use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hbase by apache.
the class ZKWatcher method checkAndSetZNodeAcls.
/**
 * Verifies the ACLs on the base znode at master start and, when they do not match a secure
 * deployment, rewrites the ACLs on the whole znode tree. This covers a cluster that was first
 * run without ZooKeeper security and later switched to a secure setup: znodes created with open
 * permissions are tightened here rather than left world-writable.
 */
public void checkAndSetZNodeAcls() {
  boolean secureDeployment = ZKAuthentication.isSecureZooKeeper(getConfiguration());
  if (!secureDeployment) {
    LOG.info("not a secure deployment, proceeding");
    return;
  }
  // Inspect the base znode first; the recursive rewrite only starts when its ACLs are wrong.
  try {
    Stat unusedStat = new Stat();
    List<ACL> currentAcls = recoverableZooKeeper.getAcl(znodePaths.baseZNode, unusedStat);
    if (isBaseZnodeAclSetup(currentAcls)) {
      return;
    }
    LOG.info("setting znode ACLs");
    setZnodeAclsRecursive(znodePaths.baseZNode);
  } catch (KeeperException.NoNodeException ignored) {
    // The base znode does not exist yet, so there is nothing to inspect or fix here.
  } catch (InterruptedException ie) {
    interruptedExceptionNoThrow(ie, false);
  } catch (IOException | KeeperException e) {
    LOG.warn("Received exception while checking and setting zookeeper ACLs", e);
  }
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hbase by apache.
the class ZKWatcher method isBaseZnodeAclSetup.
/**
 * Decides whether the ACL list read from the base znode (/hbase) matches what a secure
 * deployment requires. Every entry must be one of: the world id with READ only, a configured
 * superuser with ALL, or the current (JAAS) user under the {@code sasl} scheme with ALL. Any
 * other entry, or a wrong permission set on one of these, fails the check.
 * <p>
 * NOTE(review): the loop validates the entries that are present but does not require the
 * current user's own entry to exist, so a list holding only the permitted world/superuser
 * entries also passes; confirm whether that is intended before relying on this as a
 * completeness check.
 * @param acls acls from zookeeper
 * @return whether ACLs are set for the base znode
 * @throws IOException if getting the current user fails
 */
private boolean isBaseZnodeAclSetup(List<ACL> acls) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking znode ACLs");
  }
  String[] superUserNames = conf.getStrings(Superusers.SUPERUSER_CONF_KEY);
  boolean haveSuperUsers = superUserNames != null;
  // Every configured superuser must already hold an ACL entry.
  if (haveSuperUsers && !checkACLForSuperUsers(superUserNames, acls)) {
    return false;
  }
  // Assumes the authenticated Hadoop user is the same principal the ZooKeeper client
  // authenticates with via JAAS.
  String clientShortName = UserGroupInformation.getCurrentUser().getShortUserName();
  if (acls.isEmpty()) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("ACL is empty");
    }
    return false;
  }
  // Only three kinds of id are acceptable: everyone, a superuser, and the client user itself.
  for (ACL entry : acls) {
    int granted = entry.getPerms();
    Id who = entry.getId();
    if (Ids.ANYONE_ID_UNSAFE.equals(who)) {
      if (granted != Perms.READ) {
        debugWrongPerms(who, granted, Perms.READ);
        return false;
      }
      continue;
    }
    if (haveSuperUsers && isSuperUserId(superUserNames, who)) {
      if (granted != Perms.ALL) {
        debugWrongPerms(who, granted, Perms.ALL);
        return false;
      }
      continue;
    }
    if (!"sasl".equals(who.getScheme())) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("unexpected ACL id '{}'", who);
      }
      return false;
    }
    // ZooKeeper may have stored the full Kerberos principal; compare on the short name only.
    String principal = who.getId();
    Matcher shortNameMatch = NAME_PATTERN.matcher(principal);
    if (shortNameMatch.matches()) {
      principal = shortNameMatch.group(1);
    }
    if (!principal.equals(clientShortName)) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Unexpected shortname in SASL ACL: {}", who);
      }
      return false;
    }
    if (granted != Perms.ALL) {
      debugWrongPerms(who, granted, Perms.ALL);
      return false;
    }
  }
  return true;
}

/**
 * Logs, at debug level, an ACL entry whose permission bits differ from the expected ones.
 * @param id the ACL id whose permissions were inspected
 * @param have the permission bits actually granted
 * @param want the permission bits a secure setup requires for this id
 */
private void debugWrongPerms(Id id, int have, int want) {
  if (LOG.isDebugEnabled()) {
    LOG.debug(String.format("permissions for '%s' are not correct: have 0x%x, want 0x%x", id, have, want));
  }
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hbase by apache.
the class TestZooKeeperACL method testHBaseRootRegionServerZNodeACL.
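/**
 * When authentication is enabled on ZooKeeper, /hbase/root-region-server
 * should be created with 2 ACLs: one specifies that the hbase user has
 * full access to the node; the other, that it is world-readable.
 * <p>
 * Each entry is asserted on the ACL it was matched on, so the check does not depend on
 * the order in which ZooKeeper returns the two entries, and the owner entry is required
 * to carry every permission bit, not merely the expected sasl id.
 */
@Test
public void testHBaseRootRegionServerZNodeACL() throws Exception {
  if (!secureZKAvailable) {
    return;
  }
  List<ACL> acls = zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/hbase/root-region-server", new Stat());
  assertEquals(2, acls.size());
  boolean foundWorldReadableAcl = false;
  boolean foundHBaseOwnerAcl = false;
  for (ACL acl : acls) {
    String scheme = acl.getId().getScheme();
    if ("world".equals(scheme)) {
      assertEquals("anyone", acl.getId().getId());
      assertEquals(ZooDefs.Perms.READ, acl.getPerms());
      foundWorldReadableAcl = true;
    } else if ("sasl".equals(scheme)) {
      assertEquals("hbase", acl.getId().getId());
      // "Full access" for the owner means all permission bits, as on /hbase itself.
      assertEquals(ZooDefs.Perms.ALL, acl.getPerms());
      foundHBaseOwnerAcl = true;
    } else {
      // Any other scheme is an ACL entry the secure setup never grants: fail loudly.
      assertTrue("unexpected ACL scheme on /hbase/root-region-server: " + scheme, false);
    }
  }
  assertTrue(foundWorldReadableAcl);
  assertTrue(foundHBaseOwnerAcl);
}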
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hbase by apache.
the class TestZooKeeperACL method testHBaseRootZNodeACL.
/**
 * Create a node and check its ACL. When authentication is enabled on
 * ZooKeeper, all nodes (except /hbase/root-region-server, /hbase/master
 * and /hbase/hbaseid) should be created so that only the hbase server user
 * (master or region server user) that created them can access them, and
 * this user should have all permissions on this node. For
 * /hbase/root-region-server, /hbase/master, and /hbase/hbaseid the
 * permissions should be as above, but should also be world-readable. First
 * we check the general case of /hbase nodes in the following test, and
 * then check the subset of world-readable nodes in the three tests after
 * that.
 * <p>
 * Concretely, /hbase must carry exactly one entry: the {@code sasl} id
 * {@code hbase} holding every permission bit.
 */
@Test
public void testHBaseRootZNodeACL() throws Exception {
  if (!secureZKAvailable) {
    return;
  }
  List<ACL> rootAcls = zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/hbase", new Stat());
  assertEquals(1, rootAcls.size());
  ACL onlyEntry = rootAcls.get(0);
  // A single sasl entry for the hbase user, with no world-readable companion.
  assertEquals("sasl", onlyEntry.getId().getScheme());
  assertEquals("hbase", onlyEntry.getId().getId());
  assertEquals(ZooDefs.Perms.ALL, onlyEntry.getPerms());
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hbase by apache.
the class TestZooKeeperACL method testOutsideHBaseNodeACL.
/**
 * Finally, we check the ACLs of a node outside of the /hbase hierarchy and
 * verify that its ACL is simply 'hbase:Perms.ALL'.
 * <p>
 * NOTE(review): the node created here is not removed by this method; if the
 * suite does not clean it up elsewhere it stays behind on the test ZooKeeper.
 */
@Test
public void testOutsideHBaseNodeACL() throws Exception {
  if (!secureZKAvailable) {
    return;
  }
  ZKUtil.createWithParents(zkw, "/testACLNode");
  List<ACL> outsideAcls = zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/testACLNode", new Stat());
  assertEquals(1, outsideAcls.size());
  ACL onlyEntry = outsideAcls.get(0);
  // Outside /hbase the creator still gets a single owner-only sasl entry.
  assertEquals("sasl", onlyEntry.getId().getScheme());
  assertEquals("hbase", onlyEntry.getId().getId());
  assertEquals(ZooDefs.Perms.ALL, onlyEntry.getPerms());
}