use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hadoop by apache.
the class CuratorService method addWriteAccessor.
/**
 * Registers a digest-authenticated identity to be used for all future
 * write operations.
 *
 * <p>The entry is created with {@code ZooDefs.Perms.ALL}, which in ZooKeeper
 * is read, write, create, delete and admin. The identity therefore
 * also gains the right to change ACLs, not only to write data.
 *
 * @param id ID to use
 * @param pass password; it is passed through {@code RegistrySecurity#digest}
 *             before being turned into the ACL identity
 * @return whatever {@code RegistrySecurity#addDigestACL} reports for the new entry
 * @throws IOException on any failure to build the digest
 */
public boolean addWriteAccessor(String id, String pass) throws IOException {
    final RegistrySecurity registrySecurity = getRegistrySecurity();
    // Build the digest identity first, then wrap it in a full-permission ACL.
    return registrySecurity.addDigestACL(
        new ACL(
            ZooDefs.Perms.ALL,
            registrySecurity.toDigestId(registrySecurity.digest(id, pass))));
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hadoop by apache.
the class RegistrySecurity method buildACLs.
/**
 * Builds one ACL per entry of {@code principalList}, adding a realm if
 * needed and giving every entry the same permission mask.
 *
 * <p>{@code perms} is applied exactly as supplied; this method does not
 * check or narrow it, so the caller decides how much access each listed
 * principal receives.
 *
 * @param principalList id string, split into individual entries by
 *                      {@code splitAclPairs}
 * @param realm realm to add
 * @param perms permissions assigned to every resulting ACL
 * @return the relevant ACLs, one per parsed entry, in list order
 * @throws IOException if splitting or parsing the id string fails
 *                     (presumably on malformed entries; see
 *                     {@code splitAclPairs} and {@code parse})
 */
public List<ACL> buildACLs(String principalList, String realm, int perms) throws IOException {
    final List<String> entries = splitAclPairs(principalList, realm);
    final List<ACL> result = new ArrayList<ACL>(entries.size());
    for (final String entry : entries) {
        // Same permission mask for every principal in the list.
        result.add(new ACL(perms, parse(entry, realm)));
    }
    return result;
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hadoop by apache.
the class RegistrySecurity method initSecurity.
/**
 * Initialise the registry security state from the service configuration.
 *
 * <p>Reads {@code KEY_REGISTRY_SECURE} and rebuilds {@link #systemACLs}:
 * <ul>
 *   <li>secure registry: {@code ALL_READ_ACCESS}, the configured system
 *       accounts with {@code ZooDefs.Perms.ALL}, and the user ACLs built
 *       for the active {@code access} mode (sasl, digest or anon);</li>
 *   <li>insecure registry: the entries of {@code WorldReadWriteACL} only.</li>
 * </ul>
 *
 * After this operation, the {@link #systemACLs} list is valid.
 *
 * <p>In digest mode the client id and password read from configuration are
 * kept in plaintext in {@code digestAuthUser}, {@code digestAuthPassword}
 * and {@code digestAuthData} for the lifetime of this object.
 *
 * @throws IOException if the access mode is sasl and Kerberos security is
 *         not enabled; other failures from reading required options or
 *         building ACLs are presumably reported the same way
 * @throws ServiceStateException in digest mode when no user ACL could be
 *         built before the digest entry is added
 */
private void initSecurity() throws IOException {
    secureRegistry = getConfig().getBoolean(KEY_REGISTRY_SECURE, DEFAULT_REGISTRY_SECURE);
    // empty the list before rebuilding it
    systemACLs.clear();
    if (secureRegistry) {
        // NOTE(review): the constant name suggests a read grant for everyone,
        // which would leave registry content readable without authentication
        // even in secure mode; confirm against its definition
        addSystemACL(ALL_READ_ACCESS);
        // determine the kerberos realm from JVM and settings
        kerberosRealm = getConfig().get(KEY_REGISTRY_KERBEROS_REALM, getDefaultRealmInJVM());
        // System Accounts: each configured principal is granted Perms.ALL
        // (read, write, create, delete and admin)
        String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS, DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
        // remember whether the system account string carries an explicit realm
        usesRealm = system.contains("@");
        systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));
        // user accounts: the configured list may be empty, but in digest mode
        // at least one user ACL must exist (checked in the digest case below)
        String user = getConfig().get(KEY_REGISTRY_USER_ACCOUNTS, DEFAULT_REGISTRY_USER_ACCOUNTS);
        List<ACL> userACLs = buildACLs(user, kerberosRealm, ZooDefs.Perms.ALL);
        // add self if the current user can be determined
        ACL self;
        if (UserGroupInformation.isSecurityEnabled()) {
            self = createSaslACLFromCurrentUser(ZooDefs.Perms.ALL);
            if (self != null) {
                userACLs.add(self);
            }
        }
        // here check for UGI having secure on or digest + ID
        // there is no default branch: any other access value leaves userACLs
        // exactly as built above
        switch(access) {
            case sasl:
                // secure + SASL => has to be authenticated
                if (!UserGroupInformation.isSecurityEnabled()) {
                    throw new IOException("Kerberos required for secure registry access");
                }
                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                jaasClientContext = getOrFail(KEY_REGISTRY_CLIENT_JAAS_CONTEXT, DEFAULT_REGISTRY_CLIENT_JAAS_CONTEXT);
                jaasClientIdentity = currentUser.getShortUserName();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Auth is SASL user=\"{}\" JAAS context=\"{}\"", jaasClientIdentity, jaasClientContext);
                }
                break;
            case digest:
                // both the id and the password are read from the service configuration
                String id = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "");
                String pass = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "");
                if (userACLs.isEmpty()) {
                    // no configured user account and no SASL self entry: fail
                    // before the digest ACL is added, so a digest client can
                    // never be the only user-level principal
                    throw new ServiceStateException(E_NO_USER_DETERMINED_FOR_ACLS);
                }
                // the return value is discarded; presumably called only for
                // its validation of id and pass (confirm against digest())
                digest(id, pass);
                // the digest identity receives Perms.ALL, admin included
                ACL acl = new ACL(ZooDefs.Perms.ALL, toDigestId(id, pass));
                userACLs.add(acl);
                // plaintext credentials are retained in fields from here on
                digestAuthUser = id;
                digestAuthPassword = pass;
                String authPair = id + ":" + pass;
                // "id:pass" as UTF-8 bytes; presumably the auth data later
                // handed to the ZooKeeper client (confirm at the use site)
                digestAuthData = authPair.getBytes("UTF-8");
                if (LOG.isDebugEnabled()) {
                    // NOTE(review): confirm aclToString() does not print the
                    // full password digest into the debug log
                    LOG.debug("Auth is Digest ACL: {}", aclToString(acl));
                }
                break;
            case anon:
                // nothing is needed; account is read only.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Auth is anonymous");
                }
                // drop the user ACLs built above, including any SASL self
                // entry; only ALL_READ_ACCESS and the system accounts remain
                userACLs = new ArrayList<ACL>(0);
                break;
        }
        systemACLs.addAll(userACLs);
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Registry has no security");
        }
        // wide open cluster, adding system acls: with security off the list
        // holds only the WorldReadWriteACL entries
        systemACLs.addAll(WorldReadWriteACL);
    }
}
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hadoop by apache.
the class ZKPathDumper method expand.
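/**
 * Recursively expand the path into the supplied string builder, increasing
 * the indentation by {@link #INDENT} as it proceeds (depth first) down
 * the tree.
 *
 * <p>Each child is written on one line: the indentation, {@code /name},
 * {@code [dataLength]}, a {@code *} when the node has an ephemeral owner
 * and, if {@code verbose} is set, {@code " -- "} followed by the node's
 * ACLs as rendered by {@code RegistrySecurity.aclToString}. The ACLs are
 * collected into the per-node body so they follow the node name instead of
 * preceding the indentation.
 *
 * <p>A child that disappears between the listing and the stat call is
 * skipped. Any other failure is appended to the dump as the exception's
 * string form and ends the expansion of this path; the dump is best-effort
 * and never throws.
 *
 * <p>NOTE(review): a verbose dump lists the ACL identities of every node;
 * confirm that {@code aclToString} masks digest values before such output
 * is placed in logs or bug reports.
 *
 * @param builder string builder to append to
 * @param path path to examine
 * @param indent current indentation
 */
private void expand(StringBuilder builder, String path, int indent) {
    try {
        List<String> children = curator.getChildren().forPath(path);
        for (String child : children) {
            // avoid a doubled separator when expanding the root path "/"
            String childPath = path.endsWith("/") ? path + child : path + "/" + child;
            Stat stat = curator.checkExists().forPath(childPath);
            if (stat == null) {
                // the node was deleted after it was listed (for example an
                // ephemeral node whose session ended); nothing to print
                continue;
            }
            StringBuilder bodyBuilder = new StringBuilder(256);
            bodyBuilder.append(" [").append(stat.getDataLength()).append("]");
            if (stat.getEphemeralOwner() > 0) {
                bodyBuilder.append("*");
            }
            if (verbose) {
                // verbose: extract ACLs and keep them on the node's own line,
                // after its name and size
                bodyBuilder.append(" -- ");
                List<ACL> acls = curator.getACL().forPath(childPath);
                for (ACL acl : acls) {
                    bodyBuilder.append(RegistrySecurity.aclToString(acl));
                    bodyBuilder.append(" ");
                }
            }
            // print each child
            append(builder, indent, ' ');
            builder.append('/').append(child);
            builder.append(bodyBuilder);
            builder.append('\n');
            // recurse
            expand(builder, childPath, indent + INDENT);
        }
    } catch (Exception e) {
        if (e instanceof InterruptedException) {
            // keep the interrupt visible to the caller's thread
            Thread.currentThread().interrupt();
        }
        // best-effort dump: record the failure in the output and stop here
        builder.append(e.toString()).append("\n");
    }
}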
use of org.apache.flink.shaded.zookeeper3.org.apache.zookeeper.data.ACL in project hadoop by apache.
the class RegistryAdminService method aclsForUser.
/**
 * Set up the ACL for the user.
 * <b>Important: this must run client-side as it needs
 * to know the id:pass tuple for a user</b>
 *
 * <p>The result is the list returned by {@code getClientAcls()}; when the
 * registry is secure, one more entry built from {@code username} and
 * {@code perms} is appended to it. On an insecure registry the user gets
 * no entry of their own.
 *
 * @param username user name
 * @param perms permissions granted to the user's entry
 * @return an ACL list
 * @throws IOException ACL creation/parsing problems
 */
public List<ACL> aclsForUser(String username, int perms) throws IOException {
    // NOTE(review): the returned list is modified in place below; confirm
    // getClientAcls() hands out a fresh copy, otherwise per-user entries
    // would accumulate in shared state across calls.
    final List<ACL> acls = getClientAcls();
    final RegistrySecurity registrySecurity = getRegistrySecurity();
    if (!registrySecurity.isSecureRegistry()) {
        return acls;
    }
    acls.add(registrySecurity.createACLfromUsername(username, perms));
    return acls;
}