List of usage examples for org.apache.hadoop.fs.permission AclEntryType USER
AclEntryType USER
To view the source code for org.apache.hadoop.fs.permission AclEntryType USER.
Click Source Link
From source file:alluxio.underfs.hdfs.acl.SupportedHdfsAclProvider.java
License:Apache License
/** * @param aclEntry an alluxio acl entry/*from w w w .j a v a 2 s .c o m*/ * @return hdfs acl entry type */ private AclEntryType getHdfsAclEntryType(alluxio.security.authorization.AclEntry aclEntry) throws IOException { switch (aclEntry.getType()) { case OWNING_USER: case NAMED_USER: return AclEntryType.USER; case OWNING_GROUP: case NAMED_GROUP: return AclEntryType.GROUP; case MASK: return AclEntryType.MASK; case OTHER: return AclEntryType.OTHER; default: throw new IOException("Unknown Alluxio ACL entry type: " + aclEntry.getType()); } }
From source file:org.apache.sentry.hdfs.SentryAuthorizationInfoX.java
License:Apache License
@Override public List<AclEntry> getAclEntries(String[] pathElements) { AclEntry acl = new AclEntry.Builder().setType(AclEntryType.USER).setPermission(FsAction.ALL) .setName("user-authz").setScope(AclEntryScope.ACCESS).build(); return Arrays.asList(acl); }
From source file:org.apache.sentry.hdfs.SentryAuthorizationProvider.java
License:Apache License
private List<AclEntry> createAclEntries(String user, String group, FsPermission permission) { List<AclEntry> list = new ArrayList<AclEntry>(); AclEntry.Builder builder = new AclEntry.Builder(); FsPermission fsPerm = new FsPermission(permission); builder.setName(user);/*w w w . j av a2s. co m*/ builder.setType(AclEntryType.USER); builder.setScope(AclEntryScope.ACCESS); builder.setPermission(fsPerm.getUserAction()); list.add(builder.build()); builder.setName(group); builder.setType(AclEntryType.GROUP); builder.setScope(AclEntryScope.ACCESS); builder.setPermission(fsPerm.getGroupAction()); list.add(builder.build()); builder.setName(null); return list; }
From source file:org.apache.sentry.hdfs.SentryINodeAttributesProvider.java
License:Apache License
private static List<AclEntry> createAclEntries(String user, String group, FsPermission permission) { List<AclEntry> list = new ArrayList<AclEntry>(); AclEntry.Builder builder = new AclEntry.Builder(); FsPermission fsPerm = new FsPermission(permission); builder.setName(user);//from w w w . j a v a 2 s. c om builder.setType(AclEntryType.USER); builder.setScope(AclEntryScope.ACCESS); builder.setPermission(fsPerm.getUserAction()); list.add(builder.build()); builder.setName(group); builder.setType(AclEntryType.GROUP); builder.setScope(AclEntryScope.ACCESS); builder.setPermission(fsPerm.getGroupAction()); list.add(builder.build()); builder.setName(null); return list; }
From source file:org.apache.sentry.hdfs.SentryPermissions.java
License:Apache License
/** * Constructs HDFS ACL's based on the permissions granted to the object directly * and inherited from the parents./*from w ww. j av a 2 s. co m*/ * @param authzObj Object name for which ACL are needed * @return HDFS ACL's */ @Override public List<AclEntry> getAcls(String authzObj) { Map<HdfsAclEntity, FsAction> permissions = getPerms(authzObj); List<AclEntry> retList = new LinkedList<AclEntry>(); for (Map.Entry<HdfsAclEntity, FsAction> permission : permissions.entrySet()) { AclEntry.Builder builder = new AclEntry.Builder(); if (permission.getKey().getType() == AclEntryType.GROUP) { builder.setName(permission.getKey().getValue()); builder.setType(AclEntryType.GROUP); } else if (permission.getKey().getType() == AclEntryType.USER) { builder.setName(permission.getKey().getValue()); builder.setType(AclEntryType.USER); } else { LOG.warn("Permissions for Invalid AclEntryType: %s", permission.getKey().getType()); continue; } builder.setScope(AclEntryScope.ACCESS); FsAction action = permission.getValue(); if (action == FsAction.READ || action == FsAction.WRITE || action == FsAction.READ_WRITE) { action = action.or(FsAction.EXECUTE); } builder.setPermission(action); retList.add(builder.build()); } return retList; }
From source file:org.apache.sentry.hdfs.TestSentryAuthorizationProvider.java
License:Apache License
@Test public void testProvider() throws Exception { admin.doAs(new PrivilegedExceptionAction<Void>() { @Override//from w w w . j av a 2 s . c o m public Void run() throws Exception { String sysUser = UserGroupInformation.getCurrentUser().getShortUserName(); FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0)); List<AclEntry> baseAclList = new ArrayList<AclEntry>(); AclEntry.Builder builder = new AclEntry.Builder(); baseAclList.add(builder.setType(AclEntryType.USER).setScope(AclEntryScope.ACCESS).build()); baseAclList.add(builder.setType(AclEntryType.GROUP).setScope(AclEntryScope.ACCESS).build()); baseAclList.add(builder.setType(AclEntryType.OTHER).setScope(AclEntryScope.ACCESS).build()); Path path1 = new Path("/user/authz/obj/xxx"); fs.mkdirs(path1); fs.setAcl(path1, baseAclList); fs.mkdirs(new Path("/user/authz/xxx")); fs.mkdirs(new Path("/user/xxx")); // root Path path = new Path("/"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir before prefixes path = new Path("/user"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // prefix dir path = new Path("/user/authz"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir inside of prefix, no obj path = new Path("/user/authz/xxx"); FileStatus status = fs.getFileStatus(path); Assert.assertEquals(sysUser, status.getOwner()); Assert.assertEquals("supergroup", status.getGroup()); Assert.assertEquals(new FsPermission((short) 0755), status.getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir inside of prefix, obj path = new Path("/user/authz/obj"); Assert.assertEquals("hive", fs.getFileStatus(path).getOwner()); Assert.assertEquals("hive", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission()); Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty()); List<AclEntry> acls = new ArrayList<AclEntry>(); acls.add(new AclEntry.Builder().setName(sysUser).setType(AclEntryType.USER) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.ALL).build()); acls.add(new AclEntry.Builder().setName("supergroup").setType(AclEntryType.GROUP) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.READ_EXECUTE).build()); acls.add(new AclEntry.Builder().setName("user-authz").setType(AclEntryType.USER) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.ALL).build()); Assert.assertEquals(new LinkedHashSet<AclEntry>(acls), new LinkedHashSet<AclEntry>(fs.getAclStatus(path).getEntries())); // dir inside of prefix, inside of obj path = new Path("/user/authz/obj/xxx"); Assert.assertEquals("hive", fs.getFileStatus(path).getOwner()); Assert.assertEquals("hive", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission()); Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty()); Path path2 = new Path("/user/authz/obj/path2"); fs.mkdirs(path2); fs.setAcl(path2, baseAclList); // dir outside of prefix path = new Path("/user/xxx"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); return null; } }); }
From source file:org.apache.sentry.hdfs.TestSentryINodeAttributesProvider.java
License:Apache License
@Test public void testProvider() throws Exception { admin.doAs(new PrivilegedExceptionAction<Void>() { @Override// w ww . j ava 2 s .co m public Void run() throws Exception { String sysUser = UserGroupInformation.getCurrentUser().getShortUserName(); FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0)); List<AclEntry> baseAclList = new ArrayList<AclEntry>(); AclEntry.Builder builder = new AclEntry.Builder(); baseAclList.add(builder.setType(AclEntryType.USER).setScope(AclEntryScope.ACCESS).build()); baseAclList.add(builder.setType(AclEntryType.GROUP).setScope(AclEntryScope.ACCESS).build()); baseAclList.add(builder.setType(AclEntryType.OTHER).setScope(AclEntryScope.ACCESS).build()); Path path1 = new Path("/user/authz/obj/xxx"); fs.mkdirs(path1); fs.setAcl(path1, baseAclList); fs.mkdirs(new Path("/user/authz/xxx")); fs.mkdirs(new Path("/user/xxx")); // root Path path = new Path("/"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir before prefixes path = new Path("/user"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // prefix dir path = new Path("/user/authz"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir inside of prefix, no obj path = new Path("/user/authz/xxx"); FileStatus status = fs.getFileStatus(path); Assert.assertEquals(sysUser, status.getOwner()); Assert.assertEquals("supergroup", status.getGroup()); Assert.assertEquals(new FsPermission((short) 0755), status.getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // dir inside of prefix, obj path = new Path("/user/authz/obj"); Assert.assertEquals("hive", fs.getFileStatus(path).getOwner()); Assert.assertEquals("hive", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission()); Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty()); List<AclEntry> acls = new ArrayList<AclEntry>(); acls.add(new AclEntry.Builder().setName(sysUser).setType(AclEntryType.USER) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.ALL).build()); acls.add(new AclEntry.Builder().setName("supergroup").setType(AclEntryType.GROUP) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.READ_EXECUTE).build()); acls.add(new AclEntry.Builder().setName("user-authz").setType(AclEntryType.USER) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.ALL).build()); Assert.assertEquals(new LinkedHashSet<AclEntry>(acls), new LinkedHashSet<AclEntry>(fs.getAclStatus(path).getEntries())); // dir inside of prefix, inside of obj path = new Path("/user/authz/obj/xxx"); Assert.assertEquals("hive", fs.getFileStatus(path).getOwner()); Assert.assertEquals("hive", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission()); Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty()); Path path2 = new Path("/user/authz/obj/path2"); fs.mkdirs(path2); fs.setAcl(path2, baseAclList); // dir outside of prefix path = new Path("/user/xxx"); Assert.assertEquals(sysUser, fs.getFileStatus(path).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup()); Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); //stale and dir inside of prefix, obj System.setProperty("test.stale", "true"); path = new Path("/user/authz/xxx"); status = fs.getFileStatus(path); Assert.assertEquals(sysUser, status.getOwner()); Assert.assertEquals("supergroup", status.getGroup()); Assert.assertEquals(new FsPermission((short) 0755), status.getPermission()); Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty()); // setPermission sets the permission for dir outside of prefix. // setUser/setGroup sets the user/group for dir outside of prefix. Path pathOutside = new Path("/user/xxx"); fs.setPermission(pathOutside, new FsPermission((short) 0000)); Assert.assertEquals(new FsPermission((short) 0000), fs.getFileStatus(pathOutside).getPermission()); fs.setOwner(pathOutside, sysUser, "supergroup"); Assert.assertEquals(sysUser, fs.getFileStatus(pathOutside).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(pathOutside).getGroup()); // removeAcl removes the ACL entries for dir outside of prefix. List<AclEntry> aclsOutside = new ArrayList<AclEntry>(baseAclList); List<AclEntry> acl = new ArrayList<AclEntry>(); acl.add(new AclEntry.Builder().setName("supergroup").setType(AclEntryType.GROUP) .setScope(AclEntryScope.ACCESS).setPermission(FsAction.READ_EXECUTE).build()); aclsOutside.addAll(acl); fs.setAcl(pathOutside, aclsOutside); fs.removeAclEntries(pathOutside, acl); Assert.assertFalse(fs.getAclStatus(pathOutside).getEntries().containsAll(acl)); // setPermission sets the permission for dir inside of prefix but not a hive obj. // setUser/setGroup sets the user/group for dir inside of prefix but not a hive obj. Path pathInside = new Path("/user/authz/xxx"); fs.setPermission(pathInside, new FsPermission((short) 0000)); Assert.assertEquals(new FsPermission((short) 0000), fs.getFileStatus(pathInside).getPermission()); fs.setOwner(pathInside, sysUser, "supergroup"); Assert.assertEquals(sysUser, fs.getFileStatus(pathInside).getOwner()); Assert.assertEquals("supergroup", fs.getFileStatus(pathInside).getGroup()); // removeAcl is a no op for dir inside of prefix. Assert.assertTrue(fs.getAclStatus(pathInside).getEntries().isEmpty()); fs.removeAclEntries(pathInside, acl); Assert.assertTrue(fs.getAclStatus(pathInside).getEntries().isEmpty()); // setPermission/setUser/setGroup is a no op for dir inside of prefix, and is a hive obj. Path pathInsideAndHive = new Path("/user/authz/obj"); fs.setPermission(pathInsideAndHive, new FsPermission((short) 0000)); Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(pathInsideAndHive).getPermission()); fs.setOwner(pathInsideAndHive, sysUser, "supergroup"); Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getOwner()); Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getGroup()); return null; } }); }
From source file:org.apache.sentry.hdfs.TestSentryPermissions.java
License:Apache License
/** * Adds user and group permissions and role info and check is the ACL are properly generated. *//*from ww w . j a v a 2s . co m*/ @Test public void testSentryPermissions() { String authorizable = "db1.tb1"; FsAction fsAction = FsAction.ALL; SentryPermissions perms = new SentryPermissions(); SentryPermissions.RoleInfo roleInfo = new SentryPermissions.RoleInfo("role1"); roleInfo.addGroup("group1"); roleInfo.addGroup("group2"); TPrivilegePrincipal roleEntity = new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, "role1"); TPrivilegePrincipal userEntity = new TPrivilegePrincipal(TPrivilegePrincipalType.USER, "user1"); perms.addRoleInfo(roleInfo); SentryPermissions.PrivilegeInfo pInfo = new SentryPermissions.PrivilegeInfo(authorizable); pInfo.setPermission(roleEntity, fsAction); pInfo.setPermission(userEntity, fsAction); perms.addPrivilegeInfo(pInfo); List<AclEntry> acls = perms.getAcls(authorizable); Assert.assertEquals("Unexpected number of ACL entries received", 3, acls.size()); Assert.assertEquals("Unexpected permission", fsAction, acls.get(0).getPermission()); int userAclCount = 0; int groupAclCount = 0; for (AclEntry entry : acls) { if (entry.getType() == AclEntryType.GROUP) { groupAclCount++; } else if (entry.getType() == AclEntryType.USER) { userAclCount++; } } Assert.assertEquals("Unexpected number of User ACL", 1, userAclCount); Assert.assertEquals("Unexpected number of Group ACL", 2, groupAclCount); }
From source file:org.apache.sentry.tests.e2e.hdfs.TestHDFSIntegrationBase.java
License:Apache License
private void verifyOnAllSubDirsHelper(Path p, FsAction fsAction, String user, String group, boolean shouldExist, boolean recurse, int retry) throws Throwable { FileStatus fStatus = null;/*from w w w . ja va2 s. com*/ // validate parent dir's acls try { fStatus = miniDFS.getFileSystem().getFileStatus(p); if (shouldExist) { if (!Strings.isNullOrEmpty(group)) { Assert.assertEquals("Error at verifying Path action : " + p + " ;", fsAction, getAcls(AclEntryType.GROUP, p).get(group)); } if (!Strings.isNullOrEmpty(user)) { Assert.assertEquals("Error at verifying Path action : " + p + " ;", fsAction, getAcls(AclEntryType.USER, p).get(user)); } } else { if (!Strings.isNullOrEmpty(group)) { assertFalse("Error at verifying Path : " + p + " ," + " group : " + group + " ;", getAcls(AclEntryType.GROUP, p).containsKey(group)); } if (!Strings.isNullOrEmpty(user)) { assertFalse("Error at verifying Path : " + p + " ," + " user : " + user + " ;", getAcls(AclEntryType.USER, p).containsKey(user)); } } LOGGER.info("Successfully found acls for path = " + p.getName()); } catch (Throwable th) { if (retry > 0) { LOGGER.info("Retry: " + retry); Thread.sleep(RETRY_WAIT); verifyOnAllSubDirsHelper(p, fsAction, user, group, shouldExist, recurse, retry - 1); } else { throw th; } } // validate children dirs if (recurse && fStatus.isDirectory()) { FileStatus[] children = miniDFS.getFileSystem().listStatus(p); for (FileStatus fs : children) { verifyOnAllSubDirsHelper(fs.getPath(), fsAction, user, group, shouldExist, recurse, NUM_RETRIES); } } }
From source file:org.trustedanalytics.auth.gateway.hdfs.integration.HdfsGatewayIntegrationTest.java
License:Apache License
private void checkIfDirectoryExistsWithACL(Path path, String owner, String[] privilegedUsers, String[] privilegedGroups) throws IOException { AclStatus s = fileSystem.getAclStatus(path); assertThat(fileSystem.exists(path), equalTo(true)); assertThat(s.getOwner(), equalTo(owner)); List<String> usersWithAcl = s.getEntries().stream() .filter(entry -> entry.getType().equals(AclEntryType.USER)) .filter(entry -> entry.getScope().equals(AclEntryScope.ACCESS)).map(AclEntry::getName) .collect(toList());/*from www . jav a 2 s . c o m*/ List<String> groupsWithAcl = s.getEntries().stream() .filter(entry -> entry.getType().equals(AclEntryType.GROUP)) .filter(entry -> entry.getScope().equals(AclEntryScope.ACCESS)).map(AclEntry::getName) .collect(toList()); List<String> usersWithDefaultAcl = s.getEntries().stream() .filter(entry -> entry.getType().equals(AclEntryType.USER)) .filter(entry -> entry.getScope().equals(AclEntryScope.ACCESS)).map(AclEntry::getName) .collect(toList()); List<String> groupsWithDefaultAcl = s.getEntries().stream() .filter(entry -> entry.getType().equals(AclEntryType.GROUP)) .filter(entry -> entry.getScope().equals(AclEntryScope.ACCESS)).map(AclEntry::getName) .collect(toList()); assertThat(usersWithAcl.size(), equalTo(privilegedUsers.length)); assertThat(usersWithAcl, containsInAnyOrder(privilegedUsers)); assertThat(groupsWithAcl.size(), equalTo(privilegedGroups.length)); assertThat(groupsWithAcl, containsInAnyOrder(privilegedGroups)); assertThat(usersWithDefaultAcl.size(), equalTo(privilegedUsers.length)); assertThat(usersWithDefaultAcl, containsInAnyOrder(privilegedUsers)); assertThat(groupsWithDefaultAcl.size(), equalTo(privilegedGroups.length)); assertThat(groupsWithDefaultAcl, containsInAnyOrder(privilegedGroups)); }