doc/html/FsPermissionChecker_8java_source.html

 // Copyright 2013 Cloudera Inc.

 //

 // Licensed under the Apache License, Version 2.0 (the "License");

 // you may not use this file except in compliance with the License.

 // You may obtain a copy of the License at

 //

 // http://www.apache.org/licenses/LICENSE-2.0

 //

 // Unless required by applicable law or agreed to in writing, software

 // distributed under the License is distributed on an "AS IS" BASIS,

 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 // See the License for the specific language governing permissions and

 // limitations under the License.


 package com.cloudera.impala.util;


 import java.io.IOException;

 import java.util.Arrays;

 import java.util.HashSet;

 import java.util.Set;

 import java.util.Map;

 import java.util.List;


 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;


 import org.apache.hadoop.fs.permission.AclEntry;

 import org.apache.hadoop.fs.permission.AclEntryType;

 import org.apache.hadoop.fs.permission.AclStatus;

 import org.apache.hadoop.fs.permission.AclStatus;

 import org.apache.hadoop.fs.permission.AclEntryScope;

 import org.apache.hadoop.fs.FileStatus;

 import org.apache.hadoop.fs.FileSystem;

 import org.apache.hadoop.fs.Path;

 import org.apache.hadoop.fs.permission.FsAction;

 import org.apache.hadoop.fs.permission.FsPermission;

 import org.apache.hadoop.security.UserGroupInformation;

 import org.apache.hadoop.hdfs.protocol.AclException;

 import org.apache.hadoop.ipc.RemoteException;


 import com.google.common.base.Preconditions;

 import com.google.common.collect.ImmutableList;

 import com.google.common.collect.Maps;

 import com.google.common.collect.Lists;


 public class FsPermissionChecker {

   private final static Logger LOG = LoggerFactory.getLogger(FsPermissionChecker.class);

   private final static FsPermissionChecker instance_;

   protected final String user_;

   private final Set<String> groups_ = new HashSet<String>();


   static {

     try {

       instance_ = new FsPermissionChecker();

     } catch (IOException e) {

       throw new RuntimeException(

           "Error initializing FsPermissionChecker: " + e.getMessage(), e);

     }

   }


   private FsPermissionChecker() throws IOException {

     UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

     groups_.addAll(Arrays.asList(ugi.getGroupNames()));

     // Todo: should add HDFS supergroup as well

     user_ = ugi.getShortUserName();

   }


   private static List<AclEntryType> ACL_TYPE_PRIORITY =

       ImmutableList.of(AclEntryType.USER, AclEntryType.GROUP, AclEntryType.OTHER);


   public class Permissions {

     private final FileStatus fileStatus_;

     private final FsPermission permissions_;

     private final AclStatus aclStatus_;

     private Map<AclEntryType, List<AclEntry>> entriesByTypes_ = Maps.newHashMap();

     private AclEntry mask_;


     protected Permissions(FileStatus fileStatus, AclStatus aclStatus) {

       Preconditions.checkNotNull(fileStatus);

       fileStatus_ = fileStatus;

       permissions_ = fileStatus.getPermission();

       aclStatus_ = aclStatus;

       if (aclStatus_ == null) return;


       // Group the ACLs by type, so that we can apply them in correct priority order. Not

       // clear from documentation whether aclStatus_.getEntries() guarantees this

       // ordering, so this is defensive.

       for (AclEntryType t: ACL_TYPE_PRIORITY) {

         entriesByTypes_.put(t, Lists.<AclEntry>newArrayList());

       }


       List<AclEntry> fullAclList =

           getAclFromPermAndEntries(permissions_, aclStatus_.getEntries());

       for (AclEntry e: fullAclList) {

         if (e.getType() == AclEntryType.MASK && e.getScope() != AclEntryScope.DEFAULT) {

           mask_ = e;

         } else if (isApplicableAcl(e)) {

           entriesByTypes_.get(e.getType()).add(e);

         }

       }

     }


     private boolean shouldApplyMask(AclEntry acl) {

       if (mask_ == null) return false;


       switch (acl.getType()) {

         case USER:

           return acl.getName() != null;

         case GROUP:

           return true;

       }

       return false;

     }


     private boolean isApplicableAcl(AclEntry e) {

       // Default ACLs are not used for permission checking, but instead control the

       // permissions received by child directories

       if (e.getScope() == AclEntryScope.DEFAULT) return false;


       switch (e.getType()) {

         case USER:

           String aclUser = e.getName() == null ? aclStatus_.getOwner() : e.getName();

           return FsPermissionChecker.this.user_.equals(aclUser);

         case GROUP:

           String aclGroup = e.getName() == null ? aclStatus_.getGroup() : e.getName();

           return FsPermissionChecker.this.groups_.contains(aclGroup);

         case OTHER:

           return true;

         case MASK:

           return false;

         default:

           LOG.warn("Unknown Acl type: " + e.getType());

           return false;

       }

     }


     private Boolean checkAcls(FsAction action) {

       // ACLs may not be enabled, so we need this ternary logic. If no ACLs are available,

       // returning null causes us to fall back to standard ugo permissions.

       if (aclStatus_ == null) return null;


       // Remember if there is an applicable ACL entry, including owner user, named user,

       // owning group, named group.

       boolean foundMatch = false;

       for (AclEntryType t: ACL_TYPE_PRIORITY) {

         for (AclEntry e: entriesByTypes_.get(t)) {

           if (t == AclEntryType.OTHER) {

             // Processed all ACL entries except the OTHER entry.

             // If found applicable ACL entries but none of them contain requested

             // permission, deny access. Otherwise check OTHER entry.

             return foundMatch ? false : e.getPermission().implies(action);

           }

           // If there is an applicable mask, 'action' is allowed iff both the mask and

           // the underlying ACL permit it.

           if (e.getPermission().implies(action)) {

             if (shouldApplyMask(e)) {

               if (mask_.getPermission().implies(action)) return true;

             } else {

               return true;

             }

           }

           // User ACL entry has priority, no need to continue check.

           if (t == AclEntryType.USER) return false;


           foundMatch = true;

         }

       }

       return false;

     }


     public boolean checkPermissions(FsAction action) {

       Boolean aclPerms = checkAcls(action);

       if (aclPerms != null) return aclPerms;


       // Check user, group and then 'other' permissions in turn.

       if (FsPermissionChecker.this.user_.equals(fileStatus_.getOwner())) {

         // If the user matches, we must return their access rights whether or not the user

         // is allowed to access without checking the group. This is counter-intuitive if

         // the user cannot access the file, but the group permissions would allow it, but

         // is consistent with UNIX behaviour.

         return permissions_.getUserAction().implies(action);

       }


       if (FsPermissionChecker.this.groups_.contains(fileStatus_.getGroup())) {

         return permissions_.getGroupAction().implies(action);

       }

       return permissions_.getOtherAction().implies(action);

     }


     public boolean canRead() { return checkPermissions(FsAction.READ); }

     public boolean canWrite() { return checkPermissions(FsAction.WRITE); }

     public boolean canReadAndWrite() { return canRead() && canWrite(); }


     // This was originally lifted from Hadoop. Won't need it if HDFS-7177 is resolved.

     // getAclStatus() returns just extended ACL entries, the default file permissions

     // like "user::,group::,other::" are not included. We need to combine them together

     // to get full logic ACL list.

     private List<AclEntry> getAclFromPermAndEntries(FsPermission perm,

         List<AclEntry> entries) {

       // File permission always have 3 items.

       List<AclEntry> aclEntries = Lists.newArrayListWithCapacity(entries.size() + 3);


       // Owner entry implied by owner permission bits.

       aclEntries.add(new AclEntry.Builder()

           .setScope(AclEntryScope.ACCESS)

           .setType(AclEntryType.USER)

           .setPermission(perm.getUserAction())

           .build());


       // All extended access ACL entries add by "-setfacl" other than default file

       // permission.

       boolean hasAccessAcl = false;

       for (AclEntry entry: entries) {

         // AclEntry list should be ordered, all ACCESS one are in first half, DEFAULT one

         // are in second half, so no need to continue here.

         if (entry.getScope() == AclEntryScope.DEFAULT) break;

         hasAccessAcl = true;

         aclEntries.add(entry);

       }


       // Mask entry implied by group permission bits, or group entry if there is

       // no access ACL (only default ACL).

       aclEntries.add(new AclEntry.Builder()

           .setScope(AclEntryScope.ACCESS)

           .setType(hasAccessAcl ? AclEntryType.MASK : AclEntryType.GROUP)

           .setPermission(perm.getGroupAction())

           .build());


       // Other entry implied by other bits.

       aclEntries.add(new AclEntry.Builder()

           .setScope(AclEntryScope.ACCESS)

           .setType(AclEntryType.OTHER)

           .setPermission(perm.getOtherAction())

           .build());


       return aclEntries;

     }

   }


   public Permissions getPermissions(FileSystem fs, Path path) throws IOException {

     Preconditions.checkNotNull(fs);

     Preconditions.checkNotNull(path);

     AclStatus aclStatus = null;

     try {

       aclStatus = fs.getAclStatus(path);

     } catch (AclException ex) {

       LOG.trace("No ACLs retrieved, skipping ACLs check (HDFS will enforce ACLs)", ex);

     } catch (UnsupportedOperationException ex) {

       LOG.trace("No ACLs retrieved, unsupported", ex);

     }

     return new Permissions(fs.getFileStatus(path), aclStatus);

   }


   public static FsPermissionChecker getInstance() { return instance_; }

 }

path
string path("/usr/lib/sasl2:/usr/lib64/sasl2:/usr/local/lib/sasl2:/usr/lib/x86_64-linux-gnu/sasl2")

com.cloudera.impala.util.FsPermissionChecker.Permissions.aclStatus_
final AclStatus aclStatus_
Definition: FsPermissionChecker.java:83

com.cloudera.impala.util.FsPermissionChecker.instance_
static final FsPermissionChecker instance_
Definition: FsPermissionChecker.java:52

com.cloudera.impala.util.FsPermissionChecker.groups_
final Set< String > groups_
Definition: FsPermissionChecker.java:54

com.cloudera.impala.util.FsPermissionChecker.Permissions.Permissions
Permissions(FileStatus fileStatus, AclStatus aclStatus)
Definition: FsPermissionChecker.java:90

com.cloudera.impala.util.FsPermissionChecker.Permissions.permissions_
final FsPermission permissions_
Definition: FsPermissionChecker.java:82

com.cloudera.impala.util.FsPermissionChecker.Permissions.canWrite
boolean canWrite()
Definition: FsPermissionChecker.java:220

com.cloudera.impala.util.FsPermissionChecker
Definition: FsPermissionChecker.java:50

com.cloudera.impala.util.FsPermissionChecker.Permissions.checkPermissions
boolean checkPermissions(FsAction action)
Definition: FsPermissionChecker.java:200

com.cloudera.impala.util.FsPermissionChecker.ACL_TYPE_PRIORITY
static List< AclEntryType > ACL_TYPE_PRIORITY
Definition: FsPermissionChecker.java:73

com.cloudera.impala.util.FsPermissionChecker.getPermissions
Permissions getPermissions(FileSystem fs, Path path)
Definition: FsPermissionChecker.java:273

com.cloudera.impala.util.FsPermissionChecker.Permissions.mask_
AclEntry mask_
Definition: FsPermissionChecker.java:85

com.cloudera.impala.util.FsPermissionChecker.user_
final String user_
Definition: FsPermissionChecker.java:53

com.cloudera.impala.util.FsPermissionChecker.Permissions
Definition: FsPermissionChecker.java:80

com.cloudera.impala.util.FsPermissionChecker.Permissions.shouldApplyMask
boolean shouldApplyMask(AclEntry acl)
Definition: FsPermissionChecker.java:119

com.cloudera.impala.util.FsPermissionChecker.Permissions.checkAcls
Boolean checkAcls(FsAction action)
Definition: FsPermissionChecker.java:162

com.cloudera.impala.util.FsPermissionChecker.Permissions.getAclFromPermAndEntries
List< AclEntry > getAclFromPermAndEntries(FsPermission perm, List< AclEntry > entries)
Definition: FsPermissionChecker.java:227

com.cloudera.impala.util.FsPermissionChecker.FsPermissionChecker
FsPermissionChecker()
Definition: FsPermissionChecker.java:65

com.cloudera.impala.util.FsPermissionChecker.getInstance
static FsPermissionChecker getInstance()
Definition: FsPermissionChecker.java:290

com.cloudera.impala.util.FsPermissionChecker.Permissions.entriesByTypes_
Map< AclEntryType, List< AclEntry > > entriesByTypes_
Definition: FsPermissionChecker.java:84

com.cloudera.impala.util.FsPermissionChecker.LOG
static final Logger LOG
Definition: FsPermissionChecker.java:51

com.cloudera.impala.util.FsPermissionChecker.Permissions.canRead
boolean canRead()
Definition: FsPermissionChecker.java:219

com.cloudera.impala.util.FsPermissionChecker.Permissions.canReadAndWrite
boolean canReadAndWrite()
Definition: FsPermissionChecker.java:221

com.cloudera.impala.util.FsPermissionChecker.Permissions.isApplicableAcl
boolean isApplicableAcl(AclEntry e)
Definition: FsPermissionChecker.java:134

com.cloudera.impala.util.FsPermissionChecker.Permissions.fileStatus_
final FileStatus fileStatus_
Definition: FsPermissionChecker.java:81