Package org.apache.hadoop.hdfs.server.namenode

Class FSPermissionChecker

java.lang.Object
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker
All Implemented Interfaces:
INodeAttributeProvider.AccessControlEnforcer
public class FSPermissionChecker extends Object implements INodeAttributeProvider.AccessControlEnforcer
Class that helps in checking file system permission. The state of this class need not be synchronized as it has data structures that are read-only. Some of the helper methods are guarded by FSNamesystem.readLock(RwLockMode).

  • Constructor Details

    • FSPermissionChecker

      protected FSPermissionChecker(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, INodeAttributeProvider attributeProvider)

    • FSPermissionChecker

      protected FSPermissionChecker(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, INodeAttributeProvider attributeProvider, boolean useAuthorizationWithContextAPI, long accessControlEnforcerReportingThresholdMs)

  • Method Details

    • setOperationType

      public static void setOperationType(String opType)

    • isMemberOfGroup

      public boolean isMemberOfGroup(String group)

    • getUser

      public String getUser()

    • isSuperUser

      public boolean isSuperUser()

    • getAttributesProvider

      public INodeAttributeProvider getAttributesProvider()

    • checkSuperuserPrivilege

      public void checkSuperuserPrivilege() throws org.apache.hadoop.security.AccessControlException
      This method is retained to maintain backward compatibility. Please use the new method checkSuperuserPrivilege(String) to make sure that the external enforcers have the correct context to audit.
      Throws:
      org.apache.hadoop.security.AccessControlException - if the caller is not a super user.

    • checkSuperuserPrivilege

      public void checkSuperuserPrivilege(String path) throws org.apache.hadoop.security.AccessControlException
      Checks if the caller has super user privileges. Throws AccessControlException for non super users.
      Parameters:
      path - The resource path for which permission is being requested.
      Throws:
      org.apache.hadoop.security.AccessControlException - if the caller is not a super user.

    • denyUserAccess

      public void denyUserAccess(String path, String errorMessage) throws org.apache.hadoop.security.AccessControlException
      Calls the external enforcer to notify denial of access to the user with the given error message. Always throws an ACE with the given message.
      Parameters:
      path - The resource path for which permission is being requested.
      errorMessage - message for the exception.
      Throws:
      org.apache.hadoop.security.AccessControlException - with the error message.

    • checkPermission

      public void checkPermission(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] components, int snapshotId, String path, int ancestorIndex, boolean doCheckOwner, org.apache.hadoop.fs.permission.FsAction ancestorAccess, org.apache.hadoop.fs.permission.FsAction parentAccess, org.apache.hadoop.fs.permission.FsAction access, org.apache.hadoop.fs.permission.FsAction subAccess, boolean ignoreEmptyDir) throws org.apache.hadoop.security.AccessControlException
      Description copied from interface: INodeAttributeProvider.AccessControlEnforcer
      Checks permission on a file system object. Has to throw an Exception if the filesystem object is not accessible by the calling Ugi.
      Specified by:
      checkPermission in interface INodeAttributeProvider.AccessControlEnforcer
      Parameters:
      fsOwner - Filesystem owner (The Namenode user)
      supergroup - super user group
      callerUgi - UserGroupInformation of the caller
      inodeAttrs - Array of INode attributes for each path element in the the path
      inodes - Array of INodes for each path element in the path
      components - Array of byte arrays of the LocalName
      snapshotId - the snapshotId of the requested path
      path - Path String
      ancestorIndex - Index of ancestor
      doCheckOwner - perform ownership check
      ancestorAccess - The access required by the ancestor of the path.
      parentAccess - The access required by the parent of the path.
      access - The access required by the path.
      subAccess - If path is a directory, It is the access required of the path and all the sub-directories. If path is not a directory, there should ideally be no effect.
      ignoreEmptyDir - Ignore permission checking for empty directory?
      Throws:
      org.apache.hadoop.security.AccessControlException

    • checkPermissionWithContext

      public void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authzContext) throws org.apache.hadoop.security.AccessControlException
      Description copied from interface: INodeAttributeProvider.AccessControlEnforcer
      Checks permission on a file system object. Has to throw an Exception if the filesystem object is not accessible by the calling Ugi.
      Specified by:
      checkPermissionWithContext in interface INodeAttributeProvider.AccessControlEnforcer
      Parameters:
      authzContext - an INodeAttributeProvider.AuthorizationContext object encapsulating the various parameters required to authorize an operation.
      Throws:
      org.apache.hadoop.security.AccessControlException

    • checkPermission

      public void checkPermission(CachePool pool, org.apache.hadoop.fs.permission.FsAction access) throws org.apache.hadoop.security.AccessControlException
      Whether a cache pool can be accessed by the current context
      Parameters:
      pool - CachePool being accessed
      access - type of action being performed on the cache pool
      Throws:
      org.apache.hadoop.security.AccessControlException - if pool cannot be accessed