Package alluxio.security.authorization
Class AccessControlList
- java.lang.Object
-
- alluxio.security.authorization.AccessControlList
-
- All Implemented Interfaces:
java.io.Serializable
- Direct Known Subclasses:
DefaultAccessControlList
@NotThreadSafe public class AccessControlList extends java.lang.Object implements java.io.Serializable
Access control list for a file or directory. An access control list is conceptually a list of entries. There are different types of entries:
1. owning user entry, which specifies permitted actions for the owning user of a file or directory; there is only one owning user entry;
2. named user entry, which specifies permitted actions for any user; there is only one named user entry for each user;
3. owning group entry, which specifies permitted actions for the owning group of a file or directory; there is only one owning group entry;
4. named group entry, which specifies permitted actions for any group; there is only one named group entry for each group;
5. mask entry, which specifies the maximum set of permitted actions for users and groups in all the above entries;
6. other entry, which specifies permitted actions for users who are neither the owning user nor have a named user entry, and whose groups are neither the owning group nor have a named group entry.
Also, the access control list contains the owning user and owning group of a file or directory.
- See Also:
- Serialized Form
-
-
Nested Class Summary
Nested Classes (modifier and type, class, description)
static class AccessControlList.AccessControlListDeserializer
    This is a custom json deserializer for AccessControlList class.
static class AccessControlList.AccessControlListSerializer
    This is a custom json serializer for AccessControlList class.
-
Field Summary
Fields (modifier and type, field, description)
static AccessControlList EMPTY_ACL
protected ExtendedACLEntries mExtendedEntries
protected short mMode
protected java.lang.String mOwningGroup
protected java.lang.String mOwningUser
static java.lang.String OWNER_FIELD
    Keys representing owning user and group for proto ser/de.
static java.lang.String OWNING_GROUP_FIELD
static java.lang.String OWNING_GROUP_KEY
static java.lang.String OWNING_USER_KEY
static java.lang.String STRING_ENTRY_FIELD
-
Constructor Summary
Constructors (constructor, description)
AccessControlList()
    Creates a new instance where owning user and owning group are initialized to empty strings, and no action is permitted for any user or group.
-
Method Summary
Methods (modifier and type, method, description)
boolean checkPermission(java.lang.String user, java.util.List<java.lang.String> groups, AclAction action)
    Checks whether the user has the permission to perform the action.
void clearEntries()
    Clears out all entries (does not modify the owner name and owning group).
boolean equals(java.lang.Object o)
static AccessControlList fromStringEntries(java.lang.String owner, java.lang.String owningGroup, java.util.List<java.lang.String> stringEntries)
    Converts a list of string entries into an AccessControlList or a DefaultAccessControlList.
java.util.List<AclEntry> getEntries()
    Returns a list of AclEntry which represent this ACL instance.
ExtendedACLEntries getExtendedEntries()
short getMode()
AclActions getOtherActions()
java.lang.String getOwningGroup()
AclActions getOwningGroupActions()
java.lang.String getOwningUser()
AclActions getOwningUserActions()
AclActions getPermission(java.lang.String user, java.util.List<java.lang.String> groups)
    Gets the permitted actions for a user.
boolean hasExtended()
int hashCode()
void removeEntry(AclEntry entry)
    Removes the specified entry.
void removeExtendedEntries()
    Removes all of the extended entries.
void setEntry(AclEntry entry)
    Sets an entry into the access control list.
void setMode(short mode)
    Sets permitted actions for owning user, owning group, and other based on the mode.
void setOwningGroup(java.lang.String group)
    Sets owning group.
void setOwningUser(java.lang.String user)
    Sets owning user.
java.lang.String toString()
java.util.List<java.lang.String> toStringEntries()
void updateMask()
    Update the mask to be the union of owning group entry, named user entry and named group entry.
-
-
-
Field Detail
-
EMPTY_ACL
public static final AccessControlList EMPTY_ACL
-
OWNER_FIELD
public static final java.lang.String OWNER_FIELD
Keys representing owning user and group for proto ser/de.
- See Also:
- Constant Field Values
-
OWNING_GROUP_FIELD
public static final java.lang.String OWNING_GROUP_FIELD
- See Also:
- Constant Field Values
-
STRING_ENTRY_FIELD
public static final java.lang.String STRING_ENTRY_FIELD
- See Also:
- Constant Field Values
-
OWNING_USER_KEY
public static final java.lang.String OWNING_USER_KEY
- See Also:
- Constant Field Values
-
OWNING_GROUP_KEY
public static final java.lang.String OWNING_GROUP_KEY
- See Also:
- Constant Field Values
-
mOwningUser
protected java.lang.String mOwningUser
-
mOwningGroup
protected java.lang.String mOwningGroup
-
mMode
protected short mMode
-
mExtendedEntries
protected ExtendedACLEntries mExtendedEntries
-
-
Method Detail
-
clearEntries
public void clearEntries()
Clears out all entries (does not modify the owner name and owning group).
-
getExtendedEntries
public ExtendedACLEntries getExtendedEntries()
- Returns:
- the extended entries
-
getOwningUser
public java.lang.String getOwningUser()
- Returns:
- the owning user
-
getOwningGroup
public java.lang.String getOwningGroup()
- Returns:
- the owning group
-
getOwningUserActions
public AclActions getOwningUserActions()
- Returns:
- the owning user actions
-
getOwningGroupActions
public AclActions getOwningGroupActions()
- Returns:
- the owning group actions
-
getOtherActions
public AclActions getOtherActions()
- Returns:
- other actions
-
getMode
public short getMode()
- Returns:
- the permission mode defined in Mode for owning user, owning group, and other
-
getEntries
public java.util.List<AclEntry> getEntries()
Returns a list of AclEntry which represent this ACL instance. The mask will only be included if extended ACL entries exist.
- Returns:
- an immutable list of ACL entries
-
hasExtended
public boolean hasExtended()
- Returns:
- true if has extended ACL (named users, named groups)
-
removeEntry
public void removeEntry(AclEntry entry)
Removes the specified entry. A base entry is not allowed to be removed.
- Parameters:
entry
- the entry to be removed
-
removeExtendedEntries
public void removeExtendedEntries()
Removes all of the extended entries. The base entries are retained.
-
setOwningUser
public void setOwningUser(java.lang.String user)
Sets owning user.
- Parameters:
user
- the owning user
-
setOwningGroup
public void setOwningGroup(java.lang.String group)
Sets owning group.
- Parameters:
group
- the owning group
-
setMode
public void setMode(short mode)
Sets permitted actions for owning user, owning group, and other based on the mode. The format of mode is defined in Mode. The update logic is defined in AclActions.updateByModeBits(Mode.Bits).
- Parameters:
mode
- the mode
-
updateMask
public void updateMask()
Update the mask to be the union of owning group entry, named user entry and named group entry. This method must be called when the aforementioned entries are modified.
-
setEntry
public void setEntry(AclEntry entry)
Sets an entry into the access control list. If an entry with the same type and subject already exists, overwrites the existing entry; otherwise, adds this new entry. After we modify entries for NAMED_GROUP, OWNING_GROUP, NAMED_USER, we need to update the mask.
- Parameters:
entry
- the entry to be added or updated
-
checkPermission
public boolean checkPermission(java.lang.String user, java.util.List<java.lang.String> groups, AclAction action)
Checks whether the user has the permission to perform the action.
1. If the user is the owner, then the owner entry determines the permission;
2. Else if the user matches the name of one of the named user entries, this entry determines the permission;
3. Else if one of the groups is the owning group and the owning group entry contains the requested permission, the permission is granted;
4. Else if one of the groups matches the name of one of the named group entries and this entry contains the requested permission, the permission is granted;
5. Else if one of the groups is the owning group or matches the name of one of the named group entries, but neither the owning group entry nor any of the matching named group entries contains the requested permission, the permission is denied;
6. Otherwise, the other entry determines the permission.
- Parameters:
user
- the user
groups
- the groups the user belongs to
action
- the action
- Returns:
- whether user has the permission to perform the action
-
getPermission
public AclActions getPermission(java.lang.String user, java.util.List<java.lang.String> groups)
Gets the permitted actions for a user. When AccessControlList is not modified after calling getPermission, for each action returned by this method, checkPermission(user, groups, action) is true, for other actions, checkPermission(user, groups, action) is false.
1. If the user is the owner, then return the permission in the owner entry;
2. Else if the user matches the name of one of the named user entries, then return the AND result of the permission in this entry and the mask;
3. Else if at least one of the groups is the owning group or matches the name of one of the named group entries, then for the named group entries that match a member of groups, merge the permissions in these entries and return the merged permission ANDed with the mask;
4. Otherwise, return the permission in the other entry.
- Parameters:
user
- the user
groups
- the groups the user belongs to
- Returns:
- the permitted actions
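
The evaluation order described for checkPermission and getPermission, as an added stand-alone Java model (not Alluxio's implementation; the class AclEvalModel, its fields and the sample ACL are assumptions made for illustration). It applies the mask as getPermission describes, derives checkPermission from that result, and exercises the case where a matching group entry lacks the action so the other entry is never consulted.

```java
import java.util.*;

/** Stand-alone model of the documented evaluation order; added example, not Alluxio code. */
public class AclEvalModel {
  enum Action { READ, WRITE, EXECUTE }
  // Hypothetical fields standing in for the six entry types in the class description.
  String owner, owningGroup;
  EnumSet<Action> ownerActs = none(), groupActs = none(), otherActs = none(), mask = none();
  Map<String, EnumSet<Action>> namedUsers = new HashMap<>(), namedGroups = new HashMap<>();

  static EnumSet<Action> none() { return EnumSet.noneOf(Action.class); }
  static EnumSet<Action> and(EnumSet<Action> a, EnumSet<Action> b) {
    EnumSet<Action> r = EnumSet.copyOf(a);
    r.retainAll(b);
    return r;
  }

  EnumSet<Action> getPermission(String user, List<String> groups) {
    if (user.equals(owner)) return EnumSet.copyOf(ownerActs);                 // rule 1: not masked
    if (namedUsers.containsKey(user)) return and(namedUsers.get(user), mask); // rule 2
    EnumSet<Action> merged = none();
    boolean matched = false;
    for (String g : groups) {
      // Assumption: the owning group entry is merged like a matching named group entry.
      if (g.equals(owningGroup)) { matched = true; merged.addAll(groupActs); }
      if (namedGroups.containsKey(g)) { matched = true; merged.addAll(namedGroups.get(g)); }
    }
    if (matched) return and(merged, mask);   // rule 3: a group match never falls through
    return EnumSet.copyOf(otherActs);        // rule 4
  }

  boolean checkPermission(String user, List<String> groups, Action action) {
    return getPermission(user, groups).contains(action);
  }

  public static void main(String[] args) {
    AclEvalModel acl = new AclEvalModel();   // constructed sample ACL
    acl.owner = "alice"; acl.owningGroup = "staff";
    acl.ownerActs = EnumSet.allOf(Action.class);
    acl.groupActs = EnumSet.of(Action.READ);
    acl.otherActs = EnumSet.of(Action.READ, Action.WRITE);
    acl.namedUsers.put("bob", EnumSet.of(Action.READ, Action.WRITE));
    acl.mask = EnumSet.of(Action.READ);      // set by hand; updateMask() is not modelled
    System.out.println("owner:        " + acl.getPermission("alice", Arrays.asList("staff")));
    System.out.println("named user:   " + acl.getPermission("bob", Arrays.asList("dev")));
    System.out.println("group member: " + acl.checkPermission("carol", Arrays.asList("staff"), Action.WRITE));
    System.out.println("unmatched:    " + acl.checkPermission("dave", Arrays.asList("dev"), Action.WRITE));
  }
}
```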
-
equals
public boolean equals(java.lang.Object o)
- Overrides:
equals in class java.lang.Object
-
hashCode
public int hashCode()
- Overrides:
hashCode in class java.lang.Object
-
fromStringEntries
public static AccessControlList fromStringEntries(java.lang.String owner, java.lang.String owningGroup, java.util.List<java.lang.String> stringEntries)
Converts a list of string entries into an AccessControlList or a DefaultAccessControlList. It assumes the stringEntries contain all default entries or normal entries.
- Parameters:
owner
- the owner
owningGroup
- the owning group
stringEntries
- the list of string representations of the entries
- Returns:
- the AccessControlList instance
-
toStringEntries
public java.util.List<java.lang.String> toStringEntries()
- Returns:
- the list of string entries
-
toString
public java.lang.String toString()
- Overrides:
toString in class java.lang.Object
-
-