/**
 * Builds the ACL list from the rows of the table returned by {@code getTable()}.
 *
 * Each row becomes one {@code ACL} (permissions from {@code getItemPerms},
 * identity from {@code getItemId}). Rows are collected through a
 * {@code HashSet}, so duplicate rows collapse into one entry (assuming
 * {@code ACL} defines equals/hashCode) and the order of the returned list is
 * not the row order.
 *
 * @return a new, mutable list of the distinct ACLs found in the table
 */
public List<ACL> getZnodeAclFromTable() {
    TableItem[] rows = getTable().getItems();
    // A set rather than a list: identical rows must not yield duplicate ACL entries.
    Set<ACL> distinct = new HashSet<ACL>(rows.length);
    for (TableItem row : rows) {
        int perms = getItemPerms(row);
        distinct.add(new ACL(perms, getItemId(row)));
    }
    return new ArrayList<ACL>(distinct);
}
/**
 * Parses a comma-separated list of {@code scheme:id:perm} entries into ACLs.
 *
 * The scheme is the text before the first colon, the permission string the
 * text after the last colon, and the id everything in between (ids may
 * therefore contain colons). Entries with fewer than two colons are reported
 * on stderr and skipped rather than failing the whole parse, so the returned
 * list can be shorter than the input, possibly empty.
 *
 * @param aclString comma-separated ACL entries
 * @return a new, mutable list holding only the entries that parsed
 */
private static List<ACL> parseACLs(String aclString) {
    List<ACL> parsed = new ArrayList<ACL>();
    for (String entry : aclString.split(",")) {
        int schemeEnd = entry.indexOf(':');
        int permStart = entry.lastIndexOf(':');
        // Two distinct colons are required for scheme, id and perm to be separable.
        boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
        if (!wellFormed) {
            System.err.println(entry + " does not have the form scheme:id:perm");
            continue;
        }
        ACL acl = new ACL();
        acl.setId(new Id(entry.substring(0, schemeEnd), entry.substring(schemeEnd + 1, permStart)));
        acl.setPerms(getPermFromString(entry.substring(permStart + 1)));
        parsed.add(acl);
    }
    return parsed;
}
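/**
 * Authenticates a {@code digest}-scheme client from the raw {@code user:password}
 * bytes it sent.
 *
 * The credentials are hashed with {@code generateDigest}; if the result equals
 * the configured {@code superDigest}, the connection additionally receives the
 * {@code super} identity. The digest identity is always added on success. The
 * super-digest comparison is done without short-circuiting on the first
 * differing character, so response timing does not reveal how much of the
 * digest matched.
 *
 * @param cnxn     connection to attach the resulting identities to
 * @param authData raw credential bytes as sent by the client
 * @return {@code OK} on success, {@code AUTHFAILED} if the digest algorithm is unavailable
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    // NOTE(review): decoded with the platform default charset, as the original did;
    // the client side encodes the same way, so this is left unchanged.
    String id = new String(authData);
    try {
        String digest = generateDigest(id);
        if (matchesSuperDigest(digest)) {
            cnxn.addAuthInfo(new Id("super", ""));
        }
        cnxn.addAuthInfo(new Id(getScheme(), digest));
        return KeeperException.Code.OK;
    } catch (NoSuchAlgorithmException e) {
        LOG.error("Missing algorithm", e);
    }
    return KeeperException.Code.AUTHFAILED;
}

/**
 * Compares a computed digest with the configured super-user digest in constant
 * time (for equal lengths); a null {@code superDigest} never matches, exactly
 * as {@code digest.equals(null)} did before.
 *
 * @param digest digest computed from the client's credentials
 * @return {@code true} only if a super digest is configured and matches exactly
 */
private boolean matchesSuperDigest(String digest) {
    if (superDigest == null) {
        return false;
    }
    // Both strings are encoded identically, so byte equality is string equality.
    return MessageDigest.isEqual(
            digest.getBytes(StandardCharsets.UTF_8),
            superDigest.getBytes(StandardCharsets.UTF_8));
}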
/**
 * Creates a server-side connection object for an accepted client socket.
 *
 * Stores the server, channel, key and factory; creates a SASL server when the
 * factory carries a login context; copies the outstanding-request limit from the
 * server (left untouched when {@code zk} is null); tunes the socket; records the
 * peer address as an {@code ip} auth id; and registers interest in reads.
 *
 * @param zk      the server this connection belongs to; may be null
 * @param sock    the accepted channel; expected to be connected
 * @param sk      the selection key the channel is registered under
 * @param factory the factory that accepted the connection
 * @throws IOException if a socket option cannot be set
 */
public NIOServerCnxn(ZooKeeperServer zk, SocketChannel sock, SelectionKey sk,
        NIOServerCnxnFactory factory) throws IOException {
    this.zkServer = zk;
    this.sock = sock;
    this.sk = sk;
    this.factory = factory;
    if (factory.login != null) {
        this.zooKeeperSaslServer = new ZooKeeperSaslServer(factory.login);
    }
    if (zk != null) {
        outstandingLimit = zk.getGlobalOutstandingLimit();
    }
    sock.socket().setTcpNoDelay(true);
    // Linger disabled so that closing the socket never blocks the closing thread.
    sock.socket().setSoLinger(false, -1);
    // Assumes a connected channel: getRemoteSocketAddress() is null otherwise.
    InetSocketAddress peer = (InetSocketAddress) sock.socket().getRemoteSocketAddress();
    // Every connection starts out with an "ip" identity for its peer.
    authInfo.add(new Id("ip", peer.getAddress().getHostAddress()));
    sk.interestOps(SelectionKey.OP_READ);
}
/**
 * Creates a server-side connection object for an accepted client socket that is
 * serviced by the given selector thread.
 *
 * Stores the server, channel, key, factory and selector thread; creates a SASL
 * server when the factory carries a login context; takes the outstanding-request
 * limit from the server, or 1 when {@code zk} is null; tunes the socket; records
 * the peer address as an {@code ip} auth id; and starts with the factory's
 * session-less connection timeout until a session is established.
 *
 * @param zk             the server this connection belongs to; may be null
 * @param sock           the accepted channel; expected to be connected
 * @param sk             the selection key the channel is registered under
 * @param factory        the factory that accepted the connection
 * @param selectorThread the thread that will select on this connection
 * @throws IOException if a socket option cannot be set
 */
public NIOServerCnxn(ZooKeeperServer zk, SocketChannel sock, SelectionKey sk,
        NIOServerCnxnFactory factory, SelectorThread selectorThread) throws IOException {
    this.zkServer = zk;
    this.sock = sock;
    this.sk = sk;
    this.factory = factory;
    this.selectorThread = selectorThread;
    if (factory.login != null) {
        this.zooKeeperSaslServer = new ZooKeeperSaslServer(factory.login);
    }
    outstandingLimit = (zk != null) ? zk.getGlobalOutstandingLimit() : 1;
    sock.socket().setTcpNoDelay(true);
    // Linger disabled so that closing the socket never blocks the closing thread.
    sock.socket().setSoLinger(false, -1);
    // Assumes a connected channel: getRemoteSocketAddress() is null otherwise.
    InetSocketAddress peer = (InetSocketAddress) sock.socket().getRemoteSocketAddress();
    // Every connection starts out with an "ip" identity for its peer.
    addAuthInfo(new Id("ip", peer.getAddress().getHostAddress()));
    this.sessionTimeout = factory.sessionlessCnxnTimeout;
}
/**
 * Parses a comma-separated list of {@code scheme:id:perm} entries into ACLs.
 *
 * The scheme is the text before the first colon, the permission string the
 * text after the last colon, and the id everything in between (ids may
 * therefore contain colons). Entries with fewer than two colons are reported
 * on stderr and skipped rather than failing the whole parse, so the returned
 * list can be shorter than the input, possibly empty.
 *
 * @param aclString comma-separated ACL entries
 * @return a new, mutable list holding only the entries that parsed
 */
public static List<ACL> parse(String aclString) {
    List<ACL> parsed = new ArrayList<ACL>();
    for (String entry : aclString.split(",")) {
        int schemeEnd = entry.indexOf(':');
        int permStart = entry.lastIndexOf(':');
        // Two distinct colons are required for scheme, id and perm to be separable.
        boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
        if (!wellFormed) {
            System.err.println(entry + " does not have the form scheme:id:perm");
            continue;
        }
        ACL acl = new ACL();
        acl.setId(new Id(entry.substring(0, schemeEnd), entry.substring(schemeEnd + 1, permStart)));
        acl.setPerms(getPermFromString(entry.substring(permStart + 1)));
        parsed.add(acl);
    }
    return parsed;
}
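/**
 * One-time test setup: registers the SASL authentication provider, writes a
 * JAAS configuration with a {@code super_duper} digest login for both the
 * server and the client, points the JVM's login config at that file and names
 * {@code super_duper} as the ZooKeeper super user. The previous values of the
 * three system properties are kept in {@code oldAuthProvider},
 * {@code oldLoginConfig} and {@code oldSuperUser} so a teardown can restore
 * them. Also prepares {@code otherDigestUser}, a digest id for a different
 * user ({@code jack}).
 *
 * @throws Exception if the temp directory or the JAAS file cannot be written
 */
@BeforeClass
public static void setupStatic() throws Exception {
    oldAuthProvider = System.setProperty("zookeeper.authProvider.1",
            "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
    File tmpDir = createTmpDir();
    File saslConfFile = new File(tmpDir, "jaas.conf");
    // try-with-resources: the writer is closed even when write() throws, so a
    // failed setup no longer leaks an open file handle.
    try (FileWriter fwriter = new FileWriter(saslConfFile)) {
        fwriter.write(""
                + "Server {\n"
                + " org.apache.zookeeper.server.auth.DigestLoginModule required\n"
                + " user_super_duper=\"test\";\n"
                + "};\n"
                + "Client {\n"
                + " org.apache.zookeeper.server.auth.DigestLoginModule required\n"
                + " username=\"super_duper\"\n"
                + " password=\"test\";\n"
                + "};"
                + "\n");
    }
    oldLoginConfig = System.setProperty("java.security.auth.login.config",
            saslConfFile.getAbsolutePath());
    oldSuperUser = System.setProperty("zookeeper.superUser", "super_duper");
    otherDigestUser = new Id("digest", DigestAuthenticationProvider.generateDigest("jack:jack"));
}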
/**
 * Reconfig must be rejected when the caller's ACL on the config node grants
 * only READ; WRITE is required. The node's ACL is set as the super user, then
 * the reconfig is attempted as the restricted {@code user} identity and is
 * expected to fail with NOAUTH.
 */
@Test(timeout = 10000)
public void testReconfigEnabledWithAuthAndWrongACL() throws InterruptedException {
    resetZKAdmin();
    try {
        zkAdmin.addAuthInfo("digest", "super:test".getBytes());
        // Digest id of user "user" with password "test", granted READ only.
        Id readOnlyUser = new Id("digest", "user:tl+z3z0vO6PfPfEENfLF96E6pM0=");
        ArrayList<ACL> acls = new ArrayList<ACL>();
        acls.add(new ACL(ZooDefs.Perms.READ, readOnlyUser));
        zkAdmin.setACL(ZooDefs.CONFIG_NODE, acls, -1);
        resetZKAdmin();
        zkAdmin.addAuthInfo("digest", "user:test".getBytes());
        reconfigPort();
        Assert.fail("Reconfig should fail with an ACL that is read only!");
    } catch (KeeperException e) {
        Assert.assertEquals(KeeperException.Code.NOAUTH, e.code());
    }
}
/**
 * Reconfig must succeed when the caller's ACL on the config node grants WRITE.
 * The node's ACL is set as the super user, then the reconfig is attempted as
 * the {@code user} identity and is expected to go through.
 */
@Test(timeout = 10000)
public void testReconfigEnabledWithAuthAndACL() throws InterruptedException {
    resetZKAdmin();
    try {
        zkAdmin.addAuthInfo("digest", "super:test".getBytes());
        // Digest id of user "user" with password "test", granted WRITE.
        Id writer = new Id("digest", "user:tl+z3z0vO6PfPfEENfLF96E6pM0=");
        ArrayList<ACL> acls = new ArrayList<ACL>();
        acls.add(new ACL(ZooDefs.Perms.WRITE, writer));
        zkAdmin.setACL(ZooDefs.CONFIG_NODE, acls, -1);
        resetZKAdmin();
        zkAdmin.addAuthInfo("digest", "user:test".getBytes());
        Assert.assertTrue(reconfigPort());
    } catch (KeeperException e) {
        Assert.fail("Reconfig should not fail, but failed with exception : " + e.getMessage());
    }
}
/**
 * Derives the ACL list for the store's root node from the ACLs used for
 * general ZooKeeper access.
 *
 * Every entry of {@code sourceACLs} is copied with its create/delete bits
 * ({@code CREATE_DELETE_PERMS}) removed, and one extra entry is appended that
 * grants exactly those bits to an identity in scheme
 * {@code zkRootNodeAuthScheme} derived from this RM's address (stored into
 * {@code zkRootNodeUsername} as a side effect) and {@code zkRootNodePassword}.
 * Existing principals thus keep their remaining access while only this RM can
 * create or delete children of the root node.
 *
 * To be called only when HA is enabled and the configuration does not set an
 * ACL for the root node.
 *
 * @param conf       configuration used to look up this RM instance's address
 * @param sourceACLs ACLs granted for ZooKeeper access in general
 * @return a new, mutable list of ACLs for the root node
 * @throws NoSuchAlgorithmException if the digest for the RM identity cannot be computed
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(Configuration conf, List<ACL> sourceACLs)
        throws NoSuchAlgorithmException {
    List<ACL> rootAcls = new ArrayList<ACL>();
    for (ACL source : sourceACLs) {
        int remainingPerms = ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
        rootAcls.add(new ACL(remainingPerms, source.getId()));
    }
    zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
            YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
    String rmCredentials = zkRootNodeUsername + ":" + zkRootNodePassword;
    Id rmId = new Id(zkRootNodeAuthScheme,
            DigestAuthenticationProvider.generateDigest(rmCredentials));
    rootAcls.add(new ACL(CREATE_DELETE_PERMS, rmId));
    return rootAcls;
}
/**
 * Parses a {@code scheme:id} pair into an {@link Id}, appending {@code realm}
 * when the id ends with {@code @}.
 *
 * Exactly one colon is accepted: it separates the scheme from the id, so pairs
 * with no colon or with embedded colons in the id are rejected.
 *
 * @param idPair id:data tuple
 * @param realm  realm appended to ids ending in {@code @}; required in that case
 * @return the parsed id
 * @throws IllegalArgumentException if the pair is malformed, or the id ends in
 *         {@code @} and {@code realm} is null or empty
 */
public Id parse(String idPair, String realm) {
    int colon = idPair.indexOf(':');
    boolean exactlyOneColon = colon != -1 && idPair.lastIndexOf(':') == colon;
    if (!exactlyOneColon) {
        throw new IllegalArgumentException("ACL '" + idPair + "' not of expected form scheme:id");
    }
    String scheme = idPair.substring(0, colon);
    String id = idPair.substring(colon + 1);
    if (id.endsWith("@")) {
        // A trailing '@' means "account in the default realm", so one must be supplied.
        if (realm == null || realm.isEmpty()) {
            throw new IllegalArgumentException("@ suffixed account but no realm " + id);
        }
        id = id + realm;
    }
    return new Id(scheme, id);
}
/**
 * A freshly initialised user registry ({@code /users/$user}) must carry a SASL
 * ACL entry for its owner, and that entry must have exactly the restricted
 * home-directory permissions.
 */
@Test
public void testUserHomedirsPermissionsRestricted() throws Throwable {
    RMRegistryOperationsService registry = startRMRegistryOperations();
    // Initialising Alice's registry creates her home node, which should carry her ACL.
    String home = registry.initUserRegistry(ALICE);
    ACL aliceACL = null;
    for (ACL candidate : registry.zkGetACLS(home)) {
        LOG.info(RegistrySecurity.aclToString(candidate));
        Id id = candidate.getId();
        boolean saslEntryForAlice = id.getScheme().equals(ZookeeperConfigOptions.SCHEME_SASL)
                && id.getId().startsWith(ALICE);
        if (saslEntryForAlice) {
            aliceACL = candidate;
            break;
        }
    }
    assertNotNull(aliceACL);
    assertEquals(RegistryAdminService.USER_HOMEDIR_ACL_PERMISSIONS, aliceACL.getPerms());
}
/**
 * Opens the ZooKeeper session described by {@code properties} and prepares the
 * default ACL used for nodes created by this client.
 *
 * Session events are forwarded to {@code sessionEvent} together with
 * {@code connectionLatch}. The session is authenticated with the
 * {@code digest} scheme using {@code userName:password} from the properties, and
 * {@code acl} is reset to two entries: ALL for the digest identity of those same
 * credentials, and READ for {@code Ids.ANYONE_ID_UNSAFE}, i.e. any client at
 * all, authenticated or not, can read the nodes. {@code isCheckParentPath} is
 * also read here, defaulting to {@code true}.
 *
 * @param connectionLatch latch handed to the session watcher
 * @throws Exception if the session cannot be created or the digest computed
 */
private void createZookeeper(final CountDownLatch connectionLatch) throws Exception {
    String connectString = this.properties.getProperty(keys.zkConnectString.toString());
    int sessionTimeout = Integer.parseInt(
            this.properties.getProperty(keys.zkSessionTimeout.toString()));
    Watcher sessionWatcher = new Watcher() {
        @Override
        public void process(WatchedEvent event) {
            sessionEvent(connectionLatch, event);
        }
    };
    zk = new ZooKeeper(connectString, sessionTimeout, sessionWatcher);
    String authString = this.properties.getProperty(keys.userName.toString())
            + ":" + this.properties.getProperty(keys.password.toString());
    this.isCheckParentPath = Boolean.parseBoolean(
            this.properties.getProperty(keys.isCheckParentPath.toString(), "true"));
    zk.addAuthInfo("digest", authString.getBytes());
    acl.clear();
    // Owner: full access under the digest identity of the same credentials.
    Id owner = new Id("digest", DigestAuthenticationProvider.generateDigest(authString));
    acl.add(new ACL(ZooDefs.Perms.ALL, owner));
    // Everyone else: read-only (world:anyone).
    acl.add(new ACL(ZooDefs.Perms.READ, Ids.ANYONE_ID_UNSAFE));
}
/**
 * Derives the ACL list for the store's root node from the ACLs used for
 * general ZooKeeper access.
 *
 * Every entry of {@code sourceACLs} is copied with its create/delete bits
 * ({@code CREATE_DELETE_PERMS}) removed, and one extra entry is appended that
 * grants exactly those bits to an identity in scheme
 * {@code zkRootNodeAuthScheme} derived from this RM's address (stored into
 * {@code zkRootNodeUsername} as a side effect) and {@code zkRootNodePassword}.
 * Existing principals thus keep their remaining access while only this RM can
 * create or delete children of the root node.
 *
 * To be called only when HA is enabled and the configuration does not set an
 * ACL for the root node.
 *
 * @param conf       configuration used to look up this RM instance's address
 * @param sourceACLs ACLs granted for ZooKeeper access in general
 * @return a new, mutable list of ACLs for the root node
 * @throws NoSuchAlgorithmException if the digest for the RM identity cannot be computed
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(Configuration conf, List<ACL> sourceACLs)
        throws NoSuchAlgorithmException {
    List<ACL> rootAcls = new ArrayList<>();
    for (ACL source : sourceACLs) {
        int remainingPerms = ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
        rootAcls.add(new ACL(remainingPerms, source.getId()));
    }
    zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
            YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
    String rmCredentials = zkRootNodeUsername + ":" + zkRootNodePassword;
    Id rmId = new Id(zkRootNodeAuthScheme,
            DigestAuthenticationProvider.generateDigest(rmCredentials));
    rootAcls.add(new ACL(CREATE_DELETE_PERMS, rmId));
    return rootAcls;
}
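/**
 * Creates {@code path} (and any missing parents) with an ACL that grants ALL
 * permissions only to the {@code digest} identity of the given credentials.
 *
 * The digest is computed before the throw-away client is opened, and the
 * client is closed in a {@code finally} block, so neither a digest failure nor
 * a failed create leaks a connection (the original only closed on success).
 *
 * @param credentials connection string plus the username/password the ACL is bound to
 * @param path        znode path to create
 * @throws Exception if the digest cannot be computed or the create fails
 */
public static void createDir(ZookeeperCredentials credentials, String path) throws Exception {
    ImmutableList<ACL> acl = ImmutableList.of(new ACL(ZooDefs.Perms.ALL, digestIdFor(credentials)));
    CuratorFramework tempClient = getNewTempClient(credentials.getConnectionString());
    try {
        tempClient.create().creatingParentsIfNeeded().withACL(acl).forPath(path);
    } finally {
        tempClient.close();
    }
}

/**
 * Builds the ZooKeeper {@code digest}-scheme id for the credentials:
 * {@code username:base64(sha1(username:password))}.
 *
 * @param credentials source of the username and password
 * @return the digest id
 * @throws java.security.NoSuchAlgorithmException if SHA-1 is unavailable
 */
private static Id digestIdFor(ZookeeperCredentials credentials)
        throws java.security.NoSuchAlgorithmException {
    String userAndPassword = String.format("%s:%s",
            credentials.getUsername(), credentials.getPassword());
    MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
    // NOTE(review): platform default charset, as in the original; the server-side
    // digest provider must encode the same way for the ACL to match — confirm before changing.
    byte[] authDigest = sha1.digest(userAndPassword.getBytes());
    String authEncoded = new String(Base64.encode(authDigest));
    return new Id("digest", String.format("%s:%s", credentials.getUsername(), authEncoded));
}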
/**
 * Creates a server-side connection object for an accepted client socket.
 *
 * Stores the server, channel, key and factory; copies the outstanding-request
 * limit from the server (left untouched when {@code zk} is null); tunes the
 * socket; records the peer address as an {@code ip} auth id; and registers
 * interest in reads.
 *
 * @param zk      the server this connection belongs to; may be null
 * @param sock    the accepted channel; expected to be connected
 * @param sk      the selection key the channel is registered under
 * @param factory the factory that accepted the connection
 * @throws IOException if a socket option cannot be set
 */
public NIOServerCnxn(ZooKeeperServer zk, SocketChannel sock, SelectionKey sk,
        NIOServerCnxnFactory factory) throws IOException {
    this.zkServer = zk;
    this.sock = sock;
    this.sk = sk;
    this.factory = factory;
    if (zk != null) {
        outstandingLimit = zk.getGlobalOutstandingLimit();
    }
    sock.socket().setTcpNoDelay(true);
    // Linger disabled so that closing the socket never blocks the closing thread.
    sock.socket().setSoLinger(false, -1);
    // Assumes a connected channel: getRemoteSocketAddress() is null otherwise.
    InetSocketAddress peer = (InetSocketAddress) sock.socket().getRemoteSocketAddress();
    // Every connection starts out with an "ip" identity for its peer.
    authInfo.add(new Id("ip", peer.getAddress().getHostAddress()));
    sk.interestOps(SelectionKey.OP_READ);
}
private void createZookeeper(final CountDownLatch connectionLatch) throws Exception { zk = new ZooKeeper(this.properties.getProperty(keys.zkConnectString .toString()), Integer.parseInt(this.properties .getProperty(keys.zkSessionTimeout.toString())), new Watcher() { public void process(WatchedEvent event) { sessionEvent(connectionLatch, event); } }); String authString = this.properties.getProperty(keys.userName.toString()) + ":"+ this.properties.getProperty(keys.password.toString()); zk.addAuthInfo("digest", authString.getBytes()); acl.clear(); acl.add(new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(authString)))); acl.add(new ACL(ZooDefs.Perms.READ, Ids.ANYONE_ID_UNSAFE)); }