if ((entry.getName() != null || entry.getType() == AclEntryType.GROUP)) { if (entry.getScope() == AclEntryScope.ACCESS) { FsAction entryPerm = entry.getPermission(); return entryPerm.and(permArg.getGroupAction()); } else { .getPermission(); FsAction entryPerm = entry.getPermission(); return entryPerm.and(defaultMask); return entry.getPermission();
"Missing either <acl_spec> or <path>"); aclEntries = AclEntry.parseAclSpec(args.removeFirst(), !cf.getOpt("x")); if (aclEntries.isEmpty()) { throw new HadoopIllegalArgumentException( accessAclEntries = Lists.newArrayList(); for (AclEntry entry: aclEntries) { if (entry.getScope() == AclEntryScope.ACCESS) { accessAclEntries.add(entry);
/** * Parses a string representation of an ACL spec into a list of AclEntry * objects. Example: "user::rwx,user:foo:rw-,group::r--,other::---" * The expected format of ACL entries in the string parameter is the same * format produced by the {@link #toStringStable()} method. * * @param aclSpec * String representation of an ACL spec. * @param includePermission * for setAcl operations this will be true. i.e. AclSpec should * include permissions.<br> * But for removeAcl operation it will be false. i.e. AclSpec should * not contain permissions.<br> * Example: "user:foo,group:bar" * @return Returns list of {@link AclEntry} parsed */ public static List<AclEntry> parseAclSpec(String aclSpec, boolean includePermission) { List<AclEntry> aclEntries = new ArrayList<AclEntry>(); Collection<String> aclStrings = StringUtils.getStringCollection(aclSpec, ","); for (String aclStr : aclStrings) { AclEntry aclEntry = parseAclEntry(aclStr, includePermission); aclEntries.add(aclEntry); } return aclEntries; }
/** * Prints a single extended ACL entry. If the mask restricts the * permissions of the entry, then also prints the restricted version as the * effective permissions. The mask applies to all named entries and also * the unnamed group entry. * @param aclStatus AclStatus for the path * @param fsPerm FsPermission for the path * @param entry AclEntry extended ACL entry to print */ private void printExtendedAclEntry(AclStatus aclStatus, FsPermission fsPerm, AclEntry entry) { if (entry.getName() != null || entry.getType() == AclEntryType.GROUP) { FsAction entryPerm = entry.getPermission(); FsAction effectivePerm = aclStatus .getEffectivePermission(entry, fsPerm); if (entryPerm != effectivePerm) { out.println(String.format("%s\t#effective:%s", entry, effectivePerm.SYMBOL)); } else { out.println(entry.toStringStable()); } } else { out.println(entry.toStringStable()); } } }
@Override public int compare(AclEntry entry1, AclEntry entry2) { return ComparisonChain.start() .compare(entry1.getScope(), entry2.getScope(), Ordering.explicit(ACCESS, DEFAULT)) .compare(entry1.getType(), entry2.getType(), Ordering.explicit(USER, GROUP, MASK, OTHER)) .compare(entry1.getName(), entry2.getName(), Ordering.natural().nullsFirst()) .result(); } };
AclEntryType type = entry.getType(); String name = entry.getName(); AclEntry.Builder builder = new AclEntry.Builder() .setScope(AclEntryScope.ACCESS) permission = entry.getPermission().and(childPerm.getUserAction()); } else if (type == AclEntryType.GROUP && parentDefaultIsMinimal) { permission = entry.getPermission().and(childPerm.getGroupAction()); } else if (type == AclEntryType.MASK) { permission = entry.getPermission().and(childPerm.getGroupAction()); } else if (type == AclEntryType.OTHER) { permission = entry.getPermission().and(childPerm.getOtherAction()); } else { permission = entry.getPermission();
/** * Creates a remove acl entry executor. * * @param path path to set the acl. * @param aclSpec acl parts to remove. */ public FSRemoveAclEntries(String path, String aclSpec) { this.path = new Path(path); this.aclEntries = AclEntry.parseAclSpec(aclSpec, false); }
EnumSet<AclEntryScope> scopeDirty = EnumSet.noneOf(AclEntryScope.class); for (AclEntry aclSpecEntry: aclSpec) { scopeDirty.add(aclSpecEntry.getScope()); if (aclSpecEntry.getType() == MASK) { providedMask.put(aclSpecEntry.getScope(), aclSpecEntry); maskDirty.add(aclSpecEntry.getScope()); } else { aclBuilder.add(aclSpecEntry); if (!scopeDirty.contains(existingEntry.getScope())) { if (existingEntry.getType() == MASK) { providedMask.put(existingEntry.getScope(), existingEntry); } else { aclBuilder.add(existingEntry);
@Override public boolean apply(AclEntry input) { if (input.getName() == null) { return true; } return false; } });
/** * Returns the pivot point in the list between the access entries and the * default entries. This is the index of the first element in the list that is * a default entry. * * @param aclBuilder ArrayList<AclEntry> containing entries to build * @return int pivot point, or -1 if list contains no default entries */ private static int calculatePivotOnDefaultEntries(List<AclEntry> aclBuilder) { for (int i = 0; i < aclBuilder.size(); ++i) { if (aclBuilder.get(i).getScope() == AclEntryScope.DEFAULT) { return i; } } return PIVOT_NOT_FOUND; } }
/** * Convert a List of AclEntries into a string - the reverse of parseAclSpec. * @param aclSpec List of AclEntries to convert * @return String representation of aclSpec */ public static String aclSpecToString(List<AclEntry> aclSpec) { StringBuilder buf = new StringBuilder(); for ( AclEntry e : aclSpec ) { buf.append(e.toString()); buf.append(","); } return buf.substring(0, buf.length()-1); // remove last , } }
/** * Creates the new FsPermission for an inode that is receiving a minimal ACL, * based on its access ACL entries. For a correctly sorted ACL, the owner, * group and other permissions are in order. Also preserve sticky bit and * toggle ACL bit off. * * @param accessEntries List<AclEntry> access ACL entries * @param existingPerm FsPermission existing permissions * @return FsPermission new permissions */ private static FsPermission createFsPermissionForMinimalAcl( List<AclEntry> accessEntries, FsPermission existingPerm) { return new FsPermission(accessEntries.get(0).getPermission(), accessEntries.get(1).getPermission(), accessEntries.get(2).getPermission(), existingPerm.getStickyBit()); }
if (featureEntries.get(0).getScope() == AclEntryScope.ACCESS) { inode.getFullPathName() + "(" + inode.getId() + ") " + "with featureEntries:" + featureEntries); FsAction groupPerm = featureEntries.get(groupEntryIndex).getPermission(); FsPermission newPerm = new FsPermission(perm.getUserAction(), groupPerm, perm.getOtherAction(), perm.getStickyBit());
/** * Validates Git key permissions are secure on disk and throw an exception if not. * Otherwise exit out gracefully */ void verifyKeyPermissions(FileSystem fs, Path keyPath) throws IOException, ActionExecutorException{ String failedPermsWarning = "The permissions on the access key {0} are considered insecure: {1}"; FileStatus status = fs.getFileStatus(keyPath); FsPermission perms = status.getPermission(); // check standard permissioning for other's read access if (perms.getOtherAction().and(FsAction.READ) == FsAction.READ) { throw new ActionExecutorException(ActionExecutorException.ErrorType.ERROR, "GIT012", XLog .format(failedPermsWarning, keyPath, perms.toString())); } // check if any ACLs have been specified which allow others read access if (perms.getAclBit()) { List<AclEntry> aclEntries = new ArrayList<>(fs.getAclStatus(keyPath).getEntries()); for (AclEntry acl: aclEntries) { if (acl.getType() == AclEntryType.OTHER && acl.getPermission().and(FsAction.READ) == FsAction.READ) { throw new ActionExecutorException(ActionExecutorException.ErrorType.ERROR, "GIT013", XLog .format(failedPermsWarning, keyPath, perms.toString())); } } } }
client.setAcl("/file5", AclEntry.parseAclSpec( "user::rwx,user:foo:rw-,group::r--,other::---", true)); client.removeAcl("/file5"); // SetAclOp -> MetadataUpdateEvent Event.MetadataUpdateEvent.MetadataType.ACLS); Assert.assertTrue(mue7.getAcls().contains( AclEntry.parseAclEntry("user::rwx", true)));
/** * Builds a new AclEntry populated with the set properties. * * @return AclEntry new AclEntry */ public AclEntry build() { return new AclEntry(type, name, permission, scope); } }
@Override public int compare(AclEntry entry1, AclEntry entry2) { return ComparisonChain.start() .compare(entry1.getScope(), entry2.getScope(), Ordering.explicit(ACCESS, DEFAULT)) .compare(entry1.getType(), entry2.getType(), Ordering.explicit(USER, GROUP, MASK, OTHER)) .compare(entry1.getName(), entry2.getName(), Ordering.natural().nullsFirst()) .result(); } };
/** * Prints a single extended ACL entry. If the mask restricts the * permissions of the entry, then also prints the restricted version as the * effective permissions. The mask applies to all named entries and also * the unnamed group entry. * @param aclStatus AclStatus for the path * @param fsPerm FsPermission for the path * @param entry AclEntry extended ACL entry to print */ private void printExtendedAclEntry(AclStatus aclStatus, FsPermission fsPerm, AclEntry entry) { if (entry.getName() != null || entry.getType() == AclEntryType.GROUP) { FsAction entryPerm = entry.getPermission(); FsAction effectivePerm = aclStatus .getEffectivePermission(entry, fsPerm); if (entryPerm != effectivePerm) { out.println(String.format("%s\t#effective:%s", entry, effectivePerm.SYMBOL)); } else { out.println(entry); } } else { out.println(entry); } } }
/** * Creates a modify-acl executor. * * @param path path to set the acl. * @param aclSpec acl to set. */ public FSModifyAclEntries(String path, String aclSpec) { this.path = new Path(path); this.aclEntries = AclEntry.parseAclSpec(aclSpec, true); }