Example 76 with ACL
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project zookeeper by apache.
the class PrepRequestProcessor method fixupACL.
/**
* This method checks out the acl making sure it isn't null or empty,
* it has valid schemes and ids, and expanding any relative ids that
* depend on the requestor's authentication information.
*
* @param authInfo list of ACL IDs associated with the client connection
* @param acls list of ACLs being assigned to the node (create or setACL operation)
* @return verified and expanded ACLs
* @throws KeeperException.InvalidACLException
*/
public static List<ACL> fixupACL(String path, List<Id> authInfo, List<ACL> acls) throws KeeperException.InvalidACLException {
// check for well formed ACLs
// This resolves https://issues.apache.org/jira/browse/ZOOKEEPER-1877
List<ACL> uniqacls = removeDuplicates(acls);
if (uniqacls == null || uniqacls.size() == 0) {
throw new KeeperException.InvalidACLException(path);
}
List<ACL> rv = new ArrayList<>();
for (ACL a : uniqacls) {
LOG.debug("Processing ACL: {}", a);
if (a == null) {
throw new KeeperException.InvalidACLException(path);
}
Id id = a.getId();
if (id == null || id.getScheme() == null) {
throw new KeeperException.InvalidACLException(path);
}
if (id.getScheme().equals("world") && id.getId().equals("anyone")) {
rv.add(a);
} else if (id.getScheme().equals("auth")) {
// This is the "auth" id, so we have to expand it to the
// authenticated ids of the requestor
boolean authIdValid = false;
for (Id cid : authInfo) {
ServerAuthenticationProvider ap = ProviderRegistry.getServerProvider(cid.getScheme());
if (ap == null) {
LOG.error("Missing AuthenticationProvider for {}", cid.getScheme());
} else if (ap.isAuthenticated()) {
authIdValid = true;
rv.add(new ACL(a.getPerms(), cid));
}
}
if (!authIdValid) {
throw new KeeperException.InvalidACLException(path);
}
} else {
ServerAuthenticationProvider ap = ProviderRegistry.getServerProvider(id.getScheme());
if (ap == null || !ap.isValid(id.getId())) {
throw new KeeperException.InvalidACLException(path);
}
rv.add(a);
}
}
return rv;
}
Also used :
ArrayList(java.util.ArrayList)
ACL(org.apache.zookeeper.data.ACL)
Id(org.apache.zookeeper.data.Id)
ServerAuthenticationProvider(org.apache.zookeeper.server.auth.ServerAuthenticationProvider)
KeeperException(org.apache.zookeeper.KeeperException)
Example 77 with ACL
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project zookeeper by apache.
the class PrepRequestProcessor method pRequest2Txn.
/**
* This method will be called inside the ProcessRequestThread, which is a
* singleton, so there will be a single thread calling this code.
*
* @param type
* @param zxid
* @param request
* @param record
*/
protected void pRequest2Txn(int type, long zxid, Request request, Record record, boolean deserialize) throws KeeperException, IOException, RequestProcessorException {
if (request.getHdr() == null) {
request.setHdr(new TxnHeader(request.sessionId, request.cxid, zxid, Time.currentWallTime(), type));
}
switch(type) {
case OpCode.create:
case OpCode.create2:
case OpCode.createTTL:
case OpCode.createContainer:
{
pRequest2TxnCreate(type, request, record, deserialize);
break;
}
case OpCode.deleteContainer:
{
String path = new String(request.request.array(), UTF_8);
String parentPath = getParentPathAndValidate(path);
ChangeRecord nodeRecord = getRecordForPath(path);
if (nodeRecord.childCount > 0) {
throw new KeeperException.NotEmptyException(path);
}
if (EphemeralType.get(nodeRecord.stat.getEphemeralOwner()) == EphemeralType.NORMAL) {
throw new KeeperException.BadVersionException(path);
}
ChangeRecord parentRecord = getRecordForPath(parentPath);
request.setTxn(new DeleteTxn(path));
parentRecord = parentRecord.duplicate(request.getHdr().getZxid());
parentRecord.childCount--;
parentRecord.stat.setPzxid(request.getHdr().getZxid());
parentRecord.precalculatedDigest = precalculateDigest(DigestOpCode.UPDATE, parentPath, parentRecord.data, parentRecord.stat);
addChangeRecord(parentRecord);
nodeRecord = new ChangeRecord(request.getHdr().getZxid(), path, null, -1, null);
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.REMOVE, path);
setTxnDigest(request, nodeRecord.precalculatedDigest);
addChangeRecord(nodeRecord);
break;
}
case OpCode.delete:
zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
DeleteRequest deleteRequest = (DeleteRequest) record;
if (deserialize) {
ByteBufferInputStream.byteBuffer2Record(request.request, deleteRequest);
}
String path = deleteRequest.getPath();
String parentPath = getParentPathAndValidate(path);
ChangeRecord parentRecord = getRecordForPath(parentPath);
zks.checkACL(request.cnxn, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo, path, null);
ChangeRecord nodeRecord = getRecordForPath(path);
checkAndIncVersion(nodeRecord.stat.getVersion(), deleteRequest.getVersion(), path);
if (nodeRecord.childCount > 0) {
throw new KeeperException.NotEmptyException(path);
}
request.setTxn(new DeleteTxn(path));
parentRecord = parentRecord.duplicate(request.getHdr().getZxid());
parentRecord.childCount--;
parentRecord.stat.setPzxid(request.getHdr().getZxid());
parentRecord.precalculatedDigest = precalculateDigest(DigestOpCode.UPDATE, parentPath, parentRecord.data, parentRecord.stat);
addChangeRecord(parentRecord);
nodeRecord = new ChangeRecord(request.getHdr().getZxid(), path, null, -1, null);
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.REMOVE, path);
setTxnDigest(request, nodeRecord.precalculatedDigest);
addChangeRecord(nodeRecord);
break;
case OpCode.setData:
zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
SetDataRequest setDataRequest = (SetDataRequest) record;
if (deserialize) {
ByteBufferInputStream.byteBuffer2Record(request.request, setDataRequest);
}
path = setDataRequest.getPath();
validatePath(path, request.sessionId);
nodeRecord = getRecordForPath(path);
zks.checkACL(request.cnxn, nodeRecord.acl, ZooDefs.Perms.WRITE, request.authInfo, path, null);
zks.checkQuota(path, nodeRecord.data, setDataRequest.getData(), OpCode.setData);
int newVersion = checkAndIncVersion(nodeRecord.stat.getVersion(), setDataRequest.getVersion(), path);
request.setTxn(new SetDataTxn(path, setDataRequest.getData(), newVersion));
nodeRecord = nodeRecord.duplicate(request.getHdr().getZxid());
nodeRecord.stat.setVersion(newVersion);
nodeRecord.stat.setMtime(request.getHdr().getTime());
nodeRecord.stat.setMzxid(zxid);
nodeRecord.data = setDataRequest.getData();
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.UPDATE, path, nodeRecord.data, nodeRecord.stat);
setTxnDigest(request, nodeRecord.precalculatedDigest);
addChangeRecord(nodeRecord);
break;
case OpCode.reconfig:
if (!zks.isReconfigEnabled()) {
LOG.error("Reconfig operation requested but reconfig feature is disabled.");
throw new KeeperException.ReconfigDisabledException();
}
if (ZooKeeperServer.skipACL) {
LOG.warn("skipACL is set, reconfig operation will skip ACL checks!");
}
zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
LeaderZooKeeperServer lzks;
try {
lzks = (LeaderZooKeeperServer) zks;
} catch (ClassCastException e) {
// standalone mode - reconfiguration currently not supported
throw new KeeperException.UnimplementedException();
}
QuorumVerifier lastSeenQV = lzks.self.getLastSeenQuorumVerifier();
// check that there's no reconfig in progress
if (lastSeenQV.getVersion() != lzks.self.getQuorumVerifier().getVersion()) {
throw new KeeperException.ReconfigInProgress();
}
ReconfigRequest reconfigRequest = (ReconfigRequest) record;
long configId = reconfigRequest.getCurConfigId();
if (configId != -1 && configId != lzks.self.getLastSeenQuorumVerifier().getVersion()) {
String msg = "Reconfiguration from version " + configId + " failed -- last seen version is " + lzks.self.getLastSeenQuorumVerifier().getVersion();
throw new KeeperException.BadVersionException(msg);
}
String newMembers = reconfigRequest.getNewMembers();
if (newMembers != null) {
// non-incremental membership change
LOG.info("Non-incremental reconfig");
// Input may be delimited by either commas or newlines so convert to common newline separated format
newMembers = newMembers.replaceAll(",", "\n");
try {
Properties props = new Properties();
props.load(new StringReader(newMembers));
request.qv = QuorumPeerConfig.parseDynamicConfig(props, lzks.self.getElectionType(), true, false, lastSeenQV.getOraclePath());
request.qv.setVersion(request.getHdr().getZxid());
} catch (IOException | ConfigException e) {
throw new KeeperException.BadArgumentsException(e.getMessage());
}
} else {
// incremental change - must be a majority quorum system
LOG.info("Incremental reconfig");
List<String> joiningServers = null;
String joiningServersString = reconfigRequest.getJoiningServers();
if (joiningServersString != null) {
joiningServers = StringUtils.split(joiningServersString, ",");
}
List<String> leavingServers = null;
String leavingServersString = reconfigRequest.getLeavingServers();
if (leavingServersString != null) {
leavingServers = StringUtils.split(leavingServersString, ",");
}
if (!(lastSeenQV instanceof QuorumMaj) && !(lastSeenQV instanceof QuorumOracleMaj)) {
String msg = "Incremental reconfiguration requested but last configuration seen has a non-majority quorum system";
LOG.warn(msg);
throw new KeeperException.BadArgumentsException(msg);
}
Map<Long, QuorumServer> nextServers = new HashMap<Long, QuorumServer>(lastSeenQV.getAllMembers());
try {
if (leavingServers != null) {
for (String leaving : leavingServers) {
long sid = Long.parseLong(leaving);
nextServers.remove(sid);
}
}
if (joiningServers != null) {
for (String joiner : joiningServers) {
// joiner should have the following format: server.x = server_spec;client_spec
String[] parts = StringUtils.split(joiner, "=").toArray(new String[0]);
if (parts.length != 2) {
throw new KeeperException.BadArgumentsException("Wrong format of server string");
}
// extract server id x from first part of joiner: server.x
Long sid = Long.parseLong(parts[0].substring(parts[0].lastIndexOf('.') + 1));
QuorumServer qs = new QuorumServer(sid, parts[1]);
if (qs.clientAddr == null || qs.electionAddr == null || qs.addr == null) {
throw new KeeperException.BadArgumentsException("Wrong format of server string - each server should have 3 ports specified");
}
// check duplication of addresses and ports
for (QuorumServer nqs : nextServers.values()) {
if (qs.id == nqs.id) {
continue;
}
qs.checkAddressDuplicate(nqs);
}
nextServers.remove(qs.id);
nextServers.put(qs.id, qs);
}
}
} catch (ConfigException e) {
throw new KeeperException.BadArgumentsException("Reconfiguration failed");
}
if (lastSeenQV instanceof QuorumMaj) {
request.qv = new QuorumMaj(nextServers);
} else {
request.qv = new QuorumOracleMaj(nextServers, lastSeenQV.getOraclePath());
}
request.qv.setVersion(request.getHdr().getZxid());
}
if (QuorumPeerConfig.isStandaloneEnabled() && request.qv.getVotingMembers().size() < 2) {
String msg = "Reconfig failed - new configuration must include at least 2 followers";
LOG.warn(msg);
throw new KeeperException.BadArgumentsException(msg);
} else if (request.qv.getVotingMembers().size() < 1) {
String msg = "Reconfig failed - new configuration must include at least 1 follower";
LOG.warn(msg);
throw new KeeperException.BadArgumentsException(msg);
}
if (!lzks.getLeader().isQuorumSynced(request.qv)) {
String msg2 = "Reconfig failed - there must be a connected and synced quorum in new configuration";
LOG.warn(msg2);
throw new KeeperException.NewConfigNoQuorum();
}
nodeRecord = getRecordForPath(ZooDefs.CONFIG_NODE);
zks.checkACL(request.cnxn, nodeRecord.acl, ZooDefs.Perms.WRITE, request.authInfo, null, null);
SetDataTxn setDataTxn = new SetDataTxn(ZooDefs.CONFIG_NODE, request.qv.toString().getBytes(), -1);
request.setTxn(setDataTxn);
nodeRecord = nodeRecord.duplicate(request.getHdr().getZxid());
nodeRecord.stat.setVersion(-1);
nodeRecord.stat.setMtime(request.getHdr().getTime());
nodeRecord.stat.setMzxid(zxid);
nodeRecord.data = setDataTxn.getData();
// Reconfig is currently a noop from digest computation
// perspective since config node is not covered by the digests.
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.NOOP, ZooDefs.CONFIG_NODE, nodeRecord.data, nodeRecord.stat);
setTxnDigest(request, nodeRecord.precalculatedDigest);
addChangeRecord(nodeRecord);
break;
case OpCode.setACL:
zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
SetACLRequest setAclRequest = (SetACLRequest) record;
if (deserialize) {
ByteBufferInputStream.byteBuffer2Record(request.request, setAclRequest);
}
path = setAclRequest.getPath();
validatePath(path, request.sessionId);
List<ACL> listACL = fixupACL(path, request.authInfo, setAclRequest.getAcl());
nodeRecord = getRecordForPath(path);
zks.checkACL(request.cnxn, nodeRecord.acl, ZooDefs.Perms.ADMIN, request.authInfo, path, listACL);
newVersion = checkAndIncVersion(nodeRecord.stat.getAversion(), setAclRequest.getVersion(), path);
request.setTxn(new SetACLTxn(path, listACL, newVersion));
nodeRecord = nodeRecord.duplicate(request.getHdr().getZxid());
nodeRecord.stat.setAversion(newVersion);
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.UPDATE, path, nodeRecord.data, nodeRecord.stat);
setTxnDigest(request, nodeRecord.precalculatedDigest);
addChangeRecord(nodeRecord);
break;
case OpCode.createSession:
request.request.rewind();
int to = request.request.getInt();
request.setTxn(new CreateSessionTxn(to));
request.request.rewind();
// only add the global session tracker but not to ZKDb
zks.sessionTracker.trackSession(request.sessionId, to);
zks.setOwner(request.sessionId, request.getOwner());
break;
case OpCode.closeSession:
// We don't want to do this check since the session expiration thread
// queues up this operation without being the session owner.
// this request is the last of the session so it should be ok
// zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
long startTime = Time.currentElapsedTime();
synchronized (zks.outstandingChanges) {
// need to move getEphemerals into zks.outstandingChanges
// synchronized block, otherwise there will be a race
// condition with the on flying deleteNode txn, and we'll
// delete the node again here, which is not correct
Set<String> es = zks.getZKDatabase().getEphemerals(request.sessionId);
for (ChangeRecord c : zks.outstandingChanges) {
if (c.stat == null) {
// Doing a delete
es.remove(c.path);
} else if (c.stat.getEphemeralOwner() == request.sessionId) {
es.add(c.path);
}
}
for (String path2Delete : es) {
if (digestEnabled) {
parentPath = getParentPathAndValidate(path2Delete);
parentRecord = getRecordForPath(parentPath);
parentRecord = parentRecord.duplicate(request.getHdr().getZxid());
parentRecord.stat.setPzxid(request.getHdr().getZxid());
parentRecord.precalculatedDigest = precalculateDigest(DigestOpCode.UPDATE, parentPath, parentRecord.data, parentRecord.stat);
addChangeRecord(parentRecord);
}
nodeRecord = new ChangeRecord(request.getHdr().getZxid(), path2Delete, null, 0, null);
nodeRecord.precalculatedDigest = precalculateDigest(DigestOpCode.REMOVE, path2Delete);
addChangeRecord(nodeRecord);
}
if (ZooKeeperServer.isCloseSessionTxnEnabled()) {
request.setTxn(new CloseSessionTxn(new ArrayList<String>(es)));
}
zks.sessionTracker.setSessionClosing(request.sessionId);
}
ServerMetrics.getMetrics().CLOSE_SESSION_PREP_TIME.add(Time.currentElapsedTime() - startTime);
break;
case OpCode.check:
zks.sessionTracker.checkSession(request.sessionId, request.getOwner());
CheckVersionRequest checkVersionRequest = (CheckVersionRequest) record;
if (deserialize) {
ByteBufferInputStream.byteBuffer2Record(request.request, checkVersionRequest);
}
path = checkVersionRequest.getPath();
validatePath(path, request.sessionId);
nodeRecord = getRecordForPath(path);
zks.checkACL(request.cnxn, nodeRecord.acl, ZooDefs.Perms.READ, request.authInfo, path, null);
request.setTxn(new CheckVersionTxn(path, checkAndIncVersion(nodeRecord.stat.getVersion(), checkVersionRequest.getVersion(), path)));
break;
default:
LOG.warn("unknown type {}", type);
break;
}
// we just set the current tree digest in it
if (request.getTxnDigest() == null && digestEnabled) {
setTxnDigest(request);
}
}
Also used :
CheckVersionRequest(org.apache.zookeeper.proto.CheckVersionRequest)
HashMap(java.util.HashMap)
QuorumServer(org.apache.zookeeper.server.quorum.QuorumPeer.QuorumServer)
QuorumMaj(org.apache.zookeeper.server.quorum.flexible.QuorumMaj)
QuorumOracleMaj(org.apache.zookeeper.server.quorum.flexible.QuorumOracleMaj)
ArrayList(java.util.ArrayList)
ConfigException(org.apache.zookeeper.server.quorum.QuorumPeerConfig.ConfigException)
Properties(java.util.Properties)
ReconfigRequest(org.apache.zookeeper.proto.ReconfigRequest)
DeleteTxn(org.apache.zookeeper.txn.DeleteTxn)
CreateSessionTxn(org.apache.zookeeper.txn.CreateSessionTxn)
BadArgumentsException(org.apache.zookeeper.KeeperException.BadArgumentsException)
StringReader(java.io.StringReader)
CloseSessionTxn(org.apache.zookeeper.txn.CloseSessionTxn)
SetACLRequest(org.apache.zookeeper.proto.SetACLRequest)
CheckVersionTxn(org.apache.zookeeper.txn.CheckVersionTxn)
ACL(org.apache.zookeeper.data.ACL)
SetDataRequest(org.apache.zookeeper.proto.SetDataRequest)
SetDataTxn(org.apache.zookeeper.txn.SetDataTxn)
IOException(java.io.IOException)
QuorumVerifier(org.apache.zookeeper.server.quorum.flexible.QuorumVerifier)
BadArgumentsException(org.apache.zookeeper.KeeperException.BadArgumentsException)
SetACLTxn(org.apache.zookeeper.txn.SetACLTxn)
ChangeRecord(org.apache.zookeeper.server.ZooKeeperServer.ChangeRecord)
DeleteRequest(org.apache.zookeeper.proto.DeleteRequest)
KeeperException(org.apache.zookeeper.KeeperException)
TxnHeader(org.apache.zookeeper.txn.TxnHeader)
LeaderZooKeeperServer(org.apache.zookeeper.server.quorum.LeaderZooKeeperServer)
Example 78 with ACL
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project zookeeper by apache.
the class SaslSuperUserTest method connectAndPerformSuperOps.
private void connectAndPerformSuperOps() throws Exception {
ZooKeeper zk = createClient();
try {
zk.create("/digest_read", null, Arrays.asList(new ACL(Perms.READ, otherDigestUser)), CreateMode.PERSISTENT);
zk.create("/digest_read/sub", null, Arrays.asList(new ACL(Perms.READ, otherDigestUser)), CreateMode.PERSISTENT);
zk.create("/sasl_read", null, Arrays.asList(new ACL(Perms.READ, otherSaslUser)), CreateMode.PERSISTENT);
zk.create("/sasl_read/sub", null, Arrays.asList(new ACL(Perms.READ, otherSaslUser)), CreateMode.PERSISTENT);
zk.delete("/digest_read/sub", -1);
zk.delete("/digest_read", -1);
zk.delete("/sasl_read/sub", -1);
zk.delete("/sasl_read", -1);
} finally {
zk.close();
}
}
Also used :
ZooKeeper(org.apache.zookeeper.ZooKeeper)
TestableZooKeeper(org.apache.zookeeper.TestableZooKeeper)
ACL(org.apache.zookeeper.data.ACL)
Example 79 with ACL
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project zookeeper by apache.
the class ReconfigExceptionTest method testReconfigEnabledWithAuthAndWrongACL.
@Test
@Timeout(value = 10)
public void testReconfigEnabledWithAuthAndWrongACL() throws InterruptedException {
resetZKAdmin();
try {
zkAdmin.addAuthInfo("digest", "super:test".getBytes());
// There is ACL however the permission is wrong - need WRITE permission at leaste.
ArrayList<ACL> acls = new ArrayList<ACL>(Collections.singletonList(new ACL(ZooDefs.Perms.READ, new Id("digest", "user:tl+z3z0vO6PfPfEENfLF96E6pM0="))));
zkAdmin.setACL(ZooDefs.CONFIG_NODE, acls, -1);
resetZKAdmin();
zkAdmin.addAuthInfo("digest", "user:test".getBytes());
reconfigPort();
fail("Reconfig should fail with an ACL that is read only!");
} catch (KeeperException e) {
assertTrue(e.code() == KeeperException.Code.NOAUTH);
}
}Example 80 with ACL
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project zookeeper by apache.
the class SaslAuthTest method testInvalidSaslIds.
@Test
public void testInvalidSaslIds() throws Exception {
ZooKeeper zk = createClient();
List<String> invalidIds = new ArrayList<String>();
invalidIds.add("user@KERB.REALM/server.com");
invalidIds.add("user@KERB.REALM1@KERB.REALM2");
int i = 0;
for (String invalidId : invalidIds) {
List<ACL> aclList = new ArrayList<ACL>();
try {
ACL acl = new ACL(0, new Id("sasl", invalidId));
aclList.add(acl);
zk.create("/invalid" + i, null, aclList, CreateMode.PERSISTENT);
fail("SASLAuthenticationProvider.isValid() failed to catch invalid Id.");
} catch (KeeperException.InvalidACLException e) {
// ok.
} finally {
i++;
}
}
}Aggregations
ACL (org.apache.zookeeper.data.ACL)215
Id (org.apache.zookeeper.data.Id)85
ArrayList (java.util.ArrayList)61
Test (org.junit.Test)56
Stat (org.apache.zookeeper.data.Stat)45
KeeperException (org.apache.zookeeper.KeeperException)35
Test (org.testng.annotations.Test)32
CuratorFramework (org.apache.curator.framework.CuratorFramework)20
Test (org.junit.jupiter.api.Test)18
Configuration (org.apache.hadoop.conf.Configuration)17
ZooKeeper (org.apache.zookeeper.ZooKeeper)16
ACLProvider (org.apache.curator.framework.api.ACLProvider)15
List (java.util.List)11
IOException (java.io.IOException)10
CountDownLatch (java.util.concurrent.CountDownLatch)9
ExponentialBackoffRetry (org.apache.curator.retry.ExponentialBackoffRetry)8
TestableZooKeeper (org.apache.zookeeper.TestableZooKeeper)7
ByteArrayOutputStream (java.io.ByteArrayOutputStream)6
HashMap (java.util.HashMap)6
CreateMode (org.apache.zookeeper.CreateMode)6
