org.apache.hadoop.hdfs.server.namenode

Class FSPermissionChecker

java.lang.Object

org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker

All Implemented Interfaces:

INodeAttributeProvider.AccessControlEnforcer

public class FSPermissionChecker
extends Object
implements INodeAttributeProvider.AccessControlEnforcer

Class that helps in checking file system permission. The state of this class need not be synchronized as it has data structures that are read-only. Some of the helper methods are gaurded by FSNamesystem.readLock().

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	FSPermissionChecker(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, INodeAttributeProvider attributeProvider)

Method Summary

Methods

Modifier and Type	Method and Description
void	checkPermission(org.apache.hadoop.hdfs.server.namenode.CachePool pool, org.apache.hadoop.fs.permission.FsAction access) Whether a cache pool can be accessed by the current context
void	checkPermission(String fsOwner, String supergroup, org.apache.hadoop.security.UserGroupInformation callerUgi, org.apache.hadoop.hdfs.server.namenode.INodeAttributes[] inodeAttrs, org.apache.hadoop.hdfs.server.namenode.INode[] inodes, byte[][] components, int snapshotId, String path, int ancestorIndex, boolean doCheckOwner, org.apache.hadoop.fs.permission.FsAction ancestorAccess, org.apache.hadoop.fs.permission.FsAction parentAccess, org.apache.hadoop.fs.permission.FsAction access, org.apache.hadoop.fs.permission.FsAction subAccess, boolean ignoreEmptyDir) Checks permission on a file system object.
void	checkSuperuserPrivilege() Verify if the caller has the required permission.
INodeAttributeProvider	getAttributesProvider()
String	getUser()
boolean	isMemberOfGroup(String group)
boolean	isSuperUser()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

FSPermissionChecker

protected FSPermissionChecker(String fsOwner,
                   String supergroup,
                   org.apache.hadoop.security.UserGroupInformation callerUgi,
                   INodeAttributeProvider attributeProvider)

Method Detail

isMemberOfGroup

public boolean isMemberOfGroup(String group)

getUser

public String getUser()

isSuperUser

public boolean isSuperUser()

getAttributesProvider

public INodeAttributeProvider getAttributesProvider()

checkSuperuserPrivilege

public void checkSuperuserPrivilege()
                             throws org.apache.hadoop.security.AccessControlException

Verify if the caller has the required permission. This will result into an exception if the caller is not allowed to access the resource.

Throws:

org.apache.hadoop.security.AccessControlException

checkPermission

public void checkPermission(String fsOwner,
                   String supergroup,
                   org.apache.hadoop.security.UserGroupInformation callerUgi,
                   org.apache.hadoop.hdfs.server.namenode.INodeAttributes[] inodeAttrs,
                   org.apache.hadoop.hdfs.server.namenode.INode[] inodes,
                   byte[][] components,
                   int snapshotId,
                   String path,
                   int ancestorIndex,
                   boolean doCheckOwner,
                   org.apache.hadoop.fs.permission.FsAction ancestorAccess,
                   org.apache.hadoop.fs.permission.FsAction parentAccess,
                   org.apache.hadoop.fs.permission.FsAction access,
                   org.apache.hadoop.fs.permission.FsAction subAccess,
                   boolean ignoreEmptyDir)
                     throws org.apache.hadoop.security.AccessControlException

Description copied from interface: INodeAttributeProvider.AccessControlEnforcer

Checks permission on a file system object. Has to throw an Exception if the filesystem object is not accessessible by the calling Ugi.

Specified by:

checkPermission in interface INodeAttributeProvider.AccessControlEnforcer

Parameters:

fsOwner - Filesystem owner (The Namenode user)

supergroup - super user geoup

callerUgi - UserGroupInformation of the caller

inodeAttrs - Array of INode attributes for each path element in the the path

inodes - Array of INodes for each path element in the path

components - Array of byte arrays of the LocalName

snapshotId - the snapshotId of the requested path

path - Path String

ancestorIndex - Index of ancestor

doCheckOwner - perform ownership check

ancestorAccess - The access required by the ancestor of the path.

parentAccess - The access required by the parent of the path.

access - The access required by the path.

subAccess - If path is a directory, It is the access required of the path and all the sub-directories. If path is not a directory, there should ideally be no effect.

ignoreEmptyDir - Ignore permission checking for empty directory?

Throws:

org.apache.hadoop.security.AccessControlException

checkPermission

public void checkPermission(org.apache.hadoop.hdfs.server.namenode.CachePool pool,
                   org.apache.hadoop.fs.permission.FsAction access)
                     throws org.apache.hadoop.security.AccessControlException

Whether a cache pool can be accessed by the current context

Parameters:

pool - CachePool being accessed

access - type of action being performed on the cache pool

Throws:

org.apache.hadoop.security.AccessControlException - if pool cannot be accessed