/**
 * Builds the exception used when {@code operation} is attempted on the
 * read-only internal directory of a ViewFileSystem.
 *
 * @param operation name of the rejected operation, copied into the message
 * @param p path the operation was attempted on, copied into the message
 * @return a new exception; this method only creates it and does not throw
 */
static AccessControlException readOnlyMountTable(final String operation,
    final String p) {
  // NOTE(review): nothing separates the operation value from "Path=", so the
  // two fields run together in the message; anything that parses denial
  // messages out of logs has to allow for that.
  return new AccessControlException(
      "InternalDir of ViewFileSystem is readonly; operation=" + operation
      + "Path=" + p);
}

// Excerpt stops inside the parameter list of a second overload; its remaining
// parameters and body are not shown.
static AccessControlException readOnlyMountTable(final String operation,
/**
 * Builds the exception used when {@code operation} is attempted on the
 * read-only internal directory of a ViewFileSystem.
 *
 * @param operation name of the rejected operation, copied into the message
 * @param p path the operation was attempted on, copied into the message
 * @return a new exception; this method only creates it and does not throw
 */
static AccessControlException readOnlyMountTable(final String operation,
    final String p) {
  // NOTE(review): nothing separates the operation value from "Path=", so the
  // two fields run together in the message; anything that parses denial
  // messages out of logs has to allow for that.
  return new AccessControlException(
      "InternalDir of ViewFileSystem is readonly; operation=" + operation
      + "Path=" + p);
}

// Excerpt stops inside the parameter list of a second overload; its remaining
// parameters and body are not shown.
static AccessControlException readOnlyMountTable(final String operation,
// Excerpt: the enclosing method and the condition leading here are not shown.
// Raises an access-control failure whose message says the server does not
// support SASL for the value held in authMethod.
throw new AccessControlException(
    "Server does not support SASL " + authMethod);
ugi = UserGroupInformation.getCurrentUser(); if (serverId.isEmpty()) { throw new AccessControlException( "Kerberos principal name does NOT have the expected " + "hostname part: " + ugi.getUserName()); throw new AccessControlException( "Server does not support SASL " + authMethod); throw new AccessControlException( "Unable to find SASL server implementation for " + mechanism);
/**
 * Deletes {@code f} by delegating to the file system that the mount table
 * resolves it to.
 *
 * @param f path to delete
 * @param recursive passed unchanged to the target file system's delete
 * @return the value returned by the target file system's delete
 * @throws AccessControlException if {@code f} resolves to an internal mount
 *     table directory, or nothing of the path remains after resolution
 */
@Override
public boolean delete(final Path f, final boolean recursive)
    throws AccessControlException, FileNotFoundException,
    UnresolvedLinkException, IOException {
  final InodeTree.ResolveResult<AbstractFileSystem> resolved =
      fsState.resolve(getUriPath(f), true);

  final boolean internalDir = resolved.isInternalDir();
  // Reference comparison against InodeTree.SlashPath: true when the target is
  // a mount link itself.
  // NOTE(review): presumably resolve() hands back that very constant for a
  // mount link; confirm, because an equal but distinct Path would not trip
  // this guard.
  final boolean mountLinkItself =
      resolved.remainingPath == InodeTree.SlashPath;

  if (internalDir || mountLinkItself) {
    throw new AccessControlException(
        "Cannot delete internal mount table directory: " + f);
  }

  return resolved.targetFileSystem.delete(resolved.remainingPath, recursive);
}
// Excerpt: the loop or branch around these two statements is not shown.
// Adds the method of authType to serverAuthMethods.
serverAuthMethods.add(authType.getMethod());
// Fails authentication; the message lists the collected serverAuthMethods.
// Presumably reached when none of them could be used by the client --
// confirm against the full method.
throw new AccessControlException(
    "Client cannot authenticate via:" + serverAuthMethods);
/**
 * Maps the numeric {@code authType} to an {@link AuthProtocol} and rejects
 * it when it is unknown or when it is NONE while SIMPLE authentication is
 * not among the enabled methods.
 *
 * @param authType numeric auth protocol value to look up
 * @return the matching protocol
 * @throws IOException an IpcException for an unknown value, or an
 *     AccessControlException when NONE is requested but SIMPLE is disabled;
 *     either one is passed to {@code doSaslReply} before being thrown
 */
private AuthProtocol initializeAuthContext(int authType) throws IOException {
  final AuthProtocol protocol = AuthProtocol.valueOf(authType);
  if (protocol == null) {
    final IOException unknown =
        new IpcException("Unknown auth protocol:" + authType);
    doSaslReply(unknown);
    throw unknown;
  }

  final boolean simpleAllowed = enabledAuthMethods.contains(AuthMethod.SIMPLE);

  // Only NONE needs a check here. When SIMPLE is enabled nothing is sent
  // back; the reply goes out only on the rejection path.
  if (protocol == AuthProtocol.NONE && !simpleAllowed) {
    final IOException denied = new AccessControlException(
        "SIMPLE authentication is not enabled."
        + " Available:" + enabledAuthMethods);
    doSaslReply(denied);
    throw denied;
  }

  return protocol;
}
/**
 * Produces the {@link UserGroupInformation} for an authorized id.
 *
 * <p>For every auth method other than TOKEN a remote user is created from
 * the id. For TOKEN the id is turned into a token identifier through
 * {@code SaslRpcServer.getIdentifier} and the user comes from that
 * identifier.
 *
 * @param authorizedId the authorized id
 * @return the user information; for TOKEN the token identifier has been
 *     added to it
 * @throws InvalidToken declared by this method; presumably raised by the
 *     identifier lookup -- confirm
 * @throws AccessControlException if the token identifier yields no user
 */
private UserGroupInformation getAuthorizedUgi(String authorizedId)
    throws InvalidToken, AccessControlException {
  if (authMethod != AuthMethod.TOKEN) {
    return UserGroupInformation.createRemoteUser(authorizedId, authMethod);
  }

  final TokenIdentifier identifier =
      SaslRpcServer.getIdentifier(authorizedId, secretManager);
  final UserGroupInformation tokenUser = identifier.getUser();
  if (tokenUser == null) {
    // A token without a user cannot be mapped to a caller, so refuse it.
    throw new AccessControlException(
        "Can't retrieve username from tokenIdentifier.");
  }
  tokenUser.addTokenIdentifier(identifier);
  return tokenUser;
}
// Excerpt: the check that decides between these two exits is not shown.
return;
// Denial exit: the message names the requested action, the path taken from
// stat, and the user.
throw new AccessControlException("action " + action + " not permitted on path "
    + stat.getPath() + " for user " + user);
&& (renewer == null || renewer.toString().isEmpty() || !cancelerShortName .equals(renewer.toString()))) { throw new AccessControlException(canceller + " is not authorized to cancel the token " + formatTokenId(id));
new AccessControlException("Authenticated user (" + user + ") doesn't match what the client claims to be (" + protocolUser + ")"));
// Excerpt: the enclosing method is not shown.
// Formats the denial as user, quoted path, then owner:group:type followed by
// perm, where type is "d" for a directory and "-" otherwise.
throw new AccessControlException(String.format(
    "Permission denied: user=%s, path=\"%s\":%s:%s:%s%s",
    user, stat.getPath(), stat.getOwner(), stat.getGroup(),
    stat.isDirectory() ? "d" : "-", perm));
// Excerpt: three separate rejections from a token-renewal path; the
// conditions that select each one are not shown.

// Message reports a renewal attempt on a token that has no renewer.
throw new AccessControlException(renewer
    + " tried to renew a token " + formatTokenId(id)
    + " without a renewer");

// Message reports that the caller does not match the renewer recorded in the
// token, and prints id.getRenewer().
throw new AccessControlException(renewer
    + " tries to renew a token " + formatTokenId(id)
    + " with non-matching renewer " + id.getRenewer());

// Message reports a wrong password for the renewal attempt.
throw new AccessControlException(renewer
    + " is trying to renew a token " + formatTokenId(id)
    + " with wrong password");
/**
 * Renames {@code src} to {@code dst} by resolving both through the mount
 * table and delegating to the file system behind the source.
 *
 * @param src path to rename
 * @param dst new path
 * @param overwrite passed unchanged to the underlying rename
 * @throws AccessControlException if either path resolves to an internal
 *     directory of the mount table
 * @throws IOException declared by this method; the rename strategy check and
 *     the delegated rename are the calls that can raise it
 */
@Override
public void renameInternal(final Path src, final Path dst,
    final boolean overwrite) throws IOException, UnresolvedLinkException {
  // Both paths are resolved with the last-component flag set to false, so a
  // rename aimed at a mount point itself is seen as an internal operation
  // and refused below.
  final InodeTree.ResolveResult<AbstractFileSystem> from =
      fsState.resolve(getUriPath(src), false);
  if (from.isInternalDir()) {
    throw new AccessControlException(
        "Cannot Rename within internal dirs of mount table: src=" + src
        + " is readOnly");
  }

  final InodeTree.ResolveResult<AbstractFileSystem> to =
      fsState.resolve(getUriPath(dst), false);
  if (to.isInternalDir()) {
    throw new AccessControlException(
        "Cannot Rename within internal dirs of mount table: dest=" + dst
        + " is readOnly");
  }

  // The configured strategy decides whether these two targets may be renamed
  // across; the third argument says whether both sides resolved to the same
  // target file system object.
  ViewFileSystem.verifyRenameStrategy(
      from.targetFileSystem.getUri(),
      to.targetFileSystem.getUri(),
      from.targetFileSystem == to.targetFileSystem,
      renameStrategy);

  // NOTE(review): unchecked casts; a target of any other type raises
  // ClassCastException here -- confirm every mount target is a ChRootedFs.
  final ChRootedFs sourceFs = (ChRootedFs) from.targetFileSystem;
  final ChRootedFs destFs = (ChRootedFs) to.targetFileSystem;

  sourceFs.getMyFs().renameInternal(
      sourceFs.fullPath(from.remainingPath),
      destFs.fullPath(to.remainingPath),
      overwrite);
}
if (sentNegotiate) { throw new AccessControlException( "Client already attempted negotiation"); if (!negotiateResponse.getAuthsList().contains(clientSaslAuth)) { if (sentNegotiate) { throw new AccessControlException( clientSaslAuth.getMethod() + " authentication is not enabled." + " Available:" + enabledAuthMethods);
/**
 * Authorizes the current user for {@code getBlockLocalPathInfo()}.
 *
 * <p>Runs {@code checkKerberosAuthMethod} first, then requires the short
 * name of the current user to be present in {@code usersWithLocalPathAccess}.
 *
 * @throws AccessControlException if the current user is not in that set
 * @throws IOException declared by this method; the Kerberos check and the
 *     current-user lookup are the calls that can raise it
 */
private void checkBlockLocalPathAccess() throws IOException {
  checkKerberosAuthMethod("getBlockLocalPathInfo()");

  final String caller =
      UserGroupInformation.getCurrentUser().getShortUserName();
  if (usersWithLocalPathAccess.contains(caller)) {
    return;
  }

  // The message names the configuration key so an operator can see which
  // setting controls this access.
  throw new AccessControlException(
      "Can't continue with getBlockLocalPathInfo() "
      + "authorization. The user " + caller
      + " is not configured in "
      + DFSConfigKeys.DFS_BLOCK_LOCAL_PATH_ACCESS_USER_KEY);
}
/**
 * Verifies that the caller holds superuser privilege.
 *
 * @throws AccessControlException if {@code isSuperUser()} is false; the
 *     message names the user returned by {@code getUser()}
 */
public void checkSuperuserPrivilege() throws AccessControlException {
  if (isSuperUser()) {
    return;
  }
  throw new AccessControlException(
      "Access denied for user " + getUser()
      + ". Superuser privilege is required");
}
/**
 * Requires the current user to be the owner of the inode at index
 * {@code i}. Guarded by {@link FSNamesystem#readLock()}.
 *
 * @param inodes attributes of the inodes, indexed by {@code i}
 * @param components path components, used only to build the message
 * @param i index of the inode whose owner is checked
 * @throws AccessControlException if {@code getUser()} does not equal the
 *     inode's user name
 */
private void checkOwner(INodeAttributes[] inodes, byte[][] components, int i)
    throws AccessControlException {
  final boolean ownsInode = getUser().equals(inodes[i].getUserName());
  if (!ownsInode) {
    throw new AccessControlException(
        "Permission denied. user=" + getUser()
        + " is not the owner of inode=" + getPath(components, 0, i));
  }
}
/**
 * Checks {@code access} on the inode at index {@code i}, if there is one.
 * Guarded by {@link FSNamesystem#readLock()}.
 *
 * @param inodes attributes of the inodes, indexed by {@code i}
 * @param components path components, used only to build the message
 * @param i index of the inode to check; a negative value skips the check
 * @param access the action being requested
 * @throws AccessControlException if the inode exists and
 *     {@code hasPermission} rejects the access
 */
private void check(INodeAttributes[] inodes, byte[][] components, int i,
    FsAction access) throws AccessControlException {
  // A negative index or an empty slot means there is no inode to check, and
  // the call returns without enforcing anything.
  if (i < 0) {
    return;
  }
  final INodeAttributes target = inodes[i];
  if (target == null || hasPermission(target, access)) {
    return;
  }
  throw new AccessControlException(
      toAccessControlString(target, getPath(components, 0, i), access));
}
/**
 * Refuses the operation when the caller is a superuser and the lookup of
 * {@code SECURITY_XATTR_UNREADABLE_BY_SUPERUSER} for {@code iip} returns a
 * value. Callers that are not superusers pass through without any check
 * here.
 *
 * @param pc permission checker describing the caller
 * @param iip the inodes in the path being accessed
 * @throws AccessControlException if the caller is a superuser and the
 *     extended attribute is present
 * @throws IOException declared by this method; the attribute lookup is the
 *     call that can raise it
 */
void checkUnreadableBySuperuser(FSPermissionChecker pc, INodesInPath iip)
    throws IOException {
  if (!pc.isSuperUser()) {
    return;
  }

  final boolean markedUnreadable = FSDirXAttrOp.getXAttrByPrefixedName(
      this, iip, SECURITY_XATTR_UNREADABLE_BY_SUPERUSER) != null;
  if (markedUnreadable) {
    throw new AccessControlException(
        "Access is denied for " + pc.getUser() + " since the superuser "
        + "is not allowed to perform this operation.");
  }
}