Package org.apache.hadoop.hdfs.server.namenode

Class AclStorage

java.lang.Object

org.apache.hadoop.hdfs.server.namenode.AclStorage

@Private
public final class AclStorage
extends java.lang.Object

AclStorage contains utility methods that define how ACL data is stored in the namespace. If an inode has an ACL, then the ACL bit is set in the inode's FsPermission and the inode also contains an AclFeature. For the access ACL, the owner and other entries are identical to the owner and other bits stored in FsPermission, so we reuse those. The access mask entry is stored into the group permission bits of FsPermission. This is consistent with other file systems' implementations of ACLs and eliminates the need for special handling in various parts of the codebase. For example, if a user calls chmod to change group permission bits on a file with an ACL, then the expected behavior is to change the ACL's mask entry. By saving the mask entry into the group permission bits, chmod continues to work correctly without special handling. All remaining access entries (named users and named groups) are stored as explicit AclEntry instances in a list inside the AclFeature. Additionally, all default entries are stored in the AclFeature. The methods in this class encapsulate these rules for reading or writing the ACL entries to the appropriate location. The methods in this class assume that input ACL entry lists have already been validated and sorted according to the rules enforced by AclTransformation.

Method Summary

Modifier and Type	Method	Description
static AclFeature	addAclFeature(AclFeature aclFeature)	Add reference for the said AclFeature
static boolean	copyINodeDefaultAcl(INode child)	If a default ACL is defined on a parent directory, then copies that default ACL to a newly created child file or directory.
static ReferenceCountMap<AclFeature>	getUniqueAclFeatures()
static java.util.List<org.apache.hadoop.fs.permission.AclEntry>	readINodeAcl(INodeAttributes inodeAttr)	Reads the existing extended ACL entries of an INodeAttribute object.
static java.util.List<org.apache.hadoop.fs.permission.AclEntry>	readINodeAcl(INode inode, int snapshotId)	Reads the existing extended ACL entries of an inode.
static java.util.List<org.apache.hadoop.fs.permission.AclEntry>	readINodeLogicalAcl(INode inode)	Reads the existing ACL of an inode.
static void	removeAclFeature(AclFeature aclFeature)	Remove reference to the AclFeature
static void	updateINodeAcl(INode inode, java.util.List<org.apache.hadoop.fs.permission.AclEntry> newAcl, int snapshotId)	Updates an inode with a new ACL.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

copyINodeDefaultAcl

public static boolean copyINodeDefaultAcl(INode child)

If a default ACL is defined on a parent directory, then copies that default ACL to a newly created child file or directory.

Parameters:

child - INode newly created child

readINodeAcl

public static java.util.List<org.apache.hadoop.fs.permission.AclEntry> readINodeAcl(INode inode,
                                                                                    int snapshotId)

Reads the existing extended ACL entries of an inode. This method returns only the extended ACL entries stored in the AclFeature. If the inode does not have an ACL, then this method returns an empty list. This method supports querying by snapshot ID.

Parameters:

inode - INode to read

snapshotId - int ID of snapshot to read

Returns:

List<AclEntry> containing extended inode ACL entries

readINodeAcl

public static java.util.List<org.apache.hadoop.fs.permission.AclEntry> readINodeAcl(INodeAttributes inodeAttr)

Reads the existing extended ACL entries of an INodeAttribute object.

Parameters:

inodeAttr - INode to read

Returns:

List<AclEntry> containing extended inode ACL entries

readINodeLogicalAcl

public static java.util.List<org.apache.hadoop.fs.permission.AclEntry> readINodeLogicalAcl(INode inode)

Reads the existing ACL of an inode. This method always returns the full logical ACL of the inode after reading relevant data from the inode's FsPermission and AclFeature. Note that every inode logically has an ACL, even if no ACL has been set explicitly. If the inode does not have an extended ACL, then the result is a minimal ACL consising of exactly 3 entries that correspond to the owner, group and other permissions. This method always reads the inode's current state and does not support querying by snapshot ID. This is because the method is intended to support ACL modification APIs, which always apply a delta on top of current state.

Parameters:

inode - INode to read

Returns:

List<AclEntry> containing all logical inode ACL entries

updateINodeAcl

public static void updateINodeAcl(INode inode,
                                  java.util.List<org.apache.hadoop.fs.permission.AclEntry> newAcl,
                                  int snapshotId)
                           throws org.apache.hadoop.hdfs.protocol.AclException,
                                  org.apache.hadoop.hdfs.protocol.QuotaExceededException

Updates an inode with a new ACL. This method takes a full logical ACL and stores the entries to the inode's FsPermission and AclFeature.

Parameters:

inode - INode to update

newAcl - List<AclEntry> containing new ACL entries

snapshotId - int latest snapshot ID of inode

Throws:

org.apache.hadoop.hdfs.protocol.AclException - if the ACL is invalid for the given inode

org.apache.hadoop.hdfs.protocol.QuotaExceededException - if quota limit is exceeded

getUniqueAclFeatures

@VisibleForTesting
public static ReferenceCountMap<AclFeature> getUniqueAclFeatures()

addAclFeature

public static AclFeature addAclFeature(AclFeature aclFeature)

Add reference for the said AclFeature

Parameters:

aclFeature -

Returns:

Referenced AclFeature

removeAclFeature

public static void removeAclFeature(AclFeature aclFeature)

Remove reference to the AclFeature

Parameters:

aclFeature -