/**
 * Returns a new permission equal to this one with every bit that is set in
 * {@code umask} cleared.
 *
 * <p>create, mkdir and other Hadoop filesystem operations pass their mode
 * argument through the umask, so the umask is an upper bound on what a newly
 * created file or directory is granted. Masking only removes bits; it never
 * adds any.
 *
 * @param umask the umask whose set bits are removed from this permission
 * @return the effective permission after masking
 */
public FsPermission applyUMask(FsPermission umask) {
  // NOTE(review): only the user, group and other actions reach the
  // constructor; whether any other state of this permission carries over to
  // the result is not visible here.
  return new FsPermission(
      this.useraction.and(umask.useraction.not()),    // owner class
      this.groupaction.and(umask.groupaction.not()),  // group class
      this.otheraction.and(umask.otheraction.not())); // everyone else
}
if (isDir) { dirActionNeeded.and(FsAction.EXECUTE);
if (entry.getScope() == AclEntryScope.ACCESS) { FsAction entryPerm = entry.getPermission(); return entryPerm.and(permArg.getGroupAction()); } else { Preconditions.checkArgument(this.entries.contains(entry) .getPermission(); FsAction entryPerm = entry.getPermission(); return entryPerm.and(defaultMask);
permission = entry.getPermission().and(childPerm.getUserAction()); } else if (type == AclEntryType.GROUP && parentDefaultIsMinimal) { permission = entry.getPermission().and(childPerm.getGroupAction()); } else if (type == AclEntryType.MASK) { permission = entry.getPermission().and(childPerm.getGroupAction()); } else if (type == AclEntryType.OTHER) { permission = entry.getPermission().and(childPerm.getOtherAction()); } else { permission = entry.getPermission();
/**
 * Returns a new permission equal to this one with every bit that is set in
 * {@code umask} cleared.
 *
 * <p>create, mkdir and other Hadoop filesystem operations pass their mode
 * argument through the umask, so the umask is an upper bound on what a newly
 * created file or directory is granted. Masking only removes bits; it never
 * adds any.
 *
 * @param umask the umask whose set bits are removed from this permission
 * @return the effective permission after masking
 */
public FsPermission applyUMask(FsPermission umask) {
  // NOTE(review): only the user, group and other actions reach the
  // constructor; whether any other state of this permission carries over to
  // the result is not visible here.
  return new FsPermission(
      this.useraction.and(umask.useraction.not()),    // owner class
      this.groupaction.and(umask.groupaction.not()),  // group class
      this.otheraction.and(umask.otheraction.not())); // everyone else
}
/**
 * Returns a new permission equal to this one with every bit that is set in
 * {@code umask} cleared.
 *
 * <p>create, mkdir and other Hadoop filesystem operations pass their mode
 * argument through the umask, so the umask is an upper bound on what a newly
 * created file or directory is granted. Masking only removes bits; it never
 * adds any.
 *
 * @param umask the umask whose set bits are removed from this permission
 * @return the effective permission after masking
 */
public FsPermission applyUMask(FsPermission umask) {
  // NOTE(review): only the user, group and other actions reach the
  // constructor; whether any other state of this permission carries over to
  // the result is not visible here.
  return new FsPermission(
      this.useraction.and(umask.useraction.not()),    // owner class
      this.groupaction.and(umask.groupaction.not()),  // group class
      this.otheraction.and(umask.otheraction.not())); // everyone else
}
/**
 * Returns a new permission equal to this one with every bit that is set in
 * {@code umask} cleared.
 *
 * <p>create, mkdir and other Hadoop filesystem operations pass their mode
 * argument through the umask, so the umask is an upper bound on what a newly
 * created file or directory is granted. Masking only removes bits; it never
 * adds any.
 *
 * @param umask the umask whose set bits are removed from this permission
 * @return the effective permission after masking
 */
public FsPermission applyUMask(FsPermission umask) {
  // NOTE(review): only the user, group and other actions reach the
  // constructor; whether any other state of this permission carries over to
  // the result is not visible here.
  return new FsPermission(
      this.useraction.and(umask.useraction.not()),    // owner class
      this.groupaction.and(umask.groupaction.not()),  // group class
      this.otheraction.and(umask.otheraction.not())); // everyone else
}
/**
 * Returns a new permission equal to this one with every bit that is set in
 * {@code umask} cleared.
 *
 * <p>create, mkdir and other Hadoop filesystem operations pass their mode
 * argument through the umask, so the umask is an upper bound on what a newly
 * created file or directory is granted. Masking only removes bits; it never
 * adds any.
 *
 * @param umask the umask whose set bits are removed from this permission
 * @return the effective permission after masking
 */
public FsPermission applyUMask(FsPermission umask) {
  // NOTE(review): only the user, group and other actions reach the
  // constructor; whether any other state of this permission carries over to
  // the result is not visible here.
  return new FsPermission(
      this.useraction.and(umask.useraction.not()),    // owner class
      this.groupaction.and(umask.groupaction.not()),  // group class
      this.otheraction.and(umask.otheraction.not())); // everyone else
}
if (isDir) { dirActionNeeded.and(FsAction.EXECUTE);
if (isDir) { dirActionNeeded.and(FsAction.EXECUTE);
/**
 * Checks {@code FsAction.implies} against ALL, NONE and READ_EXECUTE for every
 * enum value, then pins the result of {@code FsAction.and} for a handful of
 * mask combinations.
 */
public void testFsAction() {
  // implies: ALL covers every action.
  for (FsAction action : FsAction.values()) {
    assertTrue(ALL.implies(action));
  }

  // implies: NONE covers NONE and nothing else.
  for (FsAction action : FsAction.values()) {
    assertTrue(NONE.implies(action) == (action == NONE));
  }

  // implies: READ_EXECUTE covers exactly its own subsets.
  for (FsAction action : FsAction.values()) {
    boolean subsetOfReadExecute = action == READ_EXECUTE
        || action == READ
        || action == EXECUTE
        || action == NONE;
    assertTrue(READ_EXECUTE.implies(action) == subsetOfReadExecute);
  }

  // masks: and() keeps only the bits present on both sides.
  assertEquals(EXECUTE, EXECUTE.and(READ_EXECUTE));
  assertEquals(READ, READ.and(READ_EXECUTE));
  assertEquals(NONE, WRITE.and(READ_EXECUTE));
  assertEquals(READ, READ_EXECUTE.and(READ_WRITE));
  assertEquals(NONE, READ_EXECUTE.and(WRITE));
  assertEquals(WRITE_EXECUTE, ALL.and(WRITE_EXECUTE));
}
if (entry.getScope() == AclEntryScope.ACCESS) { FsAction entryPerm = entry.getPermission(); return entryPerm.and(permArg.getGroupAction()); } else { Preconditions.checkArgument(this.entries.contains(entry) .getPermission(); FsAction entryPerm = entry.getPermission(); return entryPerm.and(defaultMask);
/**
 * Rejects a Git access key whose on-disk permissions let "other" read it;
 * returns normally otherwise.
 *
 * <p>Two checks run in order: the "other" class of the file's permission
 * bits, then, only when the ACL bit is set, every ACL entry of type OTHER.
 *
 * @param fs filesystem that holds the key
 * @param keyPath location of the key file
 * @throws IOException propagated from the file-status or ACL lookup
 * @throws ActionExecutorException with code GIT012 when the permission bits
 *     grant READ to "other", or GIT013 when an ACL entry of type OTHER does
 */
void verifyKeyPermissions(FileSystem fs, Path keyPath) throws IOException, ActionExecutorException {
  final String insecureKeyTemplate = "The permissions on the access key {0} are considered insecure: {1}";
  final FsPermission keyPerms = fs.getFileStatus(keyPath).getPermission();

  // NOTE(review): only the "other" class is examined. A key readable through
  // the group class, or through a named USER/GROUP ACL entry, passes this
  // method - confirm that is the intended policy for a private key.
  if (keyPerms.getOtherAction().implies(FsAction.READ)) {
    throw new ActionExecutorException(
        ActionExecutorException.ErrorType.ERROR,
        "GIT012",
        XLog.format(insecureKeyTemplate, keyPath, keyPerms.toString()));
  }

  // Without the ACL bit there are no ACL entries to inspect.
  if (!keyPerms.getAclBit()) {
    return;
  }

  for (AclEntry entry : fs.getAclStatus(keyPath).getEntries()) {
    // The entry's scope is not consulted, so an OTHER entry of any scope
    // that grants READ is treated as a failure.
    boolean otherMayRead = entry.getType() == AclEntryType.OTHER
        && entry.getPermission().implies(FsAction.READ);
    if (otherMayRead) {
      // NOTE(review): the message reports the permission bits, not the ACL
      // entry that matched, so the operator has to look the entry up.
      throw new ActionExecutorException(
          ActionExecutorException.ErrorType.ERROR,
          "GIT013",
          XLog.format(insecureKeyTemplate, keyPath, keyPerms.toString()));
    }
  }
}
/**
 * Rejects a Git access key whose on-disk permissions let "other" read it;
 * returns normally otherwise.
 *
 * <p>Two checks run in order: the "other" class of the file's permission
 * bits, then, only when the ACL bit is set, every ACL entry of type OTHER.
 *
 * @param fs filesystem that holds the key
 * @param keyPath location of the key file
 * @throws IOException propagated from the file-status or ACL lookup
 * @throws ActionExecutorException with code GIT012 when the permission bits
 *     grant READ to "other", or GIT013 when an ACL entry of type OTHER does
 */
void verifyKeyPermissions(FileSystem fs, Path keyPath) throws IOException, ActionExecutorException {
  final String insecureKeyTemplate = "The permissions on the access key {0} are considered insecure: {1}";
  final FsPermission keyPerms = fs.getFileStatus(keyPath).getPermission();

  // NOTE(review): only the "other" class is examined. A key readable through
  // the group class, or through a named USER/GROUP ACL entry, passes this
  // method - confirm that is the intended policy for a private key.
  if (keyPerms.getOtherAction().implies(FsAction.READ)) {
    throw new ActionExecutorException(
        ActionExecutorException.ErrorType.ERROR,
        "GIT012",
        XLog.format(insecureKeyTemplate, keyPath, keyPerms.toString()));
  }

  // Without the ACL bit there are no ACL entries to inspect.
  if (!keyPerms.getAclBit()) {
    return;
  }

  for (AclEntry entry : fs.getAclStatus(keyPath).getEntries()) {
    // The entry's scope is not consulted, so an OTHER entry of any scope
    // that grants READ is treated as a failure.
    boolean otherMayRead = entry.getType() == AclEntryType.OTHER
        && entry.getPermission().implies(FsAction.READ);
    if (otherMayRead) {
      // NOTE(review): the message reports the permission bits, not the ACL
      // entry that matched, so the operator has to look the entry up.
      throw new ActionExecutorException(
          ActionExecutorException.ErrorType.ERROR,
          "GIT013",
          XLog.format(insecureKeyTemplate, keyPath, keyPerms.toString()));
    }
  }
}
/**
 * Checks {@code FsAction.implies} against ALL, NONE and READ_EXECUTE for every
 * enum value, then pins the result of {@code FsAction.and} for a handful of
 * mask combinations.
 */
public void testFsAction() {
  // implies: ALL covers every action.
  for (FsAction action : FsAction.values()) {
    assertTrue(ALL.implies(action));
  }

  // implies: NONE covers NONE and nothing else.
  for (FsAction action : FsAction.values()) {
    assertTrue(NONE.implies(action) == (action == NONE));
  }

  // implies: READ_EXECUTE covers exactly its own subsets.
  for (FsAction action : FsAction.values()) {
    boolean subsetOfReadExecute = action == READ_EXECUTE
        || action == READ
        || action == EXECUTE
        || action == NONE;
    assertTrue(READ_EXECUTE.implies(action) == subsetOfReadExecute);
  }

  // masks: and() keeps only the bits present on both sides.
  assertEquals(EXECUTE, EXECUTE.and(READ_EXECUTE));
  assertEquals(READ, READ.and(READ_EXECUTE));
  assertEquals(NONE, WRITE.and(READ_EXECUTE));
  assertEquals(READ, READ_EXECUTE.and(READ_WRITE));
  assertEquals(NONE, READ_EXECUTE.and(WRITE));
  assertEquals(WRITE_EXECUTE, ALL.and(WRITE_EXECUTE));
}
/**
 * Checks {@code FsAction.implies} against ALL, NONE and READ_EXECUTE for every
 * enum value, then pins the result of {@code FsAction.and} for a handful of
 * mask combinations.
 */
public void testFsAction() {
  // implies: ALL covers every action.
  for (FsAction action : FsAction.values()) {
    assertTrue(ALL.implies(action));
  }

  // implies: NONE covers NONE and nothing else.
  for (FsAction action : FsAction.values()) {
    assertTrue(NONE.implies(action) == (action == NONE));
  }

  // implies: READ_EXECUTE covers exactly its own subsets.
  for (FsAction action : FsAction.values()) {
    boolean subsetOfReadExecute = action == READ_EXECUTE
        || action == READ
        || action == EXECUTE
        || action == NONE;
    assertTrue(READ_EXECUTE.implies(action) == subsetOfReadExecute);
  }

  // masks: and() keeps only the bits present on both sides.
  assertEquals(EXECUTE, EXECUTE.and(READ_EXECUTE));
  assertEquals(READ, READ.and(READ_EXECUTE));
  assertEquals(NONE, WRITE.and(READ_EXECUTE));
  assertEquals(READ, READ_EXECUTE.and(READ_WRITE));
  assertEquals(NONE, READ_EXECUTE.and(WRITE));
  assertEquals(WRITE_EXECUTE, ALL.and(WRITE_EXECUTE));
}