This patch implements the logic for enforcing permissions defined in ACLs. This is a new code path in FSPermissionChecker to check permissions based on either FsPermission bits (existing logic, unchanged) or an AclEntry list, if defined on the inode. While I was in here, I also fixed a very minor bug that I noticed. The permission enforcement can run against permissions defined on a snapshot inode, but the string in the exception created by FSPermissionChecker#toAccessControlString wasn't using the snapshot inode. This wouldn't break any permission enforcement logic, but it could potentially make the exception messages confusing.
I've added new tests in TestFSPermissionChecker. I manually validated the behavior asserted by these tests against Linux setfacl. The tests cover the new code path at nearly 100%. Additionally, I ran a sampling of other HDFS tests related to existing permissions logic, and I didn't see any failures. (We do have a problem with TestOfflineEditsViewer and TestOfflineImageViewer on the HDFS-4685 branch right now, but it's a known problem and it's unrelated.)
The test has some helper methods that are duplicated from my
HDFS-5673 patch. After HDFS-5673 gets +1'd and I commit it, I plan to come back here and refactor those helper methods to a shared AclTestHelpers class.