HDFS-14112. Avoid recursive call to external authorizer for getContentSummary.
parent
ae5fbdd9ed
commit
0081b02e35
@ -284,6 +284,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
|
||||
HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT;
|
||||
public static final String DFS_PERMISSIONS_ENABLED_KEY =
|
||||
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY;
|
||||
public static final String DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY
|
||||
= "dfs.permissions.ContentSummary.subAccess";
|
||||
public static final boolean DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT
|
||||
= false;
|
||||
public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true;
|
||||
public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY =
|
||||
HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
|
||||
|
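Review bot: The new key string `"dfs.permissions.ContentSummary.subAccess"` mixes upper and lower case, while the neighbouring key shown in the XML defaults of this same commit, `dfs.permissions.superusergroup`, is all lowercase. Property names are matched case-sensitively, so a site file that spells the key in the usual lowercase style would be ignored without any error and the default `false` would apply. If the name has not been released yet, an all-lowercase form such as `"dfs.permissions.content-summary.subaccess"` (changed in the XML defaults as well) would be more consistent. The constant also lacks a comment such as `// When true, getContentSummary does one up-front subAccess check instead of per-directory checks.`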
@ -128,6 +128,11 @@ static boolean isFileClosed(FSDirectory fsd, FSPermissionChecker pc,
|
||||
static ContentSummary getContentSummary(
|
||||
FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException {
|
||||
final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK);
|
||||
if (fsd.isPermissionEnabled() && fsd.isPermissionContentSummarySubAccess()) {
|
||||
fsd.checkPermission(pc, iip, false, null, null, null,
|
||||
FsAction.READ_EXECUTE);
|
||||
pc = null;
|
||||
}
|
||||
// getContentSummaryInt() call will check access (if enabled) when
|
||||
// traversing all sub directories.
|
||||
return getContentSummaryInt(fsd, pc, iip);
|
||||
|
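Review bot: The retained comment `// getContentSummaryInt() call will check access (if enabled) when traversing all sub directories.` is no longer accurate on the new branch, because once the up-front `fsd.checkPermission(...)` succeeds, `pc = null;` is what switches the per-directory check off, and nothing in the code says so. Using a null checker as a "skip authorization" signal is fail-open by convention, so it should be explained where it happens, e.g. `// subAccess (last argument) on the whole subtree was checked above; a null pc makes the traversal skip per-directory checks` above `pc = null;`. The old comment should then be reworded to `// With a non-null pc, getContentSummaryInt() checks access while traversing sub directories.` It is also worth confirming that the up-front check and the later traversal see the same tree, since the lock scope is not visible here; getContentSummary's body ends outside the hunk.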
@ -175,6 +175,7 @@ private static INodeDirectory createRoot(FSNamesystem namesystem) {
|
||||
private final ReentrantReadWriteLock dirLock;
|
||||
|
||||
private final boolean isPermissionEnabled;
|
||||
private final boolean isPermissionContentSummarySubAccess;
|
||||
/**
|
||||
* Support for ACLs is controlled by a configuration flag. If the
|
||||
* configuration flag is false, then the NameNode will reject all
|
||||
@ -274,6 +275,9 @@ public enum DirOp {
|
||||
this.isPermissionEnabled = conf.getBoolean(
|
||||
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY,
|
||||
DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT);
|
||||
this.isPermissionContentSummarySubAccess = conf.getBoolean(
|
||||
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY,
|
||||
DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT);
|
||||
this.fsOwnerShortUserName =
|
||||
UserGroupInformation.getCurrentUser().getShortUserName();
|
||||
this.supergroup = conf.get(
|
||||
@ -538,6 +542,9 @@ boolean isPermissionEnabled() {
|
||||
boolean isAclsEnabled() {
|
||||
return aclsEnabled;
|
||||
}
|
||||
boolean isPermissionContentSummarySubAccess() {
|
||||
return isPermissionContentSummarySubAccess;
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
public boolean isPosixAclInheritanceEnabled() {
|
||||
|
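Review bot: `isPermissionContentSummarySubAccess()` in the last hunk of this file has no Javadoc, although its value decides whether getContentSummary skips the per-directory permission checks during traversal. I would add `/** @return true if getContentSummary performs one up-front subAccess check instead of per-directory checks; only consulted when permissions are enabled. */` above it. The constructor hunk reads the flag independently of `isPermissionEnabled`, so the "only when enabled" part rests on the caller testing both, which is worth stating on the field declaration too. The class body lies outside these hunks.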
@ -469,6 +469,16 @@
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>dfs.permissions.ContentSummary.subAccess</name>
|
||||
<value>false</value>
|
||||
<description>
|
||||
If "true", the ContentSummary permission checking will use subAccess.
|
||||
If "false", the ContentSummary permission checking will NOT use subAccess.
|
||||
subAccess means using recursion to check the access of all descendants.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>dfs.permissions.superusergroup</name>
|
||||
<value>supergroup</value>
|
||||
|
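Review bot: The description of `dfs.permissions.ContentSummary.subAccess` does not tell an operator what changes for authorization when the value is "true". Judging from the getContentSummary change in this commit, "true" means one up-front subAccess check on the target path, after which the traversal runs without per-directory checks, and the setting only takes effect when permission checking is enabled. I would say so in the text, e.g. `If "true", getContentSummary makes a single subAccess permission check on the path up front (one call to an external authorizer) instead of checking each sub directory during traversal. Only applies when permission checking is enabled.`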