpecEntry.getScope(), aclSpecEntry);
        maskDirty.add(aclSpecEntry.getScope());
      } else {
        aclBuilder.add(aclSpecEntry);
      }
    } else {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  // ACL spec entries that were not replacements are new additions.
  for (AclEntry newEntry: aclSpec) {
    if (Collections.binarySearch(foundAclSpecEntries, newEntry,
        ACL_ENTRY_COMPARATOR) < 0) {
      scopeDirty.add(newEntry.getScope());
      if (newEntry.getType() == MASK) {
        providedMask.put(newEntry.getScope(), newEntry);
        maskDirty.add(newEntry.getScope());
      } else {
        aclBuilder.add(newEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * Builds the final list of ACL entries to return by trimming, sorting and
 * validating the ACL entries that have been added.
 *
 * @param aclBuilder ArrayList<AclEntry> containing entries to build
 * @return List<AclEntry> unmodifiable, sorted list of ACL entries
 * @throws AclException if validation fails
 */
private static List<AclEntry> buildAndValidateAcl(
    ArrayList<AclEntry> aclBuilder) throws AclException {
  if (aclBuilder.size() > MAX_ENTRIES) {
    throw new AclException("Invalid ACL: ACL has " + aclBuilder.size() +
      " entries, which exceeds maximum of " + MAX_ENTRIES + ".");
  }
  aclBuilder.trimToSize();
  Collections.sort(aclBuilder, ACL_ENTRY_COMPARATOR);
  // Full iteration to check for duplicates and invalid named entries.
  AclEntry prevEntry = null;
  for (AclEntry entry: aclBuilder) {
    if (prevEntry != null &&
        ACL_ENTRY_COMPARATOR.compare(prevEntry, entry) == 0) {
      throw new AclException(
        "Invalid ACL: multiple entries with same scope, type and name.");
    }
    if (entry.getName() != null && (entry.getType() == MASK ||
        entry.getType() == OTHER)) {
      throw new AclException(
        "Invalid ACL: this entry type must not have a name: " + entry + ".");
    }
    prevEntry = entry;
  }
  // Search for the required base access entries.  If there is a default ACL,
  // then do the same check on the default entries.
  ScopedAclEntries scopedEntries = new ScopedAclEntries(aclBuilder);
  for (AclEntryType type: EnumSet.of(USER, GROUP, OTHER)) {
    AclEntry accessEntryKey = new AclEntry.Builder().setScope(ACCESS)
      .setType(type).build();
    if (Collections.binarySearch(scopedEntries.getAccessEntries(),
        accessEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
      throw new AclException(
        "Invalid ACL: the user, group and other entries are required.");
    }
    if (!scopedEntries.getDefaultEntries().isEmpty()) {
      AclEntry defaultEntryKey = new AclEntry.Builder().setScope(DEFAULT)
        .setType(type).build();
      if (Collections.binarySearch(scopedEntries.getDefaultEntries(),
          defaultEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
        throw new AclException(
          "Invalid default ACL: the user, group and other entries are required.");
      }
    }
  }
  return Collections.unmodifiableList(aclBuilder);
}
 

/**
 * Calculates mask entries required for the ACL.  Mask calculation is performed
 * separately for each scope: access and default.  This method is responsible
 * for handling the following cases of mask calculation:
 * 1. Throws an exception if the caller attempts to remove the mask entry of an
 *   existing ACL that requires it.  If the ACL has any named entries, then a
 *   mask entry is required.
 * 2. If the caller supplied a mask in the ACL spec, use it.
 * 3. If the caller did not supply a mask, but there are ACL entry changes in
 *   this scope, then automatically calculate a new mask.  The permissions of
 *   the new mask are the union of the permissions on the group entry and all
 *   named entries.
 *
 * @param aclBuilder ArrayList<AclEntry> containing entries to build
 * @param providedMask EnumMap<AclEntryScope, AclEntry> mapping each scope to
 *   the mask entry that was provided for that scope (if provided)
 * @param maskDirty EnumSet<AclEntryScope> which contains a scope if the mask
 *   entry is dirty (added or deleted) in that scope
 * @param scopeDirty EnumSet<AclEntryScope> which contains a scope if any entry
 *   is dirty (added or deleted) in that scope
 * @throws AclException if validation fails
 */
private static void calculateMasks(List<AclEntry> aclBuilder,
    EnumMap<AclEntryScope, AclEntry> providedMask,
    EnumSet<AclEntryScope> maskDirty, EnumSet<AclEntryScope> scopeDirty)
    throws AclException {
  EnumSet<AclEntryScope> scopeFound = EnumSet.noneOf(AclEntryScope.class);
  EnumMap<AclEntryScope, FsAction> unionPerms =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskNeeded = EnumSet.noneOf(AclEntryScope.class);
  // Determine which scopes are present, which scopes need a mask, and the
  // union of group class permissions in each scope.
  for (AclEntry entry: aclBuilder) {
    scopeFound.add(entry.getScope());
    if (entry.getType() == GROUP || entry.getName() != null) {
      FsAction scopeUnionPerms = Objects.firstNonNull(
        unionPerms.get(entry.getScope()), FsAction.NONE);
      unionPerms.put(entry.getScope(),
        scopeUnionPerms.or(entry.getPermission()));
    }
    if (entry.getName() != null) {
      maskNeeded.add(entry.getScope());
    }
  }
  // Add mask entry if needed in each scope.
  for (AclEntryScope scope: scopeFound) {
    if (!providedMask.containsKey(scope) && maskNeeded.contains(scope) &&
        maskDirty.contains(scope)) {
      // Caller explicitly removed mask entry, but it's required.
      throw new AclException(
        "Invalid ACL: mask is required and cannot be deleted.");
    } else if (providedMask.containsKey(scope) &&
        (!scopeDirty.contains(scope) || maskDirty.contains(scope))) {
      // Caller explicitly provided new mask, or we are preserving the existing
      // mask in an unchanged scope.
      aclBuilder.add(providedMask.get(scope));
    } else if (maskNeeded.contains(scope) || providedMask.containsKey(scope)) {
      // Otherwise, if there are maskable entries present, or the ACL
      // previously had a mask, then recalculate a mask automatically.
      aclBuilder.add(new AclEntry.Builder()
        .setScope(scope)
        .setType(MASK)
        .setPermission(unionPerms.get(scope))
        .build());
    }
  }
}
 

/**
 * If a default ACL is defined on a parent directory, then copies that default
 * ACL to a newly created child file or directory.
 *
 * @param child INode newly created child
 */
public static void copyINodeDefaultAcl(INode child) {
  INodeDirectory parent = child.getParent();
  AclFeature parentAclFeature = parent.getAclFeature();
  if (parentAclFeature == null || !(child.isFile() || child.isDirectory())) {
    return;
  }

  // Split parent's entries into access vs. default.
  List<AclEntry> featureEntries = getEntriesFromAclFeature(parent
      .getAclFeature());
  ScopedAclEntries scopedEntries = new ScopedAclEntries(featureEntries);
  List<AclEntry> parentDefaultEntries = scopedEntries.getDefaultEntries();

  // The parent may have an access ACL but no default ACL.  If so, exit.
  if (parentDefaultEntries.isEmpty()) {
    return;
  }

  // Pre-allocate list size for access entries to copy from parent.
  List<AclEntry> accessEntries = Lists.newArrayListWithCapacity(
    parentDefaultEntries.size());

  FsPermission childPerm = child.getFsPermission();

  // Copy each default ACL entry from parent to new child's access ACL.
  boolean parentDefaultIsMinimal = AclUtil.isMinimalAcl(parentDefaultEntries);
  for (AclEntry entry: parentDefaultEntries) {
    AclEntryType type = entry.getType();
    String name = entry.getName();
    AclEntry.Builder builder = new AclEntry.Builder()
      .setScope(AclEntryScope.ACCESS)
      .setType(type)
      .setName(name);

    // The child's initial permission bits are treated as the mode parameter,
    // which can filter copied permission values for owner, mask and other.
    final FsAction permission;
    if (type == AclEntryType.USER && name == null) {
      permission = entry.getPermission().and(childPerm.getUserAction());
    } else if (type == AclEntryType.GROUP && parentDefaultIsMinimal) {
      // This only happens if the default ACL is a minimal ACL: exactly 3
      // entries corresponding to owner, group and other.  In this case,
      // filter the group permissions.
      permission = entry.getPermission().and(childPerm.getGroupAction());
    } else if (type == AclEntryType.MASK) {
      // Group bits from mode parameter filter permission of mask entry.
      permission = entry.getPermission().and(childPerm.getGroupAction());
    } else if (type == AclEntryType.OTHER) {
      permission = entry.getPermission().and(childPerm.getOtherAction());
    } else {
      permission = entry.getPermission();
    }

    builder.setPermission(permission);
    accessEntries.add(builder.build());
  }

  // A new directory also receives a copy of the parent's default ACL.
  List<AclEntry> defaultEntries = child.isDirectory() ? parentDefaultEntries :
    Collections.<AclEntry>emptyList();

  final FsPermission newPerm;
  if (!AclUtil.isMinimalAcl(accessEntries) || !defaultEntries.isEmpty()) {
    // Save the new ACL to the child.
    child.addAclFeature(createAclFeature(accessEntries, defaultEntries));
    newPerm = createFsPermissionForExtendedAcl(accessEntries, childPerm);
  } else {
    // The child is receiving a minimal ACL.
    newPerm = createFsPermissionForMinimalAcl(accessEntries, childPerm);
  }

  child.setPermission(newPerm);
}
 

/**
 * Merges the entries of the ACL spec into the existing ACL.  If necessary,
 * recalculates the mask entries.  If necessary, default entries may be
 * inferred by copying the permissions of the corresponding access entries.
 *
 * @param existingAcl List<AclEntry> existing ACL
 * @param inAclSpec List<AclEntry> ACL spec containing entries to merge
 * @return List<AclEntry> new ACL
 * @throws AclException if validation fails
 */
public static List<AclEntry> mergeAclEntries(List<AclEntry> existingAcl,
    List<AclEntry> inAclSpec) throws AclException {
  ValidatedAclSpec aclSpec = new ValidatedAclSpec(inAclSpec);
  ArrayList<AclEntry> aclBuilder = Lists.newArrayListWithCapacity(MAX_ENTRIES);
  List<AclEntry> foundAclSpecEntries =
    Lists.newArrayListWithCapacity(MAX_ENTRIES);
  EnumMap<AclEntryScope, AclEntry> providedMask =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskDirty = EnumSet.noneOf(AclEntryScope.class);
  EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class);
  for (AclEntry existingEntry: existingAcl) {
    AclEntry aclSpecEntry = aclSpec.findByKey(existingEntry);
    if (aclSpecEntry != null) {
      foundAclSpecEntries.add(aclSpecEntry);
      scopeDirty.add(aclSpecEntry.getScope());
      if (aclSpecEntry.getType() == MASK) {
        providedMask.put(aclSpecEntry.getScope(), aclSpecEntry);
        maskDirty.add(aclSpecEntry.getScope());
      } else {
        aclBuilder.add(aclSpecEntry);
      }
    } else {
      if (existingEntry.getType() == MASK) {
        providedMask.put(existingEntry.getScope(), existingEntry);
      } else {
        aclBuilder.add(existingEntry);
      }
    }
  }
  // ACL spec entries that were not replacements are new additions.
  for (AclEntry newEntry: aclSpec) {
    if (Collections.binarySearch(foundAclSpecEntries, newEntry,
        ACL_ENTRY_COMPARATOR) < 0) {
      scopeDirty.add(newEntry.getScope());
      if (newEntry.getType() == MASK) {
        providedMask.put(newEntry.getScope(), newEntry);
        maskDirty.add(newEntry.getScope());
      } else {
        aclBuilder.add(newEntry);
      }
    }
  }
  copyDefaultsIfNeeded(aclBuilder);
  calculateMasks(aclBuilder, providedMask, maskDirty, scopeDirty);
  return buildAndValidateAcl(aclBuilder);
}
 

/**
 * Builds the final list of ACL entries to return by trimming, sorting and
 * validating the ACL entries that have been added.
 *
 * @param aclBuilder ArrayList<AclEntry> containing entries to build
 * @return List<AclEntry> unmodifiable, sorted list of ACL entries
 * @throws AclException if validation fails
 */
private static List<AclEntry> buildAndValidateAcl(
    ArrayList<AclEntry> aclBuilder) throws AclException {
  if (aclBuilder.size() > MAX_ENTRIES) {
    throw new AclException("Invalid ACL: ACL has " + aclBuilder.size() +
      " entries, which exceeds maximum of " + MAX_ENTRIES + ".");
  }
  aclBuilder.trimToSize();
  Collections.sort(aclBuilder, ACL_ENTRY_COMPARATOR);
  // Full iteration to check for duplicates and invalid named entries.
  AclEntry prevEntry = null;
  for (AclEntry entry: aclBuilder) {
    if (prevEntry != null &&
        ACL_ENTRY_COMPARATOR.compare(prevEntry, entry) == 0) {
      throw new AclException(
        "Invalid ACL: multiple entries with same scope, type and name.");
    }
    if (entry.getName() != null && (entry.getType() == MASK ||
        entry.getType() == OTHER)) {
      throw new AclException(
        "Invalid ACL: this entry type must not have a name: " + entry + ".");
    }
    prevEntry = entry;
  }
  // Search for the required base access entries.  If there is a default ACL,
  // then do the same check on the default entries.
  ScopedAclEntries scopedEntries = new ScopedAclEntries(aclBuilder);
  for (AclEntryType type: EnumSet.of(USER, GROUP, OTHER)) {
    AclEntry accessEntryKey = new AclEntry.Builder().setScope(ACCESS)
      .setType(type).build();
    if (Collections.binarySearch(scopedEntries.getAccessEntries(),
        accessEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
      throw new AclException(
        "Invalid ACL: the user, group and other entries are required.");
    }
    if (!scopedEntries.getDefaultEntries().isEmpty()) {
      AclEntry defaultEntryKey = new AclEntry.Builder().setScope(DEFAULT)
        .setType(type).build();
      if (Collections.binarySearch(scopedEntries.getDefaultEntries(),
          defaultEntryKey, ACL_ENTRY_COMPARATOR) < 0) {
        throw new AclException(
          "Invalid default ACL: the user, group and other entries are required.");
      }
    }
  }
  return Collections.unmodifiableList(aclBuilder);
}
 

/**
 * Calculates mask entries required for the ACL.  Mask calculation is performed
 * separately for each scope: access and default.  This method is responsible
 * for handling the following cases of mask calculation:
 * 1. Throws an exception if the caller attempts to remove the mask entry of an
 *   existing ACL that requires it.  If the ACL has any named entries, then a
 *   mask entry is required.
 * 2. If the caller supplied a mask in the ACL spec, use it.
 * 3. If the caller did not supply a mask, but there are ACL entry changes in
 *   this scope, then automatically calculate a new mask.  The permissions of
 *   the new mask are the union of the permissions on the group entry and all
 *   named entries.
 *
 * @param aclBuilder ArrayList<AclEntry> containing entries to build
 * @param providedMask EnumMap<AclEntryScope, AclEntry> mapping each scope to
 *   the mask entry that was provided for that scope (if provided)
 * @param maskDirty EnumSet<AclEntryScope> which contains a scope if the mask
 *   entry is dirty (added or deleted) in that scope
 * @param scopeDirty EnumSet<AclEntryScope> which contains a scope if any entry
 *   is dirty (added or deleted) in that scope
 * @throws AclException if validation fails
 */
private static void calculateMasks(List<AclEntry> aclBuilder,
    EnumMap<AclEntryScope, AclEntry> providedMask,
    EnumSet<AclEntryScope> maskDirty, EnumSet<AclEntryScope> scopeDirty)
    throws AclException {
  EnumSet<AclEntryScope> scopeFound = EnumSet.noneOf(AclEntryScope.class);
  EnumMap<AclEntryScope, FsAction> unionPerms =
    Maps.newEnumMap(AclEntryScope.class);
  EnumSet<AclEntryScope> maskNeeded = EnumSet.noneOf(AclEntryScope.class);
  // Determine which scopes are present, which scopes need a mask, and the
  // union of group class permissions in each scope.
  for (AclEntry entry: aclBuilder) {
    scopeFound.add(entry.getScope());
    if (entry.getType() == GROUP || entry.getName() != null) {
      FsAction scopeUnionPerms = Objects.firstNonNull(
        unionPerms.get(entry.getScope()), FsAction.NONE);
      unionPerms.put(entry.getScope(),
        scopeUnionPerms.or(entry.getPermission()));
    }
    if (entry.getName() != null) {
      maskNeeded.add(entry.getScope());
    }
  }
  // Add mask entry if needed in each scope.
  for (AclEntryScope scope: scopeFound) {
    if (!providedMask.containsKey(scope) && maskNeeded.contains(scope) &&
        maskDirty.contains(scope)) {
      // Caller explicitly removed mask entry, but it's required.
      throw new AclException(
        "Invalid ACL: mask is required and cannot be deleted.");
    } else if (providedMask.containsKey(scope) &&
        (!scopeDirty.contains(scope) || maskDirty.contains(scope))) {
      // Caller explicitly provided new mask, or we are preserving the existing
      // mask in an unchanged scope.
      aclBuilder.add(providedMask.get(scope));
    } else if (maskNeeded.contains(scope) || providedMask.containsKey(scope)) {
      // Otherwise, if there are maskable entries present, or the ACL
      // previously had a mask, then recalculate a mask automatically.
      aclBuilder.add(new AclEntry.Builder()
        .setScope(scope)
        .setType(MASK)
        .setPermission(unionPerms.get(scope))
        .build());
    }
  }
}