Class AccessControlList

  • All Implemented Interfaces:
    java.io.Serializable
    Direct Known Subclasses:
    DefaultAccessControlList

    @NotThreadSafe
    public class AccessControlList
    extends java.lang.Object
    implements java.io.Serializable
    Access control list for a file or directory. An access control list is conceptually a list of entries. There are different types of entries:
    1. owning user entry, which specifies permitted actions for the owning user of a file or directory; there is only one owning user entry;
    2. named user entry, which specifies permitted actions for any user; there is only one named user entry for each user;
    3. owning group entry, which specifies permitted actions for the owning group of a file or directory; there is only one owning group entry;
    4. named group entry, which specifies permitted actions for any group; there is only one named group entry for each group;
    5. mask entry, which specifies the maximum set of permitted actions for users and groups in all the above entries;
    6. other entry, which specifies permitted actions for users who are neither the owning user nor have a named user entry, and whose belonging groups are neither the owning group nor have a named group entry.
    The access control list also contains the owning user and owning group of the file or directory.
    See Also:
    Serialized Form
    • Field Detail

      • OWNER_FIELD

        public static final java.lang.String OWNER_FIELD
        Keys representing owning user and group for proto ser/de.
        See Also:
        Constant Field Values
      • OWNING_GROUP_FIELD

        public static final java.lang.String OWNING_GROUP_FIELD
        See Also:
        Constant Field Values
      • STRING_ENTRY_FIELD

        public static final java.lang.String STRING_ENTRY_FIELD
        See Also:
        Constant Field Values
      • OWNING_GROUP_KEY

        public static final java.lang.String OWNING_GROUP_KEY
        See Also:
        Constant Field Values
      • mOwningUser

        protected java.lang.String mOwningUser
      • mOwningGroup

        protected java.lang.String mOwningGroup
      • mMode

        protected short mMode
    • Constructor Detail

      • AccessControlList

        public AccessControlList()
        Creates a new instance where owning user and owning group are initialized to empty strings, and no action is permitted for any user or group.
    • Method Detail

      • clearEntries

        public void clearEntries()
        Clears out all entries (does not modify the owner name and owning group).
      • getExtendedEntries

        public ExtendedACLEntries getExtendedEntries()
        Returns:
        the extended entries
      • getOwningUser

        public java.lang.String getOwningUser()
        Returns:
        the owning user
      • getOwningGroup

        public java.lang.String getOwningGroup()
        Returns:
        the owning group
      • getOwningUserActions

        public AclActions getOwningUserActions()
        Returns:
        the owning user actions
      • getOwningGroupActions

        public AclActions getOwningGroupActions()
        Returns:
        the owning group actions
      • getOtherActions

        public AclActions getOtherActions()
        Returns:
        other actions
      • getMode

        public short getMode()
        Returns:
        the permission mode defined in Mode for owning user, owning group, and other
      • getEntries

        public java.util.List<AclEntry> getEntries()
        Returns a list of AclEntry which represent this ACL instance. The mask will only be included if extended ACL entries exist.
        Returns:
        an immutable list of ACL entries
      • hasExtended

        public boolean hasExtended()
        Returns:
        true if the ACL has extended entries (named users, named groups)
      • removeEntry

        public void removeEntry(AclEntry entry)
        Removes the specified entry. A base entry is not allowed to be removed.
        Parameters:
        entry - the entry to be removed
      • removeExtendedEntries

        public void removeExtendedEntries()
        Removes all of the extended entries. The base entries are retained.
      • setOwningUser

        public void setOwningUser(java.lang.String user)
        Sets owning user.
        Parameters:
        user - the owning user
      • setOwningGroup

        public void setOwningGroup(java.lang.String group)
        Sets owning group.
        Parameters:
        group - the owning group
      • setMode

        public void setMode(short mode)
        Sets permitted actions for owning user, owning group, and other based on the mode. The format of mode is defined in Mode. The update logic is defined in AclActions.updateByModeBits(Mode.Bits).
        Parameters:
        mode - the mode
      • updateMask

        public void updateMask()
        Updates the mask to be the union of owning group entry, named user entry and named group entry. This method must be called when the aforementioned entries are modified.
      • setEntry

        public void setEntry(AclEntry entry)
        Sets an entry into the access control list. If an entry with the same type and subject already exists, overwrites the existing entry; otherwise, adds this new entry. After entries for NAMED_GROUP, OWNING_GROUP or NAMED_USER are modified, the mask needs to be updated.
        Parameters:
        entry - the entry to be added or updated
      • checkPermission

        public boolean checkPermission(java.lang.String user,
                                       java.util.List<java.lang.String> groups,
                                       AclAction action)
        Checks whether the user has the permission to perform the action.
        1. If the user is the owner, then the owner entry determines the permission;
        2. Else if the user matches the name of one of the named user entries, this entry determines the permission;
        3. Else if one of the groups is the owning group and the owning group entry contains the requested permission, the permission is granted;
        4. Else if one of the groups matches the name of one of the named group entries and this entry contains the requested permission, the permission is granted;
        5. Else if one of the groups is the owning group or matches the name of one of the named group entries, but neither the owning group entry nor any of the matching named group entries contains the requested permission, the permission is denied;
        6. Otherwise, the other entry determines the permission.
        Parameters:
        user - the user
        groups - the groups the user belongs to
        action - the action
        Returns:
        whether user has the permission to perform the action
      • getPermission

        public AclActions getPermission(java.lang.String user,
                                        java.util.List<java.lang.String> groups)
        Gets the permitted actions for a user. When AccessControlList is not modified after calling getPermission, for each action returned by this method, checkPermission(user, groups, action) is true; for other actions, checkPermission(user, groups, action) is false.
        1. If the user is the owner, then return the permission in the owner entry;
        2. Else if the user matches the name of one of the named user entries, then return the AND result of the permission in this entry and the mask;
        3. Else if at least one of the groups is the owning group or matches the name of one of the named group entries, then for the named group entries that match a member of groups, merge the permissions in these entries and return the merged permission ANDed with the mask;
        4. Otherwise, return the permission in the other entry.
        Parameters:
        user - the user
        groups - the groups the user belongs to
        Returns:
        the permitted actions
      • equals

        public boolean equals(java.lang.Object o)
        Overrides:
        equals in class java.lang.Object
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class java.lang.Object
      • fromStringEntries

        public static AccessControlList fromStringEntries(java.lang.String owner,
                                                          java.lang.String owningGroup,
                                                          java.util.List<java.lang.String> stringEntries)
        Converts a list of string entries into an AccessControlList or a DefaultAccessControlList. It assumes the stringEntries contain all default entries or normal entries.
        Parameters:
        owner - the owner
        owningGroup - the owning group
        stringEntries - the list of string representations of the entries
        Returns:
        the AccessControlList instance
      • toStringEntries

        public java.util.List<java.lang.String> toStringEntries()
        Returns:
        the list of string entries
      • toString

        public java.lang.String toString()
        Overrides:
        toString in class java.lang.Object
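
The evaluation order documented for checkPermission and getPermission above, as an added self-contained model; it is not the library's own code and does not use its classes. The class name AclModel, the R/W/X bit encoding, the sample users and groups, and the choices to merge the owning group entry with matching named group entries and to always apply the mask are assumptions of this sketch.

```java
import java.util.*;

/** Illustrative model of the documented evaluation order; not the library's AccessControlList. */
public class AclModel {
  static final int R = 4, W = 2, X = 1;             // assumed action-bit encoding
  String owner = "", owningGroup = "";
  int ownerBits, groupBits, otherBits, mask = R | W | X;
  final Map<String, Integer> namedUsers = new HashMap<>();
  final Map<String, Integer> namedGroups = new HashMap<>();

  /** Mirrors the four branches described for getPermission. */
  int getPermission(String user, List<String> groups) {
    if (user.equals(owner)) return ownerBits;        // 1. owner entry, mask not applied
    Integer named = namedUsers.get(user);
    if (named != null) return named & mask;          // 2. named user entry AND mask
    boolean matched = false;
    int merged = 0;
    for (String g : groups) {
      if (g.equals(owningGroup)) {                   // owning group entry (assumed merged here)
        matched = true;
        merged |= groupBits;
      }
      Integer bits = namedGroups.get(g);
      if (bits != null) {                            // matching named group entry
        matched = true;
        merged |= bits;
      }
    }
    if (matched) return merged & mask;               // 3. merged group entries AND mask
    return otherBits;                                // 4. no match at all: other entry
  }

  /** Derived from getPermission, per the documented equivalence of the two methods. */
  boolean checkPermission(String user, List<String> groups, int action) {
    return (getPermission(user, groups) & action) == action;
  }

  public static void main(String[] args) {
    AclModel acl = new AclModel();                   // constructed sample ACL
    acl.owner = "alice"; acl.owningGroup = "eng";
    acl.ownerBits = R | W | X; acl.groupBits = R; acl.otherBits = R | X;
    acl.namedUsers.put("bob", R | W); acl.namedGroups.put("ops", W);
    acl.mask = R;                                    // deliberately narrower than the entries
    System.out.println(acl.checkPermission("alice", List.of(), W));        // owner: mask is not applied
    System.out.println(acl.checkPermission("bob", List.of(), W));          // named user: W lies outside the mask
    System.out.println(acl.checkPermission("carol", List.of("eng"), X));   // group matched: other entry never consulted
    System.out.println(acl.checkPermission("dave", List.of("guest"), X));  // no user or group match: other entry
  }
}
```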