HDFS-17478. FSPermissionChecker optimization by initializing AccessCo…

…ntrolEnforcer in constructor (#6749)
apache · Apr 18, 2024 · e8b2c28 · e8b2c28
1 parent 0c35cf0
commit e8b2c28
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/...hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java b/...hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@@ -89,6 +89,7 @@ private String toAccessControlString(INodeAttributes inodeAttrib,
   private final Collection<String> groups;
   private final boolean isSuper;
   private final INodeAttributeProvider attributeProvider;
+  private final AccessControlEnforcer accessControlEnforcer;
   private final boolean authorizeWithContext;
   private final long accessControlEnforcerReportingThresholdMs;
 
@@ -112,6 +113,7 @@ protected FSPermissionChecker(String fsOwner, String supergroup,
     user = callerUgi.getShortUserName();
     isSuper = user.equals(fsOwner) || groups.contains(supergroup);
     this.attributeProvider = attributeProvider;
+    this.accessControlEnforcer = initAccessControlEnforcer();
 
     if (attributeProvider == null) {
       // If attribute provider is null, use FSPermissionChecker default
@@ -194,7 +196,7 @@ static String runCheckPermission(CheckPermission checker,
     return message;
   }
 
-  private AccessControlEnforcer getAccessControlEnforcer() {
+  private AccessControlEnforcer initAccessControlEnforcer() {
     final AccessControlEnforcer e = Optional.ofNullable(attributeProvider)
         .map(p -> p.getExternalAccessControlEnforcer(this))
         .orElse(this);
@@ -287,7 +289,7 @@ public void checkSuperuserPrivilege(String path)
           + ", operationName=" + FSPermissionChecker.operationType.get()
           + ", path=" + path);
     }
-    getAccessControlEnforcer().checkSuperUserPermissionWithContext(
+    accessControlEnforcer.checkSuperUserPermissionWithContext(
         getAuthorizationContextForSuperUser(path));
   }
 
@@ -306,7 +308,7 @@ public void denyUserAccess(String path, String errorMessage)
           + ", operationName=" + FSPermissionChecker.operationType.get()
           + ", path=" + path);
     }
-    getAccessControlEnforcer().denyUserAccess(
+    accessControlEnforcer.denyUserAccess(
         getAuthorizationContextForSuperUser(path), errorMessage);
   }
 
@@ -368,7 +370,6 @@ void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
     String path = inodesInPath.getPath();
     int ancestorIndex = inodes.length - 2;
 
-    AccessControlEnforcer enforcer = getAccessControlEnforcer();
 
     String opType = operationType.get();
     try {
@@ -392,9 +393,9 @@ void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
             ignoreEmptyDir(ignoreEmptyDir).
             operationName(opType).
             callerContext(CallerContext.getCurrent());
-        enforcer.checkPermissionWithContext(builder.build());
+        accessControlEnforcer.checkPermissionWithContext(builder.build());
       } else {
-        enforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs,
+        accessControlEnforcer.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs,
             inodes, components, snapshotId, path, ancestorIndex, doCheckOwner,
             ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
       }
@@ -426,7 +427,6 @@ void checkPermission(INode inode, int snapshotId, FsAction access)
         pathComponents.length - 1, inode, snapshotId);
     try {
       INodeAttributes[] iNodeAttr = {nodeAttributes};
-      AccessControlEnforcer enforcer = getAccessControlEnforcer();
       String opType = operationType.get();
       if (this.authorizeWithContext && opType != null) {
         INodeAttributeProvider.AuthorizationContext.Builder builder =
@@ -452,9 +452,9 @@ void checkPermission(INode inode, int snapshotId, FsAction access)
             .operationName(opType)
             .callerContext(CallerContext.getCurrent());
 
-        enforcer.checkPermissionWithContext(builder.build());
+        accessControlEnforcer.checkPermissionWithContext(builder.build());
       } else {
-        enforcer.checkPermission(
+        accessControlEnforcer.checkPermission(
             fsOwner, supergroup, callerUgi,
             iNodeAttr, // single inode attr in the array
             new INode[]{inode}, // single inode in the array