
HDFS-14112. Avoid recursive call to external authorizer for getContentSummary.

Tsz Wo Nicholas Sze 6 年之前
当前提交
9d508f719b

+ 4 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java

@@ -280,6 +280,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
       HdfsClientConfigKeys.DFS_WEBHDFS_USER_PATTERN_DEFAULT;
   public static final String  DFS_PERMISSIONS_ENABLED_KEY =
       HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_ENABLED_KEY;
+  public static final String  DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY
+      = "dfs.permissions.ContentSummary.subAccess";
+  public static final boolean DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT
+      = false;
   public static final boolean DFS_PERMISSIONS_ENABLED_DEFAULT = true;
   public static final String  DFS_PERMISSIONS_SUPERUSERGROUP_KEY =
       HdfsClientConfigKeys.DeprecatedKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY;
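Review bot: The two new constants are inserted between `DFS_PERMISSIONS_ENABLED_KEY` and `DFS_PERMISSIONS_ENABLED_DEFAULT`, splitting an existing KEY/DEFAULT pair; they would read better placed after `DFS_PERMISSIONS_ENABLED_DEFAULT`. The key string `dfs.permissions.ContentSummary.subAccess` also mixes case, and configuration keys are matched case-sensitively, so an operator who writes it in the all-lowercase style of `dfs.permissions.superusergroup` silently gets the default. Because this flag changes where permission checks are enforced, a short comment on the constant would help, e.g. `// If true, getContentSummary does a single up-front subAccess check instead of per-directory checks.`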

+ 5 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirStatAndListingOp.java

@@ -128,6 +128,11 @@ class FSDirStatAndListingOp {
   static ContentSummary getContentSummary(
       FSDirectory fsd, FSPermissionChecker pc, String src) throws IOException {
     final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.READ_LINK);
+    if (fsd.isPermissionEnabled() && fsd.isPermissionContentSummarySubAccess()) {
+      fsd.checkPermission(pc, iip, false, null, null, null,
+          FsAction.READ_EXECUTE);
+      pc = null;
+    }
     // getContentSummaryInt() call will check access (if enabled) when
     // traversing all sub directories.
     return getContentSummaryInt(fsd, pc, iip);
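Review bot: The comment kept directly under the new block ("getContentSummaryInt() call will check access (if enabled) when traversing all sub directories") is no longer accurate on the subAccess path, where `pc = null` appears to be what turns that per-directory check off. Null is acting as an undocumented "already authorized" sentinel, so the whole decision for the subtree rests on the one `fsd.checkPermission(...)` call that passes `FsAction.READ_EXECUTE`. I would reword the comment, e.g. `// With subAccess enabled the descendants were checked above and pc is null, so getContentSummaryInt() skips per-directory checks; otherwise it checks access while traversing.` If the traversal can release the namesystem lock part-way (not visible in this hunk), please also state whether directories changed after the up-front check are meant to be counted without a re-check. The body of getContentSummary continues outside the hunk.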

+ 7 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirectory.java

@@ -175,6 +175,7 @@ public class FSDirectory implements Closeable {
   private final ReentrantReadWriteLock dirLock;
 
   private final boolean isPermissionEnabled;
+  private final boolean isPermissionContentSummarySubAccess;
   /**
    * Support for ACLs is controlled by a configuration flag. If the
    * configuration flag is false, then the NameNode will reject all
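Review bot: The new field `isPermissionContentSummarySubAccess` has no comment, while the field declared right after it gets a Javadoc block explaining its configuration flag. Since this flag decides where getContentSummary enforces permissions, a one-line comment would help, such as `/** If true, getContentSummary checks descendants once up front (subAccess) instead of per directory during traversal. */`. The accessor added in the last hunk of this file is also placed directly under the closing brace of `isAclsEnabled()` with no blank line and no Javadoc, unlike the method that follows it.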
@@ -274,6 +275,9 @@ public class FSDirectory implements Closeable {
     this.isPermissionEnabled = conf.getBoolean(
       DFSConfigKeys.DFS_PERMISSIONS_ENABLED_KEY,
       DFSConfigKeys.DFS_PERMISSIONS_ENABLED_DEFAULT);
+    this.isPermissionContentSummarySubAccess = conf.getBoolean(
+        DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_KEY,
+        DFSConfigKeys.DFS_PERMISSIONS_CONTENT_SUMMARY_SUBACCESS_DEFAULT);
     this.fsOwnerShortUserName =
       UserGroupInformation.getCurrentUser().getShortUserName();
     this.supergroup = conf.get(
@@ -538,6 +542,9 @@ public class FSDirectory implements Closeable {
   boolean isAclsEnabled() {
     return aclsEnabled;
   }
+  boolean isPermissionContentSummarySubAccess() {
+    return isPermissionContentSummarySubAccess;
+  }
 
   @VisibleForTesting
   public boolean isPosixAclInheritanceEnabled() {

+ 10 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml

@@ -465,6 +465,16 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.permissions.ContentSummary.subAccess</name>
+  <value>false</value>
+  <description>
+    If "true", the ContentSummary permission checking will use subAccess.
+    If "false", the ContentSummary permission checking will NOT use subAccess.
+    subAccess means using recursion to check the access of all descendants.
+  </description>
+</property>
+
 <property>
   <name>dfs.permissions.superusergroup</name>
   <value>supergroup</value>
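Review bot: The description does not tell an operator what actually changes in enforcement, and "using recursion" reads oddly next to a commit whose stated purpose is avoiding recursive calls to the external authorizer. Going by the FSDirStatAndListingOp change, I would word it as `If "true", getContentSummary makes one up-front permission check that requests READ_EXECUTE on all descendants (subAccess) and passes no permission checker to the traversal. If "false", access is checked on each sub-directory during the traversal.` It should also say that the setting only takes effect when dfs.permissions.enabled is true, since the new code tests both flags.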