org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AccessControlEnforcer Java Examples

The following examples show how to use org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AccessControlEnforcer.
Example #1
Source File: RangerHdfsAuthorizerTest.java    From ranger with Apache License 2.0
@BeforeClass
public static void setup() {
    try {
        File file = File.createTempFile("hdfs-version-site", ".xml");
        file.deleteOnExit();

        try(final FileOutputStream outStream = new FileOutputStream(file);
            final OutputStreamWriter writer = new OutputStreamWriter(outStream, StandardCharsets.UTF_8)) {
            writer.write("<configuration>\n" +
                    "        <property>\n" +
                    "                <name>hdfs.version</name>\n" +
                    "                <value>hdfs_version_3.0</value>\n" +
                    "        </property>\n" +
                    "</configuration>\n");
        }

        authorizer = new RangerHdfsAuthorizer(new org.apache.hadoop.fs.Path(file.toURI()));
        authorizer.start();
    } catch (Exception exception) {
        Assert.fail("Cannot create hdfs-version-site file:[" + exception.getMessage() + "]");
    }

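    // The mock is passed where the NameNode would pass its default enforcer;
    // the enforcer returned by the authorizer is the one the tests exercise.
    AccessControlEnforcer accessControlEnforcer = Mockito.mock(AccessControlEnforcer.class);
    rangerControlEnforcer = authorizer.getExternalAccessControlEnforcer(accessControlEnforcer);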
}
 
Example #2
Source File: FSPermissionChecker.java    From hadoop with Apache License 2.0
/**
 * Check whether the current user has permission to access the path.
 * Traverse is always checked.
 *
 * Parent path means the parent directory for the path.
 * Ancestor path means the last (the closest) existing ancestor directory
 * of the path.
 * Note that if the parent path exists,
 * then the parent path and the ancestor path are the same.
 *
 * For example, suppose the path is "/foo/bar/baz".
 * Whether baz is a file or a directory,
 * the parent path is "/foo/bar".
 * If bar exists, then the ancestor path is also "/foo/bar".
 * If bar does not exist and foo exists,
 * then the ancestor path is "/foo".
 * Further, if both foo and bar do not exist,
 * then the ancestor path is "/".
 *
 * @param doCheckOwner Require user to be the owner of the path?
 * @param ancestorAccess The access required by the ancestor of the path.
 * @param parentAccess The access required by the parent of the path.
 * @param access The access required by the path.
 * @param subAccess If path is a directory,
 * it is the access required of the path and all the sub-directories.
 * If path is not a directory, there is no effect.
 * @param ignoreEmptyDir Ignore permission checking for empty directory?
 * @throws AccessControlException
 * 
 * Guarded by {@link FSNamesystem#readLock()}
 * Caller of this method must hold that lock.
 */
void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean ignoreEmptyDir)
    throws AccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("ACCESS CHECK: " + this
        + ", doCheckOwner=" + doCheckOwner
        + ", ancestorAccess=" + ancestorAccess
        + ", parentAccess=" + parentAccess
        + ", access=" + access
        + ", subAccess=" + subAccess
        + ", ignoreEmptyDir=" + ignoreEmptyDir);
  }
  // If parentAccess != null and the file exists, the sticky bit is checked as well.
  // If resolveLink, the check is performed on the link target.
  final int snapshotId = inodesInPath.getPathSnapshotId();
  final INode[] inodes = inodesInPath.getINodesArray();
  final INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.length];
  final byte[][] pathByNameArr = new byte[inodes.length][];
  // Collect names and attributes up to the first null inode
  // (a path component that does not exist).
  for (int i = 0; i < inodes.length && inodes[i] != null; i++) {
    pathByNameArr[i] = inodes[i].getLocalNameBytes();
    inodeAttrs[i] = getINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
  }

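  String path = inodesInPath.getPath();
  // Index of the parent directory in inodes (the last element is the path itself).
  int ancestorIndex = inodes.length - 2;

  // The decision is delegated to the enforcer returned by the configured
  // attribute provider; this checker is handed over as the default enforcer.
  AccessControlEnforcer enforcer =
      getAttributesProvider().getExternalAccessControlEnforcer(this);
  enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
      pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
      ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);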
}
 
Example #3
Source File: FSPermissionChecker.java    From big-c with Apache License 2.0
/**
 * Check whether the current user has permission to access the path.
 * Traverse is always checked.
 *
 * Parent path means the parent directory for the path.
 * Ancestor path means the last (the closest) existing ancestor directory
 * of the path.
 * Note that if the parent path exists,
 * then the parent path and the ancestor path are the same.
 *
 * For example, suppose the path is "/foo/bar/baz".
 * Whether baz is a file or a directory,
 * the parent path is "/foo/bar".
 * If bar exists, then the ancestor path is also "/foo/bar".
 * If bar does not exist and foo exists,
 * then the ancestor path is "/foo".
 * Further, if both foo and bar do not exist,
 * then the ancestor path is "/".
 *
 * @param doCheckOwner Require user to be the owner of the path?
 * @param ancestorAccess The access required by the ancestor of the path.
 * @param parentAccess The access required by the parent of the path.
 * @param access The access required by the path.
 * @param subAccess If path is a directory,
 * it is the access required of the path and all the sub-directories.
 * If path is not a directory, there is no effect.
 * @param ignoreEmptyDir Ignore permission checking for empty directory?
 * @throws AccessControlException
 * 
 * Guarded by {@link FSNamesystem#readLock()}
 * Caller of this method must hold that lock.
 */
void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean ignoreEmptyDir)
    throws AccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("ACCESS CHECK: " + this
        + ", doCheckOwner=" + doCheckOwner
        + ", ancestorAccess=" + ancestorAccess
        + ", parentAccess=" + parentAccess
        + ", access=" + access
        + ", subAccess=" + subAccess
        + ", ignoreEmptyDir=" + ignoreEmptyDir);
  }
  // If parentAccess != null and the file exists, the sticky bit is checked as well.
  // If resolveLink, the check is performed on the link target.
  final int snapshotId = inodesInPath.getPathSnapshotId();
  final INode[] inodes = inodesInPath.getINodesArray();
  final INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.length];
  final byte[][] pathByNameArr = new byte[inodes.length][];
  // Collect names and attributes up to the first null inode
  // (a path component that does not exist).
  for (int i = 0; i < inodes.length && inodes[i] != null; i++) {
    pathByNameArr[i] = inodes[i].getLocalNameBytes();
    inodeAttrs[i] = getINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
  }

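  String path = inodesInPath.getPath();
  // Index of the parent directory in inodes (the last element is the path itself).
  int ancestorIndex = inodes.length - 2;

  // The decision is delegated to the enforcer returned by the configured
  // attribute provider; this checker is handed over as the default enforcer.
  AccessControlEnforcer enforcer =
      getAttributesProvider().getExternalAccessControlEnforcer(this);
  enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
      pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
      ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);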
}
 
Example #4
Source File: TestINodeAttributeProvider.java    From hadoop with Apache License 2.0
@Override
public AccessControlEnforcer getExternalAccessControlEnforcer(
    AccessControlEnforcer defaultEnforcer) {
  // The default enforcer is not used here; the returned enforcer replaces it.
  return new MyAccessControlEnforcer();
}
 
Example #5
Source File: TestINodeAttributeProvider.java    From big-c with Apache License 2.0
@Override
public AccessControlEnforcer getExternalAccessControlEnforcer(
    AccessControlEnforcer defaultEnforcer) {
  // The default enforcer is not used here; the returned enforcer replaces it.
  return new MyAccessControlEnforcer();
}