HDFS-17478. FSPermissionChecker optimization by initializing AccessControlEnforcer in constructor (#6749)

Madhan Neethiraj 2024-04-18 15:43:31 -07:00 committed by GitHub
parent 0c35cf0982
commit e8b2c28dec
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -89,6 +89,7 @@ private String toAccessControlString(INodeAttributes inodeAttrib,
private final Collection<String> groups; private final Collection<String> groups;
private final boolean isSuper; private final boolean isSuper;
private final INodeAttributeProvider attributeProvider; private final INodeAttributeProvider attributeProvider;
private final AccessControlEnforcer accessControlEnforcer;
private final boolean authorizeWithContext; private final boolean authorizeWithContext;
private final long accessControlEnforcerReportingThresholdMs; private final long accessControlEnforcerReportingThresholdMs;
@ -112,6 +113,7 @@ protected FSPermissionChecker(String fsOwner, String supergroup,
user = callerUgi.getShortUserName(); user = callerUgi.getShortUserName();
isSuper = user.equals(fsOwner) || groups.contains(supergroup); isSuper = user.equals(fsOwner) || groups.contains(supergroup);
this.attributeProvider = attributeProvider; this.attributeProvider = attributeProvider;
this.accessControlEnforcer = initAccessControlEnforcer();
if (attributeProvider == null) { if (attributeProvider == null) {
// If attribute provider is null, use FSPermissionChecker default // If attribute provider is null, use FSPermissionChecker default
@ -194,7 +196,7 @@ static String runCheckPermission(CheckPermission checker,
return message; return message;
} }
private AccessControlEnforcer getAccessControlEnforcer() { private AccessControlEnforcer initAccessControlEnforcer() {
final AccessControlEnforcer e = Optional.ofNullable(attributeProvider) final AccessControlEnforcer e = Optional.ofNullable(attributeProvider)
.map(p -> p.getExternalAccessControlEnforcer(this)) .map(p -> p.getExternalAccessControlEnforcer(this))
.orElse(this); .orElse(this);
@ -287,7 +289,7 @@ public void checkSuperuserPrivilege(String path)
+ ", operationName=" + FSPermissionChecker.operationType.get() + ", operationName=" + FSPermissionChecker.operationType.get()
+ ", path=" + path); + ", path=" + path);
} }
getAccessControlEnforcer().checkSuperUserPermissionWithContext( accessControlEnforcer.checkSuperUserPermissionWithContext(
getAuthorizationContextForSuperUser(path)); getAuthorizationContextForSuperUser(path));
} }
@ -306,7 +308,7 @@ public void denyUserAccess(String path, String errorMessage)
+ ", operationName=" + FSPermissionChecker.operationType.get() + ", operationName=" + FSPermissionChecker.operationType.get()
+ ", path=" + path); + ", path=" + path);
} }
getAccessControlEnforcer().denyUserAccess( accessControlEnforcer.denyUserAccess(
getAuthorizationContextForSuperUser(path), errorMessage); getAuthorizationContextForSuperUser(path), errorMessage);
} }
@ -368,7 +370,6 @@ void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
String path = inodesInPath.getPath(); String path = inodesInPath.getPath();
int ancestorIndex = inodes.length - 2; int ancestorIndex = inodes.length - 2;
AccessControlEnforcer enforcer = getAccessControlEnforcer();
String opType = operationType.get(); String opType = operationType.get();
try { try {
@ -392,9 +393,9 @@ void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
ignoreEmptyDir(ignoreEmptyDir). ignoreEmptyDir(ignoreEmptyDir).
operationName(opType). operationName(opType).
callerContext(CallerContext.getCurrent()); callerContext(CallerContext.getCurrent());
enforcer.checkPermissionWithContext(builder.build()); accessControlEnforcer.checkPermissionWithContext(builder.build());
} else { } else {
enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, accessControlEnforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs,
inodes, components, snapshotId, path, ancestorIndex, doCheckOwner, inodes, components, snapshotId, path, ancestorIndex, doCheckOwner,
ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir); ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
} }
@ -426,7 +427,6 @@ void checkPermission(INode inode, int snapshotId, FsAction access)
pathComponents.length - 1, inode, snapshotId); pathComponents.length - 1, inode, snapshotId);
try { try {
INodeAttributes[] iNodeAttr = {nodeAttributes}; INodeAttributes[] iNodeAttr = {nodeAttributes};
AccessControlEnforcer enforcer = getAccessControlEnforcer();
String opType = operationType.get(); String opType = operationType.get();
if (this.authorizeWithContext && opType != null) { if (this.authorizeWithContext && opType != null) {
INodeAttributeProvider.AuthorizationContext.Builder builder = INodeAttributeProvider.AuthorizationContext.Builder builder =
@ -452,9 +452,9 @@ void checkPermission(INode inode, int snapshotId, FsAction access)
.operationName(opType) .operationName(opType)
.callerContext(CallerContext.getCurrent()); .callerContext(CallerContext.getCurrent());
enforcer.checkPermissionWithContext(builder.build()); accessControlEnforcer.checkPermissionWithContext(builder.build());
} else { } else {
enforcer.checkPermission( accessControlEnforcer.checkPermission(
fsOwner, supergroup, callerUgi, fsOwner, supergroup, callerUgi,
iNodeAttr, // single inode attr in the array iNodeAttr, // single inode attr in the array
new INode[]{inode}, // single inode in the array new INode[]{inode}, // single inode in the array
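Review bot: The new constructor line `this.accessControlEnforcer = initAccessControlEnforcer();` passes `this` to `p.getExternalAccessControlEnforcer(this)` while the checker is still under construction. It runs before the `if (attributeProvider == null)` branch that follows, so the final fields `authorizeWithContext` and `accessControlEnforcerReportingThresholdMs` are presumably still unassigned at that point. A provider that calls back into the default enforcer during that call, rather than only storing the reference, would evaluate permissions against default field values. Making the assignment the last statement of the constructor closes that window, and a comment on `initAccessControlEnforcer()` such as `// Runs in the constructor: the provider gets a not-yet-initialized checker and must only keep the reference.` would record the contract. The enforcer is now also fixed for the lifetime of the checker instead of being looked up on each check, which is equivalent only if a checker never outlives a provider or policy reconfiguration; this page does not show that, and the constructor and `initAccessControlEnforcer()` both continue outside the visible hunks.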