Commit d8bb510

Merge pull request #50716 from saveenr/patch-27
Added specific and corrected algorithm for access check
2 parents 3594110 + 64cfcdb commit d8bb510

1 file changed

+39
-4
lines changed

articles/data-lake-store/data-lake-store-access-control.md

Lines changed: 39 additions & 4 deletions
@@ -183,10 +183,45 @@ The owning group can be changed by:
183183
184184
## Access check algorithm
185185

186-
The following illustration represents the access check algorithm for Data Lake Storage Gen1 accounts.
187-
188-
![Data Lake Storage Gen1 ACLs algorithm](./media/data-lake-store-access-control/data-lake-store-acls-algorithm.png)
189-
186+
The following psuedocode represents the access check algorithm for Data Lake Storage Gen1 accounts.
187+
188+
```
189+
def access_check( user, desired_perms, path ) :
190+
# access_check returns true if user has the desired permissions on the path, false otherwise
191+
# user is the identity that wants to perform an operation on path
192+
# desired_perms is a simple integer with values from 0 to 7 ( R=4, W=2, X=1). User desires these permissions
193+
# path is the file or folder
194+
# Note: the "sticky bit" is not illustrated in this algorithm
195+
196+
# Handle super users
197+
if (is_superuser(user)) :
198+
return True
199+
200+
# Handle the owning user. Note that mask is not used.
201+
if (is_owning_user(path, user))
202+
perms = get_perms_for_owning_user(path)
203+
return ( (desired_perms & perms) == desired_perms )
204+
205+
# Handle the named user. Note that mask is used.
206+
if (user in get_named_users( path )) :
207+
perms = get_perms_for_named_user(path, user)
208+
mask = get_mask( path )
209+
return ( (desired_perms & perms & mask ) == desired_perms)
210+
211+
# Handle groups (named groups and owning group)
212+
belongs_to_groups = [g for g in get_groups(path) if is_member_of(user, g) ]
213+
if (len(belongs_to_groups)>0) :
214+
group_perms = [get_perms_for_group(path,g) for g in belongs_to_groups]
215+
perms = 0
216+
for p in group_perms : perms = perms | p # bitwise OR all the perms together
217+
mask = get_mask( path )
218+
return ( (desired_perms & perms & mask ) == desired_perms)
219+
220+
# Handle other
221+
perms = get_perms_for_other(path)
222+
mask = get_mask( path )
223+
return ( (desired_perms & perms & mask ) == desired_perms)
224+
```
190225

191226
## The mask and "effective permissions"
192227
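Review bot: At new line 201, `if (is_owning_user(path, user))` is missing its trailing `:`, unlike every other `if` in the block, so the pseudocode does not parse as the Python it otherwise resembles; add the colon. New line 186 also misspells "pseudocode" as "psuedocode". The "Handle other" branch (new lines 220-223) applies `get_mask( path )`, while the owning-user branch explicitly notes that the mask is not used; please confirm that the mask really applies to other and add a matching comment either way, because readers will compare this with POSIX ACL behaviour, where the mask does not limit the other entry. It would also help to say in a comment that the group branch (new lines 211-218) returns as soon as the user belongs to any group on the path, so such a user never falls through to the other permissions even when the group permissions are insufficient. The fence opened at new line 188 carries no language tag; consider adding one if the docs renderer supports it.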
