diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/Warehouse.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/Warehouse.java index 5a6a5fab..afa66074 100755 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/Warehouse.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/Warehouse.java @@ -31,6 +31,7 @@ import java.util.regex.Pattern; import org.apache.commons.lang.StringUtils; +import org.apache.hadoop.fs.permission.AclStatus; import org.apache.hadoop.hive.metastore.api.Catalog; import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.metastore.conf.MetastoreConf.ConfVars; @@ -399,11 +400,13 @@ public boolean isWritable(Path path) throws IOException { return false; } final FileStatus stat; + final AclStatus aclStat; final FileSystem fs; try { fs = getFs(path); stat = fs.getFileStatus(path); - HdfsUtils.checkFileAccess(fs, stat, FsAction.WRITE); + aclStat = fs.getAclStatus(path); + HdfsUtils.checkFileAccess(fs, stat, aclStat, FsAction.WRITE); return true; } catch (FileNotFoundException fnfe){ // File named by path doesn't exist; nothing to validate. diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java index 21227885..209bd917 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java 
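Review bot: In Warehouse.isWritable the new `fs.getAclStatus(path)` call runs for every path, but the base `FileSystem` implementation throws `UnsupportedOperationException` on filesystems without ACL support, and the only catch visible in this hunk is for `FileNotFoundException`. On such a warehouse filesystem the write check would fail with a runtime exception instead of answering from the permission bits as it did before; an HDFS cluster with ACLs switched off may likewise reject the call, which is worth confirming. Since the `checkFileAccess` overload added in this commit skips its ACL loop when `aclStatus` is null, I would make the lookup best-effort and pass null when it is unavailable, dropping the separate `final AclStatus aclStat;` declaration. The rest of the try/catch lies outside the hunk.

```java
      stat = fs.getFileStatus(path);
      AclStatus aclStat = null;
      try {
        aclStat = fs.getAclStatus(path);
      } catch (UnsupportedOperationException ignored) {
        // No ACL support on this filesystem: decide from the permission bits alone.
      }
      HdfsUtils.checkFileAccess(fs, stat, aclStat, FsAction.WRITE);
      // … unchanged: return true and the catch clauses …
```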
@@ -72,9 +72,19 @@ public class HdfsUtils { */ public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action) throws IOException, LoginException { - checkFileAccess(fs, stat, action, SecurityUtils.getUGI()); + checkFileAccess(fs, stat, null, action, SecurityUtils.getUGI()); } + public static void checkFileAccess(FileSystem fs, FileStatus stat, AclStatus aclStatus, FsAction action) + throws IOException, LoginException { + checkFileAccess(fs, stat, aclStatus, action, SecurityUtils.getUGI()); + } + + @VisibleForTesting + static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action, + UserGroupInformation ugi) throws IOException { + checkFileAccess(fs, stat, null, action ,ugi); + } /** * Check the permissions on a file * @param fs Filesystem the file is contained in @@ -86,7 +96,7 @@ public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction acti * @throws AccessControlException if the file cannot be accessed */ @VisibleForTesting - static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action, + static void checkFileAccess(FileSystem fs, FileStatus stat, AclStatus aclStatus, FsAction action, UserGroupInformation ugi) throws IOException { String user = ugi.getShortUserName(); @@ -114,6 +124,14 @@ static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action, } else if (dirPerms.getOtherAction().implies(action)) { return; } + + if(aclStatus!=null) + for(AclEntry entry: aclStatus.getEntries()){ + String name = entry.getName(); + if(name!=null && user.equals(name) && entry.getPermission().implies(action)) + return; + } + throw new AccessControlException("action " + action + " not permitted on path " + stat.getPath() + " for user " + user); }
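Review bot: The new public four-argument overload taking `AclStatus` has no Javadoc, and nothing states that a null `aclStatus` means the check uses the permission bits only. I would give it a short Javadoc containing `@param aclStatus ACL of the file, or null to check the permission bits only`, and add the same `@param` line to the existing Javadoc block that now sits above the five-argument method in the next hunk (that block is only partly visible here). The test-only overload is also inserted directly before that `/**` without a blank line and has a stray space in `action ,ugi`; `checkFileAccess(fs, stat, null, action, ugi);` matches the surrounding style.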
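Review bot: The ACL loop added at the end of checkFileAccess accepts any entry whose name equals the user, without looking at the entry's type or scope and without applying the ACL mask. As written, a named group entry or a default-scope entry that happens to carry the user's short name counts as a grant, and a named-user `rwx` entry passes even when the mask reduces it, so this check can answer "permitted" where the NameNode would deny. Restricting the match to ACCESS-scope USER entries and testing the effective permission closes that gap, and braces on the `if`/`for` would match the rest of the method. The method starts outside this hunk, so `dirPerms` is assumed here to be the `FsPermission` taken from `stat`.

```java
    // … unchanged: owner, group and other permission-bit checks …

    if (aclStatus != null) {
      for (AclEntry entry : aclStatus.getEntries()) {
        // Only named-user ACCESS entries apply here; group and default entries must not match.
        if (entry.getScope() != AclEntryScope.ACCESS || entry.getType() != AclEntryType.USER) {
          continue;
        }
        // Effective permission = entry permission filtered by the mask.
        if (user.equals(entry.getName())
            && aclStatus.getEffectivePermission(entry, dirPerms).implies(action)) {
          return;
        }
      }
    }

    // … unchanged: throw new AccessControlException(...) …
```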