Java 类org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AccessControlEnforcer 实例源码

/**
 * Check whether current user have permissions to access the path.
 * Traverse is always checked.
 *
 * Parent path means the parent directory for the path.
 * Ancestor path means the last (the closest) existing ancestor directory
 * of the path.
 * Note that if the parent path exists,
 * then the parent path and the ancestor path are the same.
 *
 * For example, suppose the path is "/foo/bar/baz".
 * No matter baz is a file or a directory,
 * the parent path is "/foo/bar".
 * If bar exists, then the ancestor path is also "/foo/bar".
 * If bar does not exist and foo exists,
 * then the ancestor path is "/foo".
 * Further, if both foo and bar do not exist,
 * then the ancestor path is "/".
 *
 * @param doCheckOwner Require user to be the owner of the path?
 * @param ancestorAccess The access required by the ancestor of the path.
 * @param parentAccess The access required by the parent of the path.
 * @param access The access required by the path.
 * @param subAccess If path is a directory,
 * it is the access required of the path and all the sub-directories.
 * If path is not a directory, there is no effect.
 * @param ignoreEmptyDir Ignore permission checking for empty directory?
 * @throws AccessControlException
 * 
 * Guarded by {@link FSNamesystem#readLock()}
 * Caller of this method must hold that lock.
 */
void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean ignoreEmptyDir)
    throws AccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("ACCESS CHECK: " + this
        + ", doCheckOwner=" + doCheckOwner
        + ", ancestorAccess=" + ancestorAccess
        + ", parentAccess=" + parentAccess
        + ", access=" + access
        + ", subAccess=" + subAccess
        + ", ignoreEmptyDir=" + ignoreEmptyDir);
  }
  // check if (parentAccess != null) && file exists, then check sb
  // If resolveLink, the check is performed on the link target.
  final int snapshotId = inodesInPath.getPathSnapshotId();
  final INode[] inodes = inodesInPath.getINodesArray();
  final INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.length];
  final byte[][] pathByNameArr = new byte[inodes.length][];
  for (int i = 0; i < inodes.length && inodes[i] != null; i++) {
    if (inodes[i] != null) {
      pathByNameArr[i] = inodes[i].getLocalNameBytes();
      inodeAttrs[i] = getINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
    }
  }

  String path = inodesInPath.getPath();
  int ancestorIndex = inodes.length - 2;

  AccessControlEnforcer enforcer =
      getAttributesProvider().getExternalAccessControlEnforcer(this);
  enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
      pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
      ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
}

/**
 * Check whether current user have permissions to access the path.
 * Traverse is always checked.
 *
 * Parent path means the parent directory for the path.
 * Ancestor path means the last (the closest) existing ancestor directory
 * of the path.
 * Note that if the parent path exists,
 * then the parent path and the ancestor path are the same.
 *
 * For example, suppose the path is "/foo/bar/baz".
 * No matter baz is a file or a directory,
 * the parent path is "/foo/bar".
 * If bar exists, then the ancestor path is also "/foo/bar".
 * If bar does not exist and foo exists,
 * then the ancestor path is "/foo".
 * Further, if both foo and bar do not exist,
 * then the ancestor path is "/".
 *
 * @param doCheckOwner Require user to be the owner of the path?
 * @param ancestorAccess The access required by the ancestor of the path.
 * @param parentAccess The access required by the parent of the path.
 * @param access The access required by the path.
 * @param subAccess If path is a directory,
 * it is the access required of the path and all the sub-directories.
 * If path is not a directory, there is no effect.
 * @param ignoreEmptyDir Ignore permission checking for empty directory?
 * @throws AccessControlException
 * 
 * Guarded by {@link FSNamesystem#readLock()}
 * Caller of this method must hold that lock.
 */
void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean ignoreEmptyDir)
    throws AccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("ACCESS CHECK: " + this
        + ", doCheckOwner=" + doCheckOwner
        + ", ancestorAccess=" + ancestorAccess
        + ", parentAccess=" + parentAccess
        + ", access=" + access
        + ", subAccess=" + subAccess
        + ", ignoreEmptyDir=" + ignoreEmptyDir);
  }
  // check if (parentAccess != null) && file exists, then check sb
  // If resolveLink, the check is performed on the link target.
  final int snapshotId = inodesInPath.getPathSnapshotId();
  final INode[] inodes = inodesInPath.getINodesArray();
  final INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.length];
  final byte[][] pathByNameArr = new byte[inodes.length][];
  for (int i = 0; i < inodes.length && inodes[i] != null; i++) {
    if (inodes[i] != null) {
      pathByNameArr[i] = inodes[i].getLocalNameBytes();
      inodeAttrs[i] = getINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
    }
  }

  String path = inodesInPath.getPath();
  int ancestorIndex = inodes.length - 2;

  AccessControlEnforcer enforcer =
      getAttributesProvider().getExternalAccessControlEnforcer(this);
  enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
      pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
      ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
}

/**
 * Check whether current user have permissions to access the path.
 * Traverse is always checked.
 *
 * Parent path means the parent directory for the path.
 * Ancestor path means the last (the closest) existing ancestor directory
 * of the path.
 * Note that if the parent path exists,
 * then the parent path and the ancestor path are the same.
 *
 * For example, suppose the path is "/foo/bar/baz".
 * No matter baz is a file or a directory,
 * the parent path is "/foo/bar".
 * If bar exists, then the ancestor path is also "/foo/bar".
 * If bar does not exist and foo exists,
 * then the ancestor path is "/foo".
 * Further, if both foo and bar do not exist,
 * then the ancestor path is "/".
 *
 * @param doCheckOwner Require user to be the owner of the path?
 * @param ancestorAccess The access required by the ancestor of the path.
 * @param parentAccess The access required by the parent of the path.
 * @param access The access required by the path.
 * @param subAccess If path is a directory,
 * it is the access required of the path and all the sub-directories.
 * If path is not a directory, there is no effect.
 * @param ignoreEmptyDir Ignore permission checking for empty directory?
 * @throws AccessControlException
 * 
 * Guarded by {@link FSNamesystem#readLock()}
 * Caller of this method must hold that lock.
 */
void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean ignoreEmptyDir)
    throws AccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("ACCESS CHECK: " + this
        + ", doCheckOwner=" + doCheckOwner
        + ", ancestorAccess=" + ancestorAccess
        + ", parentAccess=" + parentAccess
        + ", access=" + access
        + ", subAccess=" + subAccess
        + ", ignoreEmptyDir=" + ignoreEmptyDir);
  }
  // check if (parentAccess != null) && file exists, then check sb
  // If resolveLink, the check is performed on the link target.
  final int snapshotId = inodesInPath.getPathSnapshotId();
  final INode[] inodes = inodesInPath.getINodesArray();
  final INodeAttributes[] inodeAttrs = new INodeAttributes[inodes.length];
  final byte[][] pathByNameArr = new byte[inodes.length][];
  for (int i = 0; i < inodes.length && inodes[i] != null; i++) {
    if (inodes[i] != null) {
      pathByNameArr[i] = inodes[i].getLocalNameBytes();
      inodeAttrs[i] = getINodeAttrs(pathByNameArr, i, inodes[i], snapshotId);
    }
  }

  String path = inodesInPath.getPath();
  int ancestorIndex = inodes.length - 2;

  AccessControlEnforcer enforcer =
      getAttributesProvider().getExternalAccessControlEnforcer(this);
  enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
      pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
      ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
}

@Override
public AccessControlEnforcer getExternalAccessControlEnforcer(
    AccessControlEnforcer deafultEnforcer) {
  return new MyAccessControlEnforcer();
}

@Override
public AccessControlEnforcer getExternalAccessControlEnforcer(
    AccessControlEnforcer deafultEnforcer) {
  return new MyAccessControlEnforcer();
}

@Override
public AccessControlEnforcer getExternalAccessControlEnforcer(
    AccessControlEnforcer deafultEnforcer) {
  return new MyAccessControlEnforcer();
}