HDFS-14112. Avoid recursive call to external authorizer for getContentSummary.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/0081b02e Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/0081b02e Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/0081b02e Branch: refs/heads/HDFS-12943 Commit: 0081b02e35306cb757c63d0f11a536941d73a139 Parents: ae5fbdd Author: Tsz Wo Nicholas Sze <szets...@apache.org> Authored: Thu Nov 29 13:55:21 2018 -0800 Committer: Tsz Wo Nicholas Sze <szets...@apache.org> Committed: Thu Nov 29 13:55:21 2018 -0800 ---------------------------------------------------------------------- .../main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java | 4 ++++ .../hdfs/server/namenode/FSDirStatAndListingOp.java | 5 +++++ .../apache/hadoop/hdfs/server/namenode/FSDirectory.java | 7 +++++++ .../hadoop-hdfs/src/main/resources/hdfs-default.xml | 10 ++++++++++ 4 files changed, 26 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/0081b02e/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java index 3628b2b..5899c92 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java 
@@ -284,6 +284,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys { HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT; public static final String DFS_PERMISSIONS_ENABLED_KEY = HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY; + public static final String DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY + = "dfs.permissions.ContentSummary.subAccess"; + public static final boolean DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT + = false; public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true; public static final String DFS_PERMISSIONS_SUPERUSERGROUP_KEY = HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY; http://git-wip-us.apache.org/repos/asf/hadoop/blob/0081b02e/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java index 01de236..052e522 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java 
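Review bot: The key string `dfs.permissions.ContentSummary.subAccess` is mixed-case, while the neighbouring key visible in this commit's hdfs-default.xml hunk, `dfs.permissions.superusergroup`, is all lower-case. Configuration keys are case-sensitive, so a site file that spells it `contentsummary.subaccess` would be ignored without any message and the default `false` would stay in force. Consider a lower-case spelling such as `dfs.permissions.content-summary.subaccess`, changed in hdfs-default.xml as well. The two constants would also benefit from a one-line comment, for example `// If true, getContentSummary authorizes the subtree with one subAccess check up front.`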
@@ -128,6 +128,11 @@ class FSDirStatAndListingOp { static ContentSummary getContentSummary( FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException { final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK); + if (fsd.isPermissionEnabled() && fsd.isPermissionContentSummarySubAccess()) { + fsd.checkPermission(pc, iip, false, null, null, null, + FsAction.READ_EXECUTE); + pc = null; + } // getContentSummaryInt() call will check access (if enabled) when // traversing all sub directories. return getContentSummaryInt(fsd, pc, iip); http://git-wip-us.apache.org/repos/asf/hadoop/blob/0081b02e/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java index 712a327..45f859c 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java @@ -175,6 +175,7 @@ public class FSDirectory implements Closeable { private final ReentrantReadWriteLock dirLock; private final boolean isPermissionEnabled; + private final boolean isPermissionContentSummarySubAccess; /** * Support for ACLs is controlled by a configuration flag. If the * configuration flag is false, then the NameNode will reject all 
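Review bot: After `pc = null;` the unchanged comment `getContentSummaryInt() call will check access (if enabled) when traversing all sub directories` no longer holds for the new branch, because the only authorization for the whole subtree is then the single `checkPermission` call that passes `FsAction.READ_EXECUTE` as the subAccess argument. The result therefore depends on the permission checker or external authorizer really evaluating subAccess over every descendant; if it does not, sizes and counts from directories the caller cannot read would end up in the summary. I would avoid overwriting the parameter and reword the comment to `// With subAccess enabled the subtree was authorized above; otherwise getContentSummaryInt() checks access while traversing.` A short comment naming the positional arguments of the `checkPermission` call (the three `null`s) would also help. That getContentSummaryInt treats a null checker as "skip the per-directory checks" is presumably the intent, but it lies outside this hunk, as does the end of getContentSummary.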
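Review bot: The new field `isPermissionContentSummarySubAccess` in the hunk at -175 has no comment, although the ACL flag right below it carries a Javadoc block and this flag changes how getContentSummary is authorized. A short Javadoc would do, for example `/** If true, getContentSummary authorizes the subtree with one subAccess check instead of checking each directory during traversal. */`. The same applies to the accessor `isPermissionContentSummarySubAccess()` added in the hunk at -538. The constructor hunk at -274 reads the flag even when permissions are disabled; that is harmless given the `isPermissionEnabled()` guard in FSDirStatAndListingOp, but the comment could say that the flag has no effect in that case.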
@@ -274,6 +275,9 @@ public class FSDirectory implements Closeable { this.isPermissionEnabled = conf.getBoolean( DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY, DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT); + this.isPermissionContentSummarySubAccess = conf.getBoolean( + DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY, + DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT); this.fsOwnerShortUserName = UserGroupInformation.getCurrentUser().getShortUserName(); this.supergroup = conf.get( @@ -538,6 +542,9 @@ public class FSDirectory implements Closeable { boolean isAclsEnabled() { return aclsEnabled; } + boolean isPermissionContentSummarySubAccess() { + return isPermissionContentSummarySubAccess; + } @VisibleForTesting public boolean isPosixAclInheritanceEnabled() { http://git-wip-us.apache.org/repos/asf/hadoop/blob/0081b02e/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml index c187a7d..4e6c4db 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml 
@@ -470,6 +470,16 @@ </property> <property> + <name>dfs.permissions.ContentSummary.subAccess</name> + <value>false</value> + <description> + If "true", the ContentSummary permission checking will use subAccess. + If "false", the ContentSummary permission checking will NOT use subAccess. + subAccess means using recursion to check the access of all descendants. + </description> +</property> + +<property> <name>dfs.permissions.superusergroup</name> <value>supergroup</value> <description>The name of the group of super-users. --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
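Review bot: The description explains what subAccess means but not what an operator changes by setting it to true. Judging from the FSDirStatAndListingOp hunk of this commit, the setting takes effect only when permission checking is enabled, and with `true` the per-directory checks during traversal are replaced by one up-front check. I would add a sentence such as `Only effective when dfs.permissions.enabled is true; when "true", an external authorizer must itself enforce subAccess on all descendants, because no per-directory check is done during traversal.` It is also worth stating that `false` keeps the existing per-directory behaviour.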