Class AclStorage

java.lang.Object
org.apache.hadoop.hdfs.server.namenode.AclStorage

@Private public final class AclStorage extends Object
AclStorage contains utility methods that define how ACL data is stored in the namespace. If an inode has an ACL, then the ACL bit is set in the inode's FsPermission and the inode also contains an AclFeature.

For the access ACL, the owner and other entries are identical to the owner and other bits stored in FsPermission, so we reuse those. The access mask entry is stored into the group permission bits of FsPermission. This is consistent with other file systems' implementations of ACLs and eliminates the need for special handling in various parts of the codebase. For example, if a user calls chmod to change group permission bits on a file with an ACL, then the expected behavior is to change the ACL's mask entry. By saving the mask entry into the group permission bits, chmod continues to work correctly without special handling.

All remaining access entries (named users and named groups) are stored as explicit AclEntry instances in a list inside the AclFeature. Additionally, all default entries are stored in the AclFeature.

The methods in this class encapsulate these rules for reading or writing the ACL entries to the appropriate location. The methods in this class assume that input ACL entry lists have already been validated and sorted according to the rules enforced by AclTransformation.
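The storage rules above, and their effect on chmod, as an added plain-JDK model (Java 16+); this is not Hadoop code and does not use the Hadoop API. The names AclStorageModel, Entry, Stored, store, chmod and effective are hypothetical, and keeping the unnamed group entry in the feature list (because the mask occupies the group bits) is an assumption of the model.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Added illustration: plain-JDK model of the storage rules above, not Hadoop code.
public class AclStorageModel {
    // perm is an rwx bit set (0-7); name is null for unnamed entries.
    record Entry(String scope, String type, String name, int perm) {}
    // Inode state: 9 permission bits, the ACL bit, and the AclFeature entry list.
    record Stored(int mode, boolean aclBit, List<Entry> feature) {}

    static Stored store(List<Entry> logicalAcl) {
        int owner = 0, group = 0, other = 0, mask = -1;
        List<Entry> accessExt = new ArrayList<>(), feature = new ArrayList<>();
        for (Entry e : logicalAcl) {
            if (e.scope().equals("default")) feature.add(e); // all default entries
            else if (e.type().equals("mask")) mask = e.perm();
            else if (e.type().equals("other")) other = e.perm();
            else if (e.type().equals("user") && e.name() == null) owner = e.perm();
            else {
                if (e.name() == null) group = e.perm();
                accessExt.add(e); // named entries; unnamed group too (assumption)
            }
        }
        boolean extended = mask >= 0; // a validated extended access ACL has a mask
        if (extended) feature.addAll(0, accessExt);
        int groupBits = extended ? mask : group; // mask takes over the group bits
        return new Stored(owner << 6 | groupBits << 3 | other, !feature.isEmpty(), feature);
    }

    // chmod rewrites only the 9 bits, so with an extended ACL it rewrites the mask.
    static Stored chmod(Stored s, int newMode) { return new Stored(newMode, s.aclBit(), s.feature()); }

    // Effective permission of an access entry held in the feature list: entry AND mask.
    static int effective(Stored s, String type, String name) {
        int mask = (s.mode() >> 3) & 7;
        for (Entry e : s.feature())
            if (e.scope().equals("access") && e.type().equals(type) && Objects.equals(name, e.name()))
                return e.perm() & mask;
        return -1; // no such entry
    }

    public static void main(String[] args) {
        List<Entry> acl = List.of( // constructed sample ACL
            new Entry("access", "user", null, 7), new Entry("access", "user", "alice", 7),
            new Entry("access", "group", null, 5), new Entry("access", "mask", null, 7),
            new Entry("access", "other", null, 0));
        Stored s = store(acl), t = chmod(s, 0740);
        System.out.printf("mode=%o alice=%d%n", s.mode(), effective(s, "user", "alice"));
        System.out.printf("mode=%o alice=%d group=%d%n", t.mode(),
            effective(t, "user", "alice"), effective(t, "group", null));
    }
}
```

When auditing access, read the group bits of an inode with the ACL bit set as the mask: tightening them with chmod caps every named user, named group and the owning group at once, and loosening them widens all of those entries up to their stored permissions.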
  • Method Details

    • copyINodeDefaultAcl

      public static boolean copyINodeDefaultAcl(INode child)
      If a default ACL is defined on a parent directory, then copies that default ACL to a newly created child file or directory.
      Parameters:
      child - INode newly created child
    • readINodeAcl

      public static List<org.apache.hadoop.fs.permission.AclEntry> readINodeAcl(INode inode, int snapshotId)
      Reads the existing extended ACL entries of an inode. This method returns only the extended ACL entries stored in the AclFeature. If the inode does not have an ACL, then this method returns an empty list. This method supports querying by snapshot ID.
      Parameters:
      inode - INode to read
      snapshotId - int ID of snapshot to read
      Returns:
      List<AclEntry> containing extended inode ACL entries
    • readINodeAcl

      public static List<org.apache.hadoop.fs.permission.AclEntry> readINodeAcl(INodeAttributes inodeAttr)
      Reads the existing extended ACL entries of an INodeAttribute object.
      Parameters:
      inodeAttr - INode to read
      Returns:
      List<AclEntry> containing extended inode ACL entries
    • readINodeLogicalAcl

      public static List<org.apache.hadoop.fs.permission.AclEntry> readINodeLogicalAcl(INode inode)
      Reads the existing ACL of an inode. This method always returns the full logical ACL of the inode after reading relevant data from the inode's FsPermission and AclFeature. Note that every inode logically has an ACL, even if no ACL has been set explicitly. If the inode does not have an extended ACL, then the result is a minimal ACL consisting of exactly 3 entries that correspond to the owner, group and other permissions. This method always reads the inode's current state and does not support querying by snapshot ID. This is because the method is intended to support ACL modification APIs, which always apply a delta on top of current state.
      Parameters:
      inode - INode to read
      Returns:
      List<AclEntry> containing all logical inode ACL entries
    • updateINodeAcl

      public static void updateINodeAcl(INode inode, List<org.apache.hadoop.fs.permission.AclEntry> newAcl, int snapshotId) throws org.apache.hadoop.hdfs.protocol.AclException, org.apache.hadoop.hdfs.protocol.QuotaExceededException
      Updates an inode with a new ACL. This method takes a full logical ACL and stores the entries to the inode's FsPermission and AclFeature.
      Parameters:
      inode - INode to update
      newAcl - List<AclEntry> containing new ACL entries
      snapshotId - int latest snapshot ID of inode
      Throws:
      org.apache.hadoop.hdfs.protocol.AclException - if the ACL is invalid for the given inode
      org.apache.hadoop.hdfs.protocol.QuotaExceededException - if quota limit is exceeded
    • getUniqueAclFeatures

      @VisibleForTesting public static ReferenceCountMap<AclFeature> getUniqueAclFeatures()
    • addAclFeature

      public static AclFeature addAclFeature(AclFeature aclFeature)
      Add reference for the said AclFeature
      Parameters:
      aclFeature -
      Returns:
      Referenced AclFeature
    • removeAclFeature

      public static void removeAclFeature(AclFeature aclFeature)
      Remove reference to the AclFeature
      Parameters:
      aclFeature -