Interface INodeAttributeProvider.AccessControlEnforcer

All Known Implementing Classes:
FSPermissionChecker
Enclosing class:
INodeAttributeProvider

public static interface INodeAttributeProvider.AccessControlEnforcer
The AccessControlEnforcer allows implementations to override the default file system permission checking logic enforced on a file system object.
  • Method Details

    • checkPermission

      void checkPermission(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr, int snapshotId, String path, int ancestorIndex, boolean doCheckOwner, org.apache.hadoop.fs.permission.FsAction ancestorAccess, org.apache.hadoop.fs.permission.FsAction parentAccess, org.apache.hadoop.fs.permission.FsAction access, org.apache.hadoop.fs.permission.FsAction subAccess, boolean ignoreEmptyDir) throws org.apache.hadoop.security.AccessControlException
      Checks permission on a file system object. Must throw an AccessControlException if the file system object is not accessible by the calling UGI.
      Parameters:
      fsOwner - Filesystem owner (The Namenode user)
      supergroup - super user group
      callerUgi - UserGroupInformation of the caller
      inodeAttrs - Array of INode attributes for each path element in the path
      inodes - Array of INodes for each path element in the path
      pathByNameArr - Array of byte arrays of the LocalName
      snapshotId - the snapshotId of the requested path
      path - Path String
      ancestorIndex - Index of ancestor
      doCheckOwner - perform ownership check
      ancestorAccess - The access required by the ancestor of the path.
      parentAccess - The access required by the parent of the path.
      access - The access required by the path.
      subAccess - If path is a directory, it is the access required of the path and all the sub-directories. If path is not a directory, there should ideally be no effect.
      ignoreEmptyDir - Ignore permission checking for empty directory?
      Throws:
      org.apache.hadoop.security.AccessControlException
    • checkPermissionWithContext

      default void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authzContext) throws org.apache.hadoop.security.AccessControlException
      Checks permission on a file system object. Must throw an AccessControlException if the file system object is not accessible by the calling UGI.
      Parameters:
      authzContext - an INodeAttributeProvider.AuthorizationContext object encapsulating the various parameters required to authorize an operation.
      Throws:
      org.apache.hadoop.security.AccessControlException
    • checkSuperUserPermissionWithContext

      default void checkSuperUserPermissionWithContext(INodeAttributeProvider.AuthorizationContext authzContext) throws org.apache.hadoop.security.AccessControlException
      Checks whether the user is a superuser or belongs to the superuser group. Throws an AccessControlException if the user is not a superuser.
      Parameters:
      authzContext - an INodeAttributeProvider.AuthorizationContext object encapsulating the various parameters required to authorize an operation.
      Throws:
      org.apache.hadoop.security.AccessControlException - if user is not a super user or part of the super user group.
    • denyUserAccess

      default void denyUserAccess(INodeAttributeProvider.AuthorizationContext authzContext, String errorMessage) throws org.apache.hadoop.security.AccessControlException
      This method must be called when denying access to users to notify the external enforcers. This will help the external enforcers to audit the requests by users that were denied access.
      Parameters:
      authzContext - an INodeAttributeProvider.AuthorizationContext object encapsulating the various parameters required to authorize an operation.
      Throws:
      org.apache.hadoop.security.AccessControlException
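
An added example, not code from Hadoop or from this page: an enforcer that wraps the default one, applies one extra deny rule on both permission-check entry points, and overrides denyUserAccess to record denials. The class name, the /restricted prefix and the stderr audit line are assumptions; the AuthorizationContext getters used (getFsOwner, getCallerUgi, getPath) come from the Hadoop API and are not listed on this page.

```java
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.server.namenode.INode;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AccessControlEnforcer;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AuthorizationContext;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical enforcer: one extra deny rule on top of the default checks. */
public class RestrictedPathEnforcer implements AccessControlEnforcer {
  private static final String RESTRICTED = "/restricted"; // constructed sample prefix
  private final AccessControlEnforcer defaults;            // e.g. FSPermissionChecker
  public RestrictedPathEnforcer(AccessControlEnforcer defaults) { this.defaults = defaults; }

  @Override
  public void checkPermission(String fsOwner, String supergroup, UserGroupInformation callerUgi,
      INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr, int snapshotId,
      String path, int ancestorIndex, boolean doCheckOwner, FsAction ancestorAccess,
      FsAction parentAccess, FsAction access, FsAction subAccess, boolean ignoreEmptyDir)
      throws AccessControlException {
    extraRule(fsOwner, callerUgi, path);
    defaults.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes, pathByNameArr,
        snapshotId, path, ancestorIndex, doCheckOwner, ancestorAccess, parentAccess, access,
        subAccess, ignoreEmptyDir);
  }

  @Override
  public void checkPermissionWithContext(AuthorizationContext ctx) throws AccessControlException {
    // Same policy as the legacy entry point: extra rule first, then the default checks.
    extraRule(ctx.getFsOwner(), ctx.getCallerUgi(), ctx.getPath());
    defaults.checkPermissionWithContext(ctx);
  }

  @Override
  public void denyUserAccess(AuthorizationContext ctx, String errorMessage)
      throws AccessControlException {
    // Record the denial, then throw so it cannot be swallowed (this example's choice).
    System.err.printf("DENIED user=%s path=%s reason=%s%n",
        ctx.getCallerUgi().getShortUserName(), ctx.getPath(), errorMessage);
    throw new AccessControlException(errorMessage);
  }

  // Only the filesystem owner may use the restricted tree; a missing caller or path is denied.
  private static void extraRule(String fsOwner, UserGroupInformation ugi, String path)
      throws AccessControlException {
    boolean hit = path != null && (path.equals(RESTRICTED) || path.startsWith(RESTRICTED + "/"));
    if (ugi == null || path == null || (hit && !ugi.getShortUserName().equals(fsOwner))) {
      throw new AccessControlException("Denied by restricted-path rule: " + path);
    }
  }
}
```

The prefix match compares against "/restricted" and "/restricted/" separately so that a sibling such as /restricted-archive is not caught by the rule. A production enforcer would write the denial to its audit log with user and path values escaped instead of printing to stderr.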