HDFS-14112. Avoid recursive call to external authorizer for getContentSummary.

Tsz Wo Nicholas Sze 2018-11-29 13:55:21 -08:00
parent ae5fbdd9ed
commit 0081b02e35
4 changed files with 26 additions and 0 deletions


@ -284,6 +284,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT; HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT;
public static final String DFS_PERMISSIONS_ENABLED_KEY = public static final String DFS_PERMISSIONS_ENABLED_KEY =
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY; HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY;
public static final String DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY
= "dfs.permissions.ContentSummary.subAccess";
public static final boolean DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT
= false;
public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true; public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true;
public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY = public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY =
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY; HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
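Review bot: The new key string `dfs.permissions.ContentSummary.subAccess` is mixed-case, while the neighbouring permission key visible on this page, `dfs.permissions.superusergroup`, is all lower-case. Configuration keys are matched exactly, so a lower-cased spelling in a site configuration file would silently fall back to the default `false`, leaving an administrator who believes the up-front subAccess check is enabled with the other code path. Consider a lower-case name such as `dfs.permissions.content-summary.subaccess`, or at least a comment above the constant such as `// NOTE: key is case-sensitive; a misspelled key silently yields the default (false)`.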


@ -128,6 +128,11 @@ static boolean isFileClosed(FSDirectory fsd, FSPermissionChecker pc,
static ContentSummary getContentSummary( static ContentSummary getContentSummary(
FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException { FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException {
final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK); final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK);
if (fsd.isPermissionEnabled() && fsd.isPermissionContentSummarySubAccess()) {
fsd.checkPermission(pc, iip, false, null, null, null,
FsAction.READ_EXECUTE);
pc = null;
}
// getContentSummaryInt() call will check access (if enabled) when // getContentSummaryInt() call will check access (if enabled) when
// traversing all sub directories. // traversing all sub directories.
return getContentSummaryInt(fsd, pc, iip); return getContentSummaryInt(fsd, pc, iip);
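Review bot: The retained comment just above the return says getContentSummaryInt() will check access while traversing sub directories, but in the new branch `pc` has already been set to null before that call, so the comment no longer describes the subAccess=true path. Reassigning the parameter to null as the signal that authorization is finished is easy to misread and easy to break in a later edit; a named local such as `final FSPermissionChecker traversalPc = subAccessChecked ? null : pc;` with a comment like `// descendants were authorized by the subAccess check above; a null checker skips per-directory checks` would make the intent explicit. This relies on getContentSummaryInt treating a null checker as "skip checks", which is not visible here and should be confirmed. If the traversal can release the namesystem lock partway through, the up-front check and the walk are not atomic, and the comment should say whether that window is accepted. The body of getContentSummary ends outside the hunk.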


@ -175,6 +175,7 @@ private static INodeDirectory createRoot(FSNamesystem namesystem) {
private final ReentrantReadWriteLock dirLock; private final ReentrantReadWriteLock dirLock;
private final boolean isPermissionEnabled; private final boolean isPermissionEnabled;
private final boolean isPermissionContentSummarySubAccess;
/** /**
* Support for ACLs is controlled by a configuration flag. If the * Support for ACLs is controlled by a configuration flag. If the
* configuration flag is false, then the NameNode will reject all * configuration flag is false, then the NameNode will reject all
@ -274,6 +275,9 @@ public enum DirOp {
this.isPermissionEnabled = conf.getBoolean( this.isPermissionEnabled = conf.getBoolean(
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY, DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY,
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT); DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT);
this.isPermissionContentSummarySubAccess = conf.getBoolean(
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY,
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT);
this.fsOwnerShortUserName = this.fsOwnerShortUserName =
UserGroupInformation.getCurrentUser().getShortUserName(); UserGroupInformation.getCurrentUser().getShortUserName();
this.supergroup = conf.get( this.supergroup = conf.get(
@ -538,6 +542,9 @@ boolean isPermissionEnabled() {
boolean isAclsEnabled() { boolean isAclsEnabled() {
return aclsEnabled; return aclsEnabled;
} }
boolean isPermissionContentSummarySubAccess() {
return isPermissionContentSummarySubAccess;
}
@VisibleForTesting @VisibleForTesting
public boolean isPosixAclInheritanceEnabled() { public boolean isPosixAclInheritanceEnabled() {
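Review bot: The new field `isPermissionContentSummarySubAccess` and its getter carry no comment, although the flag decides whether getContentSummary authorizes descendants once up front or per directory during traversal. A short Javadoc on the field, for example `/** If true, getContentSummary does a single subAccess check and skips per-directory permission checks during traversal. */`, would keep that security-relevant meaning next to the declaration. None of the four files changed on this page appears to be a test, so a test that runs getContentSummary with the flag set to true and to false against an unreadable subdirectory would be worth adding. The constructor and the enclosing class start and end outside these hunks.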


@ -469,6 +469,16 @@
</description> </description>
</property> </property>
<property>
<name>dfs.permissions.ContentSummary.subAccess</name>
<value>false</value>
<description>
If "true", the ContentSummary permission checking will use subAccess.
If "false", the ContentSummary permission checking will NOT use subAccess.
subAccess means using recursion to check the access of all descendants.
</description>
</property>
<property> <property>
<name>dfs.permissions.superusergroup</name> <name>dfs.permissions.superusergroup</name>
<value>supergroup</value> <value>supergroup</value>
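Review bot: The description defines subAccess but does not tell an operator what changes when the property is enabled. Judging from the Java change in this commit, `true` performs one READ_EXECUTE subAccess check before the summary is computed and then hands the traversal a null permission checker, so a sentence such as `When true, access to all descendants is checked once before the summary is computed and is not re-checked per directory during traversal.` would state the trade-off. The commit title suggests the setting is aimed at deployments with an external authorizer; saying so in the description would tell administrators when it applies.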