
Example 21 with IZooReaderWriter

Use of org.apache.accumulo.fate.zookeeper.IZooReaderWriter in project accumulo by apache.

Class ZKAuthenticator, method initializeSecurity.

```java
@Override
public void initializeSecurity(TCredentials credentials, String principal, byte[] token) throws AccumuloSecurityException {
    try {
        // remove old settings from zookeeper first, if any
        IZooReaderWriter zoo = ZooReaderWriter.getInstance();
        synchronized (zooCache) {
            zooCache.clear();
            if (zoo.exists(ZKUserPath)) {
                zoo.recursiveDelete(ZKUserPath, NodeMissingPolicy.SKIP);
                log.info("Removed {}/ from zookeeper", ZKUserPath);
            }
            // prep parent node of users with root username
            zoo.putPersistentData(ZKUserPath, principal.getBytes(UTF_8), NodeExistsPolicy.FAIL);
            constructUser(principal, ZKSecurityTool.createPass(token));
        }
    } catch (KeeperException | AccumuloException | InterruptedException e) {
        log.error("{}", e.getMessage(), e);
        throw new RuntimeException(e);
    }
}
```

Also used: AccumuloException (org.apache.accumulo.core.client.AccumuloException), IZooReaderWriter (org.apache.accumulo.fate.zookeeper.IZooReaderWriter), KeeperException (org.apache.zookeeper.KeeperException)

Example 22 with IZooReaderWriter

Use of org.apache.accumulo.fate.zookeeper.IZooReaderWriter in project accumulo by apache.

Class ZKAuthorizor, method initializeSecurity.

```java
@Override
public void initializeSecurity(TCredentials itw, String rootuser) throws AccumuloSecurityException {
    IZooReaderWriter zoo = ZooReaderWriter.getInstance();
    // The authorizor only records the root user's record-level authorizations, which start out
    // empty; system, table and namespace permissions are written by the permission handler
    // (ZKPermHandler), so no permission sets are built here.
    try {
        // prep parent node of users with root username
        if (!zoo.exists(ZKUserPath))
            zoo.putPersistentData(ZKUserPath, rootuser.getBytes(UTF_8), NodeExistsPolicy.FAIL);
        initUser(rootuser);
        zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserAuths, ZKSecurityTool.convertAuthorizations(Authorizations.EMPTY), NodeExistsPolicy.FAIL);
    } catch (KeeperException | InterruptedException e) {
        log.error("{}", e.getMessage(), e);
        throw new RuntimeException(e);
    }
}
```

Also used: IZooReaderWriter (org.apache.accumulo.fate.zookeeper.IZooReaderWriter), KeeperException (org.apache.zookeeper.KeeperException)

Example 23 with IZooReaderWriter

Use of org.apache.accumulo.fate.zookeeper.IZooReaderWriter in project accumulo by apache.

Class ZKPermHandler, method revokeNamespacePermission.

```java
@Override
public void revokeNamespacePermission(String user, Namespace.ID namespace, NamespacePermission permission) throws AccumuloSecurityException {
    byte[] serializedPerms = zooCache.get(ZKUserPath + "/" + user + ZKUserNamespacePerms + "/" + namespace);
    // User had no namespace permission, nothing to revoke.
    if (serializedPerms == null)
        return;
    Set<NamespacePermission> namespacePerms = ZKSecurityTool.convertNamespacePermissions(serializedPerms);
    try {
        if (namespacePerms.remove(permission)) {
            // Invalidate the cache before writing so no stale permission set is served.
            zooCache.clear();
            IZooReaderWriter zoo = ZooReaderWriter.getInstance();
            if (namespacePerms.isEmpty())
                // Last permission revoked: drop the node rather than store an empty set.
                zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserNamespacePerms + "/" + namespace, NodeMissingPolicy.SKIP);
            else
                zoo.putPersistentData(ZKUserPath + "/" + user + ZKUserNamespacePerms + "/" + namespace, ZKSecurityTool.convertNamespacePermissions(namespacePerms), NodeExistsPolicy.OVERWRITE);
        }
    } catch (KeeperException e) {
        log.error("{}", e.getMessage(), e);
        throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e);
    } catch (InterruptedException e) {
        log.error("{}", e.getMessage(), e);
        throw new RuntimeException(e);
    }
}
```

Also used: IZooReaderWriter (org.apache.accumulo.fate.zookeeper.IZooReaderWriter), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException), NamespacePermission (org.apache.accumulo.core.security.NamespacePermission), KeeperException (org.apache.zookeeper.KeeperException)

Example 24 with IZooReaderWriter

Use of org.apache.accumulo.fate.zookeeper.IZooReaderWriter in project accumulo by apache.

Class ZKPermHandler, method initializeSecurity.

```java
@Override
public void initializeSecurity(TCredentials itw, String rootuser) throws AccumuloSecurityException {
    IZooReaderWriter zoo = ZooReaderWriter.getInstance();
    // create the root user with all system privileges, no table privileges, and no record-level authorizations
    Set<SystemPermission> rootPerms = new TreeSet<>();
    for (SystemPermission p : SystemPermission.values()) rootPerms.add(p);
    Map<Table.ID, Set<TablePermission>> tablePerms = new HashMap<>();
    // Allow the root user to flush the system tables
    tablePerms.put(RootTable.ID, Collections.singleton(TablePermission.ALTER_TABLE));
    tablePerms.put(MetadataTable.ID, Collections.singleton(TablePermission.ALTER_TABLE));
    // essentially the same but on the system namespace, the ALTER_TABLE permission is now redundant
    Map<Namespace.ID, Set<NamespacePermission>> namespacePerms = new HashMap<>();
    // Both grants share one key, so they must go in a single set: a second put() for the same
    // namespace would silently replace the first and drop ALTER_NAMESPACE.
    Set<NamespacePermission> rootNamespacePerms = new TreeSet<>();
    rootNamespacePerms.add(NamespacePermission.ALTER_NAMESPACE);
    rootNamespacePerms.add(NamespacePermission.ALTER_TABLE);
    namespacePerms.put(Namespace.ID.ACCUMULO, rootNamespacePerms);
    try {
        // prep parent node of users with root username
        if (!zoo.exists(ZKUserPath))
            zoo.putPersistentData(ZKUserPath, rootuser.getBytes(UTF_8), NodeExistsPolicy.FAIL);
        initUser(rootuser);
        zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserSysPerms, ZKSecurityTool.convertSystemPermissions(rootPerms), NodeExistsPolicy.FAIL);
        for (Entry<Table.ID, Set<TablePermission>> entry : tablePerms.entrySet()) createTablePerm(rootuser, entry.getKey(), entry.getValue());
        for (Entry<Namespace.ID, Set<NamespacePermission>> entry : namespacePerms.entrySet()) createNamespacePerm(rootuser, entry.getKey(), entry.getValue());
    } catch (KeeperException | InterruptedException e) {
        log.error("{}", e.getMessage(), e);
        throw new RuntimeException(e);
    }
}
```

Also used: TreeSet (java.util.TreeSet), Set (java.util.Set), HashMap (java.util.HashMap), SystemPermission (org.apache.accumulo.core.security.SystemPermission), IZooReaderWriter (org.apache.accumulo.fate.zookeeper.IZooReaderWriter), KeeperException (org.apache.zookeeper.KeeperException)

Example 25 with IZooReaderWriter

Use of org.apache.accumulo.fate.zookeeper.IZooReaderWriter in project accumulo by apache.

Class ZKPermHandler, method cleanUser.

```java
@Override
public void cleanUser(String user) throws AccumuloSecurityException {
    try {
        synchronized (zooCache) {
            IZooReaderWriter zoo = ZooReaderWriter.getInstance();
            // Remove every permission node belonging to the user; a node that is already gone is skipped.
            zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserSysPerms, NodeMissingPolicy.SKIP);
            zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserTablePerms, NodeMissingPolicy.SKIP);
            zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserNamespacePerms, NodeMissingPolicy.SKIP);
            // Drop cached entries so the deleted permissions cannot be served from the cache.
            zooCache.clear(ZKUserPath + "/" + user);
        }
    } catch (InterruptedException e) {
        log.error("{}", e.getMessage(), e);
        throw new RuntimeException(e);
    } catch (KeeperException e) {
        log.error("{}", e.getMessage(), e);
        // A missing node means the user does not exist; anything else is reported as a connection error.
        if (e.code().equals(KeeperException.Code.NONODE))
            throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST, e);
        throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e);
    }
}
```

Also used: IZooReaderWriter (org.apache.accumulo.fate.zookeeper.IZooReaderWriter), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException), KeeperException (org.apache.zookeeper.KeeperException)
