void checkPermission(INodeDirectory inode, int snapshotId, FsAction access) throws AccessControlException { if (dir != null && dir.isPermissionEnabled() && pc != null && !pc.isSuperUser()) { pc.checkPermission(inode, snapshotId, access); } } }
/** * Verify if the caller has the required permission. This will result into * an exception if the caller is not allowed to access the resource. */ public void checkSuperuserPrivilege() throws AccessControlException { if (!isSuperUser()) { throw new AccessControlException("Access denied for user " + getUser() + ". Superuser privilege is required"); } }
static List<XAttr> filterXAttrsForApi(FSPermissionChecker pc, List<XAttr> xAttrs, boolean isRawPath) { assert xAttrs != null : "xAttrs can not be null"; if (xAttrs.isEmpty()) { return xAttrs; } List<XAttr> filteredXAttrs = Lists.newArrayListWithCapacity(xAttrs.size()); final boolean isSuperUser = pc.isSuperUser(); for (XAttr xAttr : xAttrs) { if (xAttr.getNameSpace() == XAttr.NameSpace.USER) { filteredXAttrs.add(xAttr); } else if (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && isSuperUser) { filteredXAttrs.add(xAttr); } else if (xAttr.getNameSpace() == XAttr.NameSpace.RAW && isRawPath) { filteredXAttrs.add(xAttr); } else if (XAttrHelper.getPrefixedName(xAttr). equals(SECURITY_XATTR_UNREADABLE_BY_SUPERUSER)) { filteredXAttrs.add(xAttr); } } return filteredXAttrs; } }
void checkUnreadableBySuperuser(FSPermissionChecker pc, INodesInPath iip) throws IOException { if (pc.isSuperUser()) { if (FSDirXAttrOp.getXAttrByPrefixedName(this, iip, SECURITY_XATTR_UNREADABLE_BY_SUPERUSER) != null) { throw new AccessControlException( "Access is denied for " + pc.getUser() + " since the superuser " + "is not allowed to perform this operation."); } } }
static SnapshottableDirectoryStatus[] getSnapshottableDirListing( FSDirectory fsd, FSPermissionChecker pc, SnapshotManager snapshotManager) throws IOException { fsd.readLock(); try { final String user = pc.isSuperUser()? null : pc.getUser(); return snapshotManager.getSnapshottableDirListing(user); } finally { fsd.readUnlock(); } }
/** * Check whether current user have permissions to access the path. For more * details of the parameters, see * {@link FSPermissionChecker#checkPermission}. */ void checkPermission(FSPermissionChecker pc, INodesInPath iip, boolean doCheckOwner, FsAction ancestorAccess, FsAction parentAccess, FsAction access, FsAction subAccess, boolean ignoreEmptyDir) throws AccessControlException { if (!pc.isSuperUser()) { readLock(); try { pc.checkPermission(iip, doCheckOwner, ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir); } finally { readUnlock(); } } }
DirOp dirOp = resolveLink ? DirOp.READ : DirOp.READ_LINK; final INodesInPath iip; if (pc.isSuperUser()) {
static void checkPermissionForApi(FSPermissionChecker pc, XAttr xAttr, boolean isRawPath) throws AccessControlException { final boolean isSuperUser = pc.isSuperUser(); if (xAttr.getNameSpace() == XAttr.NameSpace.USER || (xAttr.getNameSpace() == XAttr.NameSpace.TRUSTED && isSuperUser)) { return; } if (xAttr.getNameSpace() == XAttr.NameSpace.RAW && isRawPath) { return; } if (XAttrHelper.getPrefixedName(xAttr). equals(SECURITY_XATTR_UNREADABLE_BY_SUPERUSER)) { if (xAttr.getValue() != null) { throw new AccessControlException("Attempt to set a value for '" + SECURITY_XATTR_UNREADABLE_BY_SUPERUSER + "'. Values are not allowed for this xattr."); } return; } throw new AccessControlException("User doesn't have permission for xattr: " + XAttrHelper.getPrefixedName(xAttr)); }
private static void checkXAttrChangeAccess( FSDirectory fsd, INodesInPath iip, XAttr xAttr, FSPermissionChecker pc) throws AccessControlException, FileNotFoundException { if (fsd.isPermissionEnabled() && xAttr.getNameSpace() == XAttr.NameSpace .USER) { final INode inode = iip.getLastINode(); if (inode != null && inode.isDirectory() && inode.getFsPermission().getStickyBit()) { if (!pc.isSuperUser()) { fsd.checkOwner(pc, iip); } } else { fsd.checkPathAccess(pc, iip, FsAction.WRITE); } } }
UnresolvedPathException, ParentNotDirectoryException { try { if (pc == null || pc.isSuperUser()) { checkSimpleTraverse(iip); } else {
/** * Whether a cache pool can be accessed by the current context * * @param pool CachePool being accessed * @param access type of action being performed on the cache pool * @throws AccessControlException if pool cannot be accessed */ public void checkPermission(CachePool pool, FsAction access) throws AccessControlException { FsPermission mode = pool.getMode(); if (isSuperUser()) { return; } if (getUser().equals(pool.getOwnerName()) && mode.getUserAction().implies(access)) { return; } if (isMemberOfGroup(pool.getGroupName()) && mode.getGroupAction().implies(access)) { return; } if (!getUser().equals(pool.getOwnerName()) && !isMemberOfGroup(pool.getGroupName()) && mode.getOtherAction().implies(access)) { return; } throw new AccessControlException("Permission denied while accessing pool " + pool.getPoolName() + ": user " + getUser() + " does not have " + access.toString() + " permissions."); }
static FileStatus setOwner( FSDirectory fsd, FSPermissionChecker pc, String src, String username, String group) throws IOException { if (FSDirectory.isExactReservedName(src)) { throw new InvalidPathException(src); } INodesInPath iip; fsd.writeLock(); try { iip = fsd.resolvePath(pc, src, DirOp.WRITE); fsd.checkOwner(pc, iip); if (!pc.isSuperUser()) { if (username != null && !pc.getUser().equals(username)) { throw new AccessControlException("User " + pc.getUser() + " is not a super user (non-super user cannot change owner)."); } if (group != null && !pc.isMemberOfGroup(group)) { throw new AccessControlException( "User " + pc.getUser() + " does not belong to " + group); } } unprotectedSetOwner(fsd, iip, username, group); } finally { fsd.writeUnlock(); } fsd.getEditLog().logSetOwner(iip.getPath(), username, group); return fsd.getAuditFileInfo(iip); }
static DirectoryListing getListingInt(FSDirectory fsd, FSPermissionChecker pc, final String srcArg, byte[] startAfter, boolean needLocation) throws IOException { final INodesInPath iip = fsd.resolvePath(pc, srcArg, DirOp.READ); // Get file name when startAfter is an INodePath. This is not the // common case so avoid any unnecessary processing unless required. if (startAfter.length > 0 && startAfter[0] == Path.SEPARATOR_CHAR) { final String startAfterString = DFSUtil.bytes2String(startAfter); if (FSDirectory.isReservedName(startAfterString)) { try { byte[][] components = INode.getPathComponents(startAfterString); components = FSDirectory.resolveComponents(components, fsd); startAfter = components[components.length - 1]; } catch (IOException e) { // Possibly the inode is deleted throw new DirectoryListingStartAfterNotFoundException( "Can't find startAfter " + startAfterString); } } } boolean isSuperUser = true; if (fsd.isPermissionEnabled()) { if (iip.getLastINode() != null && iip.getLastINode().isDirectory()) { fsd.checkPathAccess(pc, iip, FsAction.READ_EXECUTE); } isSuperUser = pc.isSuperUser(); } return getListing(fsd, iip, startAfter, needLocation, isSuperUser); }
/** * Verify if the caller has the required permission. This will result into * an exception if the caller is not allowed to access the resource. */ public void checkSuperuserPrivilege() throws AccessControlException { if (!isSuperUser()) { throw new AccessControlException("Access denied for user " + getUser() + ". Superuser privilege is required"); } }
/** * Verify if the caller has the required permission. This will result into * an exception if the caller is not allowed to access the resource. */ public void checkSuperuserPrivilege() throws AccessControlException { if (!isSuperUser()) { throw new AccessControlException("Access denied for user " + getUser() + ". Superuser privilege is required"); } }
private void checkUnreadableBySuperuser(FSPermissionChecker pc, INode inode, int snapshotId) throws IOException { if (pc.isSuperUser()) { for (XAttr xattr : FSDirXAttrOp.getXAttrs(dir, inode, snapshotId)) { if (XAttrHelper.getPrefixName(xattr). equals(SECURITY_XATTR_UNREADABLE_BY_SUPERUSER)) { throw new AccessControlException("Access is denied for " + pc.getUser() + " since the superuser is not allowed to " + "perform this operation."); } } } }
private void checkUnreadableBySuperuser(FSPermissionChecker pc, INode inode, int snapshotId) throws IOException { if (pc.isSuperUser()) { for (XAttr xattr : FSDirXAttrOp.getXAttrs(dir, inode, snapshotId)) { if (XAttrHelper.getPrefixName(xattr). equals(SECURITY_XATTR_UNREADABLE_BY_SUPERUSER)) { throw new AccessControlException("Access is denied for " + pc.getUser() + " since the superuser is not allowed to " + "perform this operation."); } } } }
static SnapshottableDirectoryStatus[] getSnapshottableDirListing( FSDirectory fsd, SnapshotManager snapshotManager) throws IOException { FSPermissionChecker pc = fsd.getPermissionChecker(); fsd.readLock(); try { final String user = pc.isSuperUser()? null : pc.getUser(); return snapshotManager.getSnapshottableDirListing(user); } finally { fsd.readUnlock(); } }
static SnapshottableDirectoryStatus[] getSnapshottableDirListing( FSDirectory fsd, SnapshotManager snapshotManager) throws IOException { FSPermissionChecker pc = fsd.getPermissionChecker(); fsd.readLock(); try { final String user = pc.isSuperUser()? null : pc.getUser(); return snapshotManager.getSnapshottableDirListing(user); } finally { fsd.readUnlock(); } }
private static void checkXAttrChangeAccess( FSDirectory fsd, INodesInPath iip, XAttr xAttr, FSPermissionChecker pc) throws AccessControlException, FileNotFoundException { if (fsd.isPermissionEnabled() && xAttr.getNameSpace() == XAttr.NameSpace .USER) { final INode inode = iip.getLastINode(); if (inode != null && inode.isDirectory() && inode.getFsPermission().getStickyBit()) { if (!pc.isSuperUser()) { fsd.checkOwner(pc, iip); } } else { fsd.checkPathAccess(pc, iip, FsAction.WRITE); } } }