HDFS-14112. Avoid recursive call to external authorizer for getContentSummary.
This commit is contained in:
parent
ae5fbdd9ed
commit
0081b02e35
@ -284,6 +284,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
|
|||||||
HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT;
|
HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT;
|
||||||
public static final String DFS_PERMISSIONS_ENABLED_KEY =
|
public static final String DFS_PERMISSIONS_ENABLED_KEY =
|
||||||
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY;
|
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY;
|
||||||
|
public static final String DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY
|
||||||
|
= "dfs.permissions.ContentSummary.subAccess";
|
||||||
|
public static final boolean DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT
|
||||||
|
= false;
|
||||||
public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true;
|
public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true;
|
||||||
public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY =
|
public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY =
|
||||||
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
|
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
|
||||||
|
@ -128,6 +128,11 @@ static boolean isFileClosed(FSDirectory fsd, FSPermissionChecker pc,
|
|||||||
static ContentSummary getContentSummary(
|
static ContentSummary getContentSummary(
|
||||||
FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException {
|
FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException {
|
||||||
final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK);
|
final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK);
|
||||||
|
if (fsd.isPermissionEnabled() && fsd.isPermissionContentSummarySubAccess()) {
|
||||||
|
fsd.checkPermission(pc, iip, false, null, null, null,
|
||||||
|
FsAction.READ_EXECUTE);
|
||||||
|
pc = null;
|
||||||
|
}
|
||||||
// getContentSummaryInt() call will check access (if enabled) when
|
// getContentSummaryInt() call will check access (if enabled) when
|
||||||
// traversing all sub directories.
|
// traversing all sub directories.
|
||||||
return getContentSummaryInt(fsd, pc, iip);
|
return getContentSummaryInt(fsd, pc, iip);
|
||||||
|
@ -175,6 +175,7 @@ private static INodeDirectory createRoot(FSNamesystem namesystem) {
|
|||||||
private final ReentrantReadWriteLock dirLock;
|
private final ReentrantReadWriteLock dirLock;
|
||||||
|
|
||||||
private final boolean isPermissionEnabled;
|
private final boolean isPermissionEnabled;
|
||||||
|
private final boolean isPermissionContentSummarySubAccess;
|
||||||
/**
|
/**
|
||||||
* Support for ACLs is controlled by a configuration flag. If the
|
* Support for ACLs is controlled by a configuration flag. If the
|
||||||
* configuration flag is false, then the NameNode will reject all
|
* configuration flag is false, then the NameNode will reject all
|
||||||
@ -274,6 +275,9 @@ public enum DirOp {
|
|||||||
this.isPermissionEnabled = conf.getBoolean(
|
this.isPermissionEnabled = conf.getBoolean(
|
||||||
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY,
|
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY,
|
||||||
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT);
|
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT);
|
||||||
|
this.isPermissionContentSummarySubAccess = conf.getBoolean(
|
||||||
|
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY,
|
||||||
|
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT);
|
||||||
this.fsOwnerShortUserName =
|
this.fsOwnerShortUserName =
|
||||||
UserGroupInformation.getCurrentUser().getShortUserName();
|
UserGroupInformation.getCurrentUser().getShortUserName();
|
||||||
this.supergroup = conf.get(
|
this.supergroup = conf.get(
|
||||||
@ -538,6 +542,9 @@ boolean isPermissionEnabled() {
|
|||||||
boolean isAclsEnabled() {
|
boolean isAclsEnabled() {
|
||||||
return aclsEnabled;
|
return aclsEnabled;
|
||||||
}
|
}
|
||||||
|
boolean isPermissionContentSummarySubAccess() {
|
||||||
|
return isPermissionContentSummarySubAccess;
|
||||||
|
}
|
||||||
|
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
public boolean isPosixAclInheritanceEnabled() {
|
public boolean isPosixAclInheritanceEnabled() {
|
||||||
|
@ -469,6 +469,16 @@
|
|||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>dfs.permissions.ContentSummary.subAccess</name>
|
||||||
|
<value>false</value>
|
||||||
|
<description>
|
||||||
|
If "true", the ContentSummary permission checking will use subAccess.
|
||||||
|
If "false", the ContentSummary permission checking will NOT use subAccess.
|
||||||
|
subAccess means using recursion to check the access of all descendants.
|
||||||
|
</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>dfs.permissions.superusergroup</name>
|
<name>dfs.permissions.superusergroup</name>
|
||||||
<value>supergroup</value>
|
<value>supergroup</value>
|
||||||
|
Loading…
Reference in New Issue
Block a user