HDFS-14743. Enhance INodeAttributeProvider/ AccessControlEnforcer Interface in HDFS to support Authorization of mkdir, rm, rmdir, copy, move etc... (#1829)

Reviewed-by: Xiaoyu Yao <xyao@apache.org>
This commit is contained in:
Wei-Chiu Chuang 2020-03-13 11:29:44 -07:00 committed by GitHub
parent cd91ef649e
commit 4b95c242ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 703 additions and 16 deletions

View File

@ -1982,6 +1982,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2012,6 +2013,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2039,6 +2041,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
GetBlockLocationsResult res = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
final INode inode;
try {
readLock();
@ -2149,6 +2152,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "concat";
FileStatus stat = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkOperation(OperationCategory.WRITE);
try {
writeLock();
@ -2178,6 +2182,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2220,6 +2225,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
}
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
writeLock();
BlocksMapUpdateInfo toRemoveBlocks = new BlocksMapUpdateInfo();
try {
@ -2255,6 +2261,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
}
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2293,6 +2300,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2326,6 +2334,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2408,6 +2417,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -2435,6 +2445,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
BlockStoragePolicy getStoragePolicy(String src) throws IOException {
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
readLock();
try {
checkOperation(OperationCategory.READ);
@ -2462,6 +2473,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
long getPreferredBlockSize(String src) throws IOException {
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
readLock();
try {
checkOperation(OperationCategory.READ);
@ -2575,6 +2587,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -2670,6 +2683,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean skipSync = false;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -2810,6 +2824,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
LastBlockWithStatus lbs = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -2866,6 +2881,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FSDirWriteFileOp.ValidateAddBlockResult r;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
readLock();
try {
checkOperation(OperationCategory.READ);
@ -2916,6 +2932,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final BlockType blockType;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
readLock();
try {
checkOperation(OperationCategory.READ);
@ -2964,6 +2981,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
"BLOCK* NameSystem.abandonBlock: {} of file {}", b, src);
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -3029,6 +3047,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -3108,6 +3127,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FSDirRenameOp.RenameResult ret = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -3136,6 +3156,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FSDirRenameOp.RenameResult res = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -3175,6 +3196,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
BlocksMapUpdateInfo toRemovedBlocks = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
boolean ret = false;
try {
writeLock();
@ -3283,6 +3305,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
HdfsFileStatus stat = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -3307,6 +3330,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "isFileClosed";
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
boolean success = false;
try {
readLock();
@ -3335,6 +3359,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -3373,6 +3398,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "contentSummary";
ContentSummary cs;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -3408,6 +3434,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "quotaUsage";
QuotaUsage quotaUsage;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -3439,6 +3466,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.WRITE);
final String operationName = getQuotaCommand(nsQuota, ssQuota);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
checkSuperuserPrivilege(pc);
writeLock();
@ -3471,6 +3499,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
NameNode.stateChangeLog.info("BLOCK* fsync: " + src + " for " + clientName);
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(null);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -3973,6 +4002,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "listStatus";
DirectoryListing dl = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -6793,6 +6823,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "createSnapshot";
String snapshotPath = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -6829,6 +6860,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
String oldSnapshotRoot = Snapshot.getSnapshotPath(path, snapshotOldName);
String newSnapshotRoot = Snapshot.getSnapshotPath(path, snapshotNewName);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -6862,6 +6894,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
SnapshottableDirectoryStatus[] status = null;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -6905,6 +6938,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
String toSnapshotRoot = (toSnapshot == null || toSnapshot.isEmpty()) ?
path : Snapshot.getSnapshotPath(path, toSnapshot);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
long actualTime = Time.monotonicNow();
try {
readLock();
@ -6978,6 +7012,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
(toSnapshot == null || toSnapshot.isEmpty()) ? path :
Snapshot.getSnapshotPath(path, toSnapshot);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -7012,6 +7047,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
String rootPath = null;
BlocksMapUpdateInfo blocksToBeDeleted = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkOperation(OperationCategory.WRITE);
try {
writeLock();
@ -7307,6 +7343,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
cacheManager.waitForRescanIfNeeded();
}
checkOperation(OperationCategory.WRITE);
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7334,6 +7371,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
if (!flags.contains(CacheFlag.FORCE)) {
cacheManager.waitForRescanIfNeeded();
}
FSPermissionChecker.setOperationType(operationName);
checkOperation(OperationCategory.WRITE);
try {
writeLock();
@ -7359,6 +7397,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "removeCacheDirective";
String idStr = "{id: " + Long.toString(id) + "}";
checkOperation(OperationCategory.WRITE);
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7381,6 +7420,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
long startId, CacheDirectiveInfo filter) throws IOException {
final String operationName = "listCacheDirectives";
checkOperation(OperationCategory.READ);
FSPermissionChecker.setOperationType(operationName);
BatchedListEntries<CacheDirectiveEntry> results;
cacheManager.waitForRescanIfNeeded();
try {
@ -7482,6 +7522,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "listCachePools";
BatchedListEntries<CachePoolEntry> results;
checkOperation(OperationCategory.READ);
FSPermissionChecker.setOperationType(operationName);
cacheManager.waitForRescanIfNeeded();
try {
readLock();
@ -7505,6 +7546,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7528,6 +7570,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.WRITE);
FileStatus auditStat = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7550,6 +7593,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7572,6 +7616,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7594,6 +7639,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -7616,6 +7662,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
final AclStatus ret;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -7652,6 +7699,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
Metadata metadata = FSDirEncryptionZoneOp.ensureKeyIsInitialized(dir,
keyName, src);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkSuperuserPrivilege(pc);
checkOperation(OperationCategory.WRITE);
writeLock();
@ -7685,6 +7733,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus resultingStat = null;
EncryptionZone encryptionZone;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkOperation(OperationCategory.READ);
try {
readLock();
@ -7711,6 +7760,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkSuperuserPrivilege(pc);
readLock();
try {
@ -7748,6 +7798,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
checkSuperuserPrivilege(pc);
readLock();
try {
@ -7834,6 +7885,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkErasureCodingSupported(operationName);
FileStatus resultingStat = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -8002,6 +8054,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkErasureCodingSupported(operationName);
FileStatus resultingStat = null;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
writeLock();
try {
checkOperation(OperationCategory.WRITE);
@ -8067,6 +8120,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
checkErasureCodingSupported(operationName);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
readLock();
try {
checkOperation(OperationCategory.READ);
@ -8129,6 +8183,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -8153,6 +8208,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
List<XAttr> fsXattrs;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -8174,6 +8230,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
checkOperation(OperationCategory.READ);
List<XAttr> fsXattrs;
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {
@ -8196,6 +8253,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
FileStatus auditStat = null;
checkOperation(OperationCategory.WRITE);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
writeLock();
try {
@ -8241,6 +8299,7 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
final String operationName = "checkAccess";
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
FSPermissionChecker.setOperationType(operationName);
try {
readLock();
try {

View File

@ -24,6 +24,7 @@ import java.util.List;
import java.util.Stack;
import com.google.common.base.Preconditions;
import org.apache.hadoop.ipc.CallerContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.fs.FSExceptionMessages;
@ -84,11 +85,15 @@ public class FSPermissionChecker implements AccessControlEnforcer {
private final Collection<String> groups;
private final boolean isSuper;
private final INodeAttributeProvider attributeProvider;
private final boolean authorizeWithContext;
private static ThreadLocal<String> operationType = new ThreadLocal<>();
protected FSPermissionChecker(String fsOwner, String supergroup,
UserGroupInformation callerUgi,
INodeAttributeProvider attributeProvider) {
boolean useNewAuthorizationWithContextAPI;
this.fsOwner = fsOwner;
this.supergroup = supergroup;
this.callerUgi = callerUgi;
@ -96,6 +101,41 @@ public class FSPermissionChecker implements AccessControlEnforcer {
user = callerUgi.getShortUserName();
isSuper = user.equals(fsOwner) || groups.contains(supergroup);
this.attributeProvider = attributeProvider;
// If the AccessControlEnforcer supports context enrichment, call
// the new API. Otherwise choose the old API.
Class[] cArg = new Class[1];
cArg[0] = INodeAttributeProvider.AuthorizationContext.class;
AccessControlEnforcer ace;
if (attributeProvider == null) {
// If attribute provider is null, use FSPermissionChecker default
// implementation to authorize, which supports authorization with context.
useNewAuthorizationWithContextAPI = true;
LOG.info("Default authorization provider supports the new authorization" +
" provider API");
} else {
ace = attributeProvider.getExternalAccessControlEnforcer(this);
// if the runtime external authorization provider doesn't support
// checkPermissionWithContext(), fall back to the old API
// checkPermission().
try {
Class<?> clazz = ace.getClass();
clazz.getDeclaredMethod("checkPermissionWithContext", cArg);
useNewAuthorizationWithContextAPI = true;
LOG.info("Use the new authorization provider API");
} catch (NoSuchMethodException e) {
useNewAuthorizationWithContextAPI = false;
LOG.info("Fallback to the old authorization provider API because " +
"the expected method is not found.");
}
}
authorizeWithContext = useNewAuthorizationWithContextAPI;
}
public static void setOperationType(String opType) {
operationType.set(opType);
}
public boolean isMemberOfGroup(String group) {
@ -190,11 +230,37 @@ public class FSPermissionChecker implements AccessControlEnforcer {
int ancestorIndex = inodes.length - 2;
AccessControlEnforcer enforcer = getAccessControlEnforcer();
enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes,
components, snapshotId, path, ancestorIndex, doCheckOwner,
String opType = operationType.get();
if (this.authorizeWithContext && opType != null) {
INodeAttributeProvider.AuthorizationContext.Builder builder =
new INodeAttributeProvider.AuthorizationContext.Builder();
builder.fsOwner(fsOwner).
supergroup(supergroup).
callerUgi(callerUgi).
inodeAttrs(inodeAttrs).
inodes(inodes).
pathByNameArr(components).
snapshotId(snapshotId).
path(path).
ancestorIndex(ancestorIndex).
doCheckOwner(doCheckOwner).
ancestorAccess(ancestorAccess).
parentAccess(parentAccess).
access(access).
subAccess(subAccess).
ignoreEmptyDir(ignoreEmptyDir).
operationName(opType).
callerContext(CallerContext.getCurrent());
enforcer.checkPermissionWithContext(builder.build());
} else {
enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs,
inodes, components, snapshotId, path, ancestorIndex, doCheckOwner,
ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
}
}
/**
* Check permission only for the given inode (not checking the children's
* access).
@ -212,6 +278,33 @@ public class FSPermissionChecker implements AccessControlEnforcer {
try {
INodeAttributes[] iNodeAttr = {nodeAttributes};
AccessControlEnforcer enforcer = getAccessControlEnforcer();
String opType = operationType.get();
if (this.authorizeWithContext && opType != null) {
INodeAttributeProvider.AuthorizationContext.Builder builder =
new INodeAttributeProvider.AuthorizationContext.Builder();
builder.fsOwner(fsOwner)
.supergroup(supergroup)
.callerUgi(callerUgi)
.inodeAttrs(iNodeAttr) // single inode attr in the array
.inodes(new INode[] { inode }) // single inode attr in the array
.pathByNameArr(pathComponents)
.snapshotId(snapshotId)
.path(null)
.ancestorIndex(-1) // this will skip checkTraverse()
// because not checking ancestor here
.doCheckOwner(false)
.ancestorAccess(null)
.parentAccess(null)
.access(access) // the target access to be checked against
// the inode
.subAccess(null) // passing null sub access avoids checking
// children
.ignoreEmptyDir(false)
.operationName(opType)
.callerContext(CallerContext.getCurrent());
enforcer.checkPermissionWithContext(builder.build());
} else {
enforcer.checkPermission(
fsOwner, supergroup, callerUgi,
iNodeAttr, // single inode attr in the array
@ -223,6 +316,7 @@ public class FSPermissionChecker implements AccessControlEnforcer {
access, // the target access to be checked against the inode
null, // passing null sub access avoids checking children
false);
}
} catch (AccessControlException ace) {
throw new AccessControlException(
toAccessControlString(nodeAttributes, inode.getFullPathName(),
@ -273,6 +367,22 @@ public class FSPermissionChecker implements AccessControlEnforcer {
}
}
@Override
public void checkPermissionWithContext(
INodeAttributeProvider.AuthorizationContext authzContext)
throws AccessControlException {
// The default authorization provider does not use the additional context
// parameters including operationName and callerContext.
this.checkPermission(authzContext.getFsOwner(),
authzContext.getSupergroup(), authzContext.getCallerUgi(),
authzContext.getInodeAttrs(), authzContext.getInodes(),
authzContext.getPathByNameArr(), authzContext.getSnapshotId(),
authzContext.getPath(), authzContext.getAncestorIndex(),
authzContext.isDoCheckOwner(), authzContext.getAncestorAccess(),
authzContext.getParentAccess(), authzContext.getAccess(),
authzContext.getSubAccess(), authzContext.isIgnoreEmptyDir());
}
private INodeAttributes getINodeAttrs(byte[][] pathByNameArr, int pathIdx,
INode inode, int snapshotId) {
INodeAttributes inodeAttrs = inode.getSnapshotINode(snapshotId);

View File

@ -17,19 +17,340 @@
*/
package org.apache.hadoop.hdfs.server.namenode;
import com.google.common.annotations.VisibleForTesting;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.ipc.CallerContext;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import java.util.Arrays;
@InterfaceAudience.Public
@InterfaceStability.Unstable
public abstract class INodeAttributeProvider {
public static class AuthorizationContext {
private String fsOwner;
private String supergroup;
private UserGroupInformation callerUgi;
private INodeAttributes[] inodeAttrs;
private INode[] inodes;
private byte[][] pathByNameArr;
private int snapshotId;
private String path;
private int ancestorIndex;
private boolean doCheckOwner;
private FsAction ancestorAccess;
private FsAction parentAccess;
private FsAction access;
private FsAction subAccess;
private boolean ignoreEmptyDir;
private String operationName;
private CallerContext callerContext;
public String getFsOwner() {
return fsOwner;
}
public void setFsOwner(String fsOwner) {
this.fsOwner = fsOwner;
}
public String getSupergroup() {
return supergroup;
}
public void setSupergroup(String supergroup) {
this.supergroup = supergroup;
}
public UserGroupInformation getCallerUgi() {
return callerUgi;
}
public void setCallerUgi(UserGroupInformation callerUgi) {
this.callerUgi = callerUgi;
}
public INodeAttributes[] getInodeAttrs() {
return inodeAttrs;
}
public void setInodeAttrs(INodeAttributes[] inodeAttrs) {
this.inodeAttrs = inodeAttrs;
}
public INode[] getInodes() {
return inodes;
}
public void setInodes(INode[] inodes) {
this.inodes = inodes;
}
public byte[][] getPathByNameArr() {
return pathByNameArr;
}
public void setPathByNameArr(byte[][] pathByNameArr) {
this.pathByNameArr = pathByNameArr;
}
public int getSnapshotId() {
return snapshotId;
}
public void setSnapshotId(int snapshotId) {
this.snapshotId = snapshotId;
}
public String getPath() {
return path;
}
public void setPath(String path) {
this.path = path;
}
public int getAncestorIndex() {
return ancestorIndex;
}
public void setAncestorIndex(int ancestorIndex) {
this.ancestorIndex = ancestorIndex;
}
public boolean isDoCheckOwner() {
return doCheckOwner;
}
public void setDoCheckOwner(boolean doCheckOwner) {
this.doCheckOwner = doCheckOwner;
}
public FsAction getAncestorAccess() {
return ancestorAccess;
}
public void setAncestorAccess(FsAction ancestorAccess) {
this.ancestorAccess = ancestorAccess;
}
public FsAction getParentAccess() {
return parentAccess;
}
public void setParentAccess(FsAction parentAccess) {
this.parentAccess = parentAccess;
}
public FsAction getAccess() {
return access;
}
public void setAccess(FsAction access) {
this.access = access;
}
public FsAction getSubAccess() {
return subAccess;
}
public void setSubAccess(FsAction subAccess) {
this.subAccess = subAccess;
}
public boolean isIgnoreEmptyDir() {
return ignoreEmptyDir;
}
public void setIgnoreEmptyDir(boolean ignoreEmptyDir) {
this.ignoreEmptyDir = ignoreEmptyDir;
}
public String getOperationName() {
return operationName;
}
public void setOperationName(String operationName) {
this.operationName = operationName;
}
public CallerContext getCallerContext() {
return callerContext;
}
public void setCallerContext(CallerContext callerContext) {
this.callerContext = callerContext;
}
public static class Builder {
private String fsOwner;
private String supergroup;
private UserGroupInformation callerUgi;
private INodeAttributes[] inodeAttrs;
private INode[] inodes;
private byte[][] pathByNameArr;
private int snapshotId;
private String path;
private int ancestorIndex;
private boolean doCheckOwner;
private FsAction ancestorAccess;
private FsAction parentAccess;
private FsAction access;
private FsAction subAccess;
private boolean ignoreEmptyDir;
private String operationName;
private CallerContext callerContext;
public AuthorizationContext build() {
return new AuthorizationContext(this);
}
public Builder fsOwner(String val) {
this.fsOwner = val;
return this;
}
public Builder supergroup(String val) {
this.supergroup = val;
return this;
}
public Builder callerUgi(UserGroupInformation val) {
this.callerUgi = val;
return this;
}
public Builder inodeAttrs(INodeAttributes[] val) {
this.inodeAttrs = val;
return this;
}
public Builder inodes(INode[] val) {
this.inodes = val;
return this;
}
public Builder pathByNameArr(byte[][] val) {
this.pathByNameArr = val;
return this;
}
public Builder snapshotId(int val) {
this.snapshotId = val;
return this;
}
public Builder path(String val) {
this.path = val;
return this;
}
public Builder ancestorIndex(int val) {
this.ancestorIndex = val;
return this;
}
public Builder doCheckOwner(boolean val) {
this.doCheckOwner = val;
return this;
}
public Builder ancestorAccess(FsAction val) {
this.ancestorAccess = val;
return this;
}
public Builder parentAccess(FsAction val) {
this.parentAccess = val;
return this;
}
public Builder access(FsAction val) {
this.access = val;
return this;
}
public Builder subAccess(FsAction val) {
this.subAccess = val;
return this;
}
public Builder ignoreEmptyDir(boolean val) {
this.ignoreEmptyDir = val;
return this;
}
public Builder operationName(String val) {
this.operationName = val;
return this;
}
public Builder callerContext(CallerContext val) {
this.callerContext = val;
return this;
}
}
public AuthorizationContext(Builder builder) {
this.setFsOwner(builder.fsOwner);
this.setSupergroup(builder.supergroup);
this.setCallerUgi(builder.callerUgi);
this.setInodeAttrs(builder.inodeAttrs);
this.setInodes(builder.inodes);
this.setPathByNameArr(builder.pathByNameArr);
this.setSnapshotId(builder.snapshotId);
this.setPath(builder.path);
this.setAncestorIndex(builder.ancestorIndex);
this.setDoCheckOwner(builder.doCheckOwner);
this.setAncestorAccess(builder.ancestorAccess);
this.setParentAccess(builder.parentAccess);
this.setAccess(builder.access);
this.setSubAccess(builder.subAccess);
this.setIgnoreEmptyDir(builder.ignoreEmptyDir);
this.setOperationName(builder.operationName);
this.setCallerContext(builder.callerContext);
}
@VisibleForTesting
@Override
public boolean equals(Object obj) {
if (obj == this) {
return true;
} else if (obj == null || getClass() != obj.getClass()) {
return false;
}
AuthorizationContext other = (AuthorizationContext)obj;
return getFsOwner().equals(other.getFsOwner()) &&
getSupergroup().equals(other.getSupergroup()) &&
getCallerUgi().equals(other.getCallerUgi()) &&
Arrays.deepEquals(getInodeAttrs(), other.getInodeAttrs()) &&
Arrays.deepEquals(getInodes(), other.getInodes()) &&
Arrays.deepEquals(getPathByNameArr(), other.getPathByNameArr()) &&
getSnapshotId() == other.getSnapshotId() &&
getPath().equals(other.getPath()) &&
getAncestorIndex() == other.getAncestorIndex() &&
isDoCheckOwner() == other.isDoCheckOwner() &&
getAncestorAccess() == other.getAncestorAccess() &&
getParentAccess() == other.getParentAccess() &&
getAccess() == other.getAccess() &&
getSubAccess() == other.getSubAccess() &&
isIgnoreEmptyDir() == other.isIgnoreEmptyDir();
}
@Override
public int hashCode() {
assert false : "hashCode not designed";
return 42; // any arbitrary constant will do
}
}
/**
* The AccessControlEnforcer allows implementations to override the
* default File System permission checking logic enforced on a file system
@ -39,7 +360,7 @@ public abstract class INodeAttributeProvider {
/**
* Checks permission on a file system object. Has to throw an Exception
* if the filesystem object is not accessessible by the calling Ugi.
* if the filesystem object is not accessible by the calling Ugi.
* @param fsOwner Filesystem owner (The Namenode user)
* @param supergroup super user geoup
* @param callerUgi UserGroupInformation of the caller
@ -58,6 +379,8 @@ public abstract class INodeAttributeProvider {
* the path and all the sub-directories. If path is not a
* directory, there should ideally be no effect.
* @param ignoreEmptyDir Ignore permission checking for empty directory?
* @deprecated use{@link #checkPermissionWithContext(AuthorizationContext)}}
* instead
* @throws AccessControlException
*/
public abstract void checkPermission(String fsOwner, String supergroup,
@ -68,6 +391,16 @@ public abstract class INodeAttributeProvider {
boolean ignoreEmptyDir)
throws AccessControlException;
/**
* Checks permission on a file system object. Has to throw an Exception
* if the filesystem object is not accessessible by the calling Ugi.
* @param authzContext an {@link AuthorizationContext} object encapsulating
* the various parameters required to authorize an
* operation.
* @throws AccessControlException
*/
void checkPermissionWithContext(AuthorizationContext authzContext)
throws AccessControlException;
}
/**
* Initialize the provider. This method is called at NameNode startup

View File

@ -565,6 +565,8 @@ public class NamenodeFsck implements DataEncryptionKeyFactory {
long fileLen = file.getLen();
LocatedBlocks blocks = null;
final FSNamesystem fsn = namenode.getNamesystem();
final String operationName = "fsckGetBlockLocations";
FSPermissionChecker.setOperationType(operationName);
fsn.readLock();
try {
blocks = FSDirStatAndListingOp.getBlockLocations(
@ -574,7 +576,7 @@ public class NamenodeFsck implements DataEncryptionKeyFactory {
} catch (FileNotFoundException fnfe) {
blocks = null;
} finally {
fsn.readUnlock("fsckGetBlockLocations");
fsn.readUnlock(operationName);
}
return blocks;
}

View File

@ -83,6 +83,9 @@ public class NameNodeAdapter {
IOException {
final FSPermissionChecker pc =
namenode.getNamesystem().getPermissionChecker();
// consistent with FSNamesystem#getFileInfo()
final String operationName = needBlockToken ? "open" : "getfileinfo";
FSPermissionChecker.setOperationType(operationName);
namenode.getNamesystem().readLock();
try {
return FSDirStatAndListingOp.getFileInfo(namenode.getNamesystem()

View File

@ -0,0 +1,167 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.server.namenode;
import org.apache.hadoop.ipc.CallerContext;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.Before;
import org.junit.Test;
import java.io.IOException;
import static junit.framework.TestCase.assertEquals;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
public class TestAuthorizationContext {
private String fsOwner = "hdfs";
private String superGroup = "hdfs";
private UserGroupInformation ugi = UserGroupInformation.
createUserForTesting(fsOwner, new String[] {superGroup});
private INodeAttributes[] emptyINodeAttributes = new INodeAttributes[] {};
private INodesInPath iip = mock(INodesInPath.class);
private int snapshotId = 0;
private INode[] inodes = new INode[] {};
private byte[][] components = new byte[][] {};
private String path = "";
private int ancestorIndex = inodes.length - 2;
@Before
public void setUp() throws IOException {
when(iip.getPathSnapshotId()).thenReturn(snapshotId);
when(iip.getINodesArray()).thenReturn(inodes);
when(iip.getPathComponents()).thenReturn(components);
when(iip.getPath()).thenReturn(path);
}
@Test
public void testBuilder() {
String opType = "test";
CallerContext.setCurrent(new CallerContext.Builder(
"TestAuthorizationContext").build());
INodeAttributeProvider.AuthorizationContext.Builder builder =
new INodeAttributeProvider.AuthorizationContext.Builder();
builder.fsOwner(fsOwner).
supergroup(superGroup).
callerUgi(ugi).
inodeAttrs(emptyINodeAttributes).
inodes(inodes).
pathByNameArr(components).
snapshotId(snapshotId).
path(path).
ancestorIndex(ancestorIndex).
doCheckOwner(true).
ancestorAccess(null).
parentAccess(null).
access(null).
subAccess(null).
ignoreEmptyDir(true).
operationName(opType).
callerContext(CallerContext.getCurrent());
INodeAttributeProvider.AuthorizationContext authzContext = builder.build();
assertEquals(authzContext.getFsOwner(), fsOwner);
assertEquals(authzContext.getSupergroup(), superGroup);
assertEquals(authzContext.getCallerUgi(), ugi);
assertEquals(authzContext.getInodeAttrs(), emptyINodeAttributes);
assertEquals(authzContext.getInodes(), inodes);
assertEquals(authzContext.getPathByNameArr(), components);
assertEquals(authzContext.getSnapshotId(), snapshotId);
assertEquals(authzContext.getPath(), path);
assertEquals(authzContext.getAncestorIndex(), ancestorIndex);
assertEquals(authzContext.getOperationName(), opType);
assertEquals(authzContext.getCallerContext(), CallerContext.getCurrent());
}
@Test
public void testLegacyAPI() throws IOException {
INodeAttributeProvider.AccessControlEnforcer
mockEnforcer = mock(INodeAttributeProvider.AccessControlEnforcer.class);
INodeAttributeProvider mockINodeAttributeProvider =
mock(INodeAttributeProvider.class);
when(mockINodeAttributeProvider.getExternalAccessControlEnforcer(any())).
thenReturn(mockEnforcer);
FSPermissionChecker checker = new FSPermissionChecker(
fsOwner, superGroup, ugi, mockINodeAttributeProvider);
// set operation type to null to force using the legacy API.
FSPermissionChecker.setOperationType(null);
when(iip.getPathSnapshotId()).thenReturn(snapshotId);
when(iip.getINodesArray()).thenReturn(inodes);
when(iip.getPathComponents()).thenReturn(components);
when(iip.getPath()).thenReturn(path);
checker.checkPermission(iip, true, null, null, null, null, true);
verify(mockEnforcer).checkPermission(fsOwner, superGroup, ugi,
emptyINodeAttributes, inodes, components, snapshotId, path,
ancestorIndex, true, null, null, null, null, true);
}
@Test
public void testCheckPermissionWithContextAPI() throws IOException {
INodeAttributeProvider.AccessControlEnforcer
mockEnforcer = mock(INodeAttributeProvider.AccessControlEnforcer.class);
INodeAttributeProvider mockINodeAttributeProvider =
mock(INodeAttributeProvider.class);
when(mockINodeAttributeProvider.getExternalAccessControlEnforcer(any())).
thenReturn(mockEnforcer);
FSPermissionChecker checker = new FSPermissionChecker(
fsOwner, superGroup, ugi, mockINodeAttributeProvider);
// force it to use the new, checkPermissionWithContext API.
String operationName = "abc";
FSPermissionChecker.setOperationType(operationName);
checker.checkPermission(iip, true,
null, null, null,
null, true);
INodeAttributeProvider.AuthorizationContext.Builder builder =
new INodeAttributeProvider.AuthorizationContext.Builder();
builder.fsOwner(fsOwner).
supergroup(superGroup).
callerUgi(ugi).
inodeAttrs(emptyINodeAttributes).
inodes(inodes).
pathByNameArr(components).
snapshotId(snapshotId).
path(path).
ancestorIndex(ancestorIndex).
doCheckOwner(true).
ancestorAccess(null).
parentAccess(null).
access(null).
subAccess(null).
ignoreEmptyDir(true).
operationName(operationName).
callerContext(CallerContext.getCurrent());
INodeAttributeProvider.AuthorizationContext context = builder.build();
// the AuthorizationContext.equals() method is override to always return
// true as long as it is compared with another AuthorizationContext object.
verify(mockEnforcer).checkPermissionWithContext(context);
}
}

View File

@ -81,6 +81,19 @@ public class TestINodeAttributeProvider {
}
CALLED.add("checkPermission|" + ancestorAccess + "|" + parentAccess + "|" + access);
}
@Override
public void checkPermissionWithContext(
AuthorizationContext authzContext) throws AccessControlException {
if (authzContext.getAncestorIndex() > 1
&& authzContext.getInodes()[1].getLocalName().equals("user")
&& authzContext.getInodes()[2].getLocalName().equals("acl")) {
this.ace.checkPermissionWithContext(authzContext);
}
CALLED.add("checkPermission|" + authzContext.getAncestorAccess()
+ "|" + authzContext.getParentAccess() + "|" + authzContext
.getAccess());
}
}
@Override