use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.
the class ClientZookeeper method mkClientImpl.
public CuratorFramework mkClientImpl(Map<String, Object> conf, List<String> servers, Object port, String root, final WatcherCallBack watcher, Map<String, Object> authConf, DaemonType type) {
CuratorFramework fk;
if (authConf != null) {
fk = CuratorUtils.newCurator(conf, servers, port, root, new ZookeeperAuthInfo(authConf), type.getDefaultZkAcls(conf));
} else {
fk = CuratorUtils.newCurator(conf, servers, port, root, null, type.getDefaultZkAcls(conf));
}
fk.getCuratorListenable().addListener((unused, e) -> {
if (e.getType().equals(CuratorEventType.WATCHED)) {
WatchedEvent event = e.getWatchedEvent();
watcher.execute(event.getState(), event.getType(), event.getPath());
}
});
LOG.info("Starting ZK Curator");
fk.start();
return fk;
}
use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.
the class AclEnforcement method verifyAcls.
/**
* Verify the ZK ACLs are correct and optionally fix them if needed.
* @param conf the cluster config.
* @param fixUp true if we want to fix the ACLs else false.
* @throws Exception on any error.
*/
public static void verifyAcls(Map<String, Object> conf, final boolean fixUp) throws Exception {
if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
// There is no security so we are done.
return;
}
ACL superUserAcl = Utils.getSuperUserAcl(conf);
List<ACL> superAcl = new ArrayList<>(1);
superAcl.add(superUserAcl);
List<ACL> drpcFullAcl = new ArrayList<>(2);
drpcFullAcl.add(superUserAcl);
String drpcAclString = (String) conf.get(Config.STORM_ZOOKEEPER_DRPC_ACL);
if (drpcAclString != null) {
Id drpcAclId = Utils.parseZkId(drpcAclString, Config.STORM_ZOOKEEPER_DRPC_ACL);
ACL drpcUserAcl = new ACL(ZooDefs.Perms.READ, drpcAclId);
drpcFullAcl.add(drpcUserAcl);
}
List<String> zkServers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
int port = ObjectReader.getInt(conf.get(Config.STORM_ZOOKEEPER_PORT));
String stormRoot = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);
try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, "", new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
if (zk.checkExists().forPath(stormRoot) != null) {
// First off we want to verify that ROOT is good
verifyAclStrict(zk, superAcl, stormRoot, fixUp);
} else {
LOG.warn("{} does not exist no need to check any more...", stormRoot);
return;
}
}
// Now that the root is fine we can start to look at the other paths under it.
try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, stormRoot, new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
// Next verify that the blob store is correct before we start it up.
if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
verifyAclStrictRecursive(zk, superAcl, ClusterUtils.BLOBSTORE_SUBTREE, fixUp);
}
if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
verifyAclStrict(zk, superAcl, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, fixUp);
}
// The blobstore is good, now lets get the list of all topo Ids
Set<String> topoIds = new HashSet<>();
if (zk.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
topoIds.addAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
}
Map<String, Id> topoToZkCreds = new HashMap<>();
// Now lets get the creds for the topos so we can verify those as well.
BlobStore bs = ServerUtils.getNimbusBlobStore(conf, NimbusInfo.fromConf(conf), null);
try {
Subject nimbusSubject = new Subject();
nimbusSubject.getPrincipals().add(new NimbusPrincipal());
for (String topoId : topoIds) {
try {
String blobKey = topoId + "-stormconf.ser";
Map<String, Object> topoConf = Utils.fromCompressedJsonConf(bs.readBlob(blobKey, nimbusSubject));
String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
try {
topoToZkCreds.put(topoId, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
} catch (KeyNotFoundException knf) {
LOG.debug("topo removed {}", topoId, knf);
}
}
} finally {
if (bs != null) {
bs.shutdown();
}
}
verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.STORMS_SUBTREE, topoToZkCreds, fixUp);
verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, topoToZkCreds, fixUp);
// There is a race on credentials where they can be leaked in some versions of storm.
verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, topoToZkCreds, fixUp);
// There is a race on logconfig where they can be leaked in some versions of storm.
verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, topoToZkCreds, fixUp);
// There is a race on backpressure too...
verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, topoToZkCreds, fixUp);
if (zk.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
// because of this it means we need to auto create at least the topo-id directory for all running topos.
for (String topoId : topoToZkCreds.keySet()) {
String path = ClusterUtils.errorStormRoot(topoId);
if (zk.checkExists().forPath(path) == null) {
LOG.warn("Creating missing errors location {}", path);
zk.create().withACL(getTopoReadWrite(path, topoId, topoToZkCreds, superUserAcl, fixUp)).forPath(path);
}
}
}
// Error should not be leaked according to the code, but they are not important enough to fail the build if
// for some odd reason they are leaked.
verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.ERRORS_SUBTREE, topoToZkCreds, fixUp);
if (zk.checkExists().forPath(ClusterUtils.SECRET_KEYS_SUBTREE) != null) {
verifyAclStrict(zk, superAcl, ClusterUtils.SECRET_KEYS_SUBTREE, fixUp);
verifyAclStrictRecursive(zk, superAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), fixUp);
verifyAclStrictRecursive(zk, drpcFullAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), fixUp);
}
if (zk.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
verifyAclStrictRecursive(zk, superAcl, ClusterUtils.NIMBUSES_SUBTREE, fixUp);
}
if (zk.checkExists().forPath("/leader-lock") != null) {
verifyAclStrictRecursive(zk, superAcl, "/leader-lock", fixUp);
}
if (zk.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
verifyAclStrictRecursive(zk, superAcl, ClusterUtils.PROFILERCONFIG_SUBTREE, fixUp);
}
if (zk.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
verifyAclStrictRecursive(zk, superAcl, ClusterUtils.SUPERVISORS_SUBTREE, fixUp);
}
// When moving to pacemaker workerbeats can be leaked too...
verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, topoToZkCreds, fixUp);
}
}
use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.
the class Nimbus method makeZKClient.
@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
private static CuratorFramework makeZKClient(Map<String, Object> conf) {
List<String> servers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
Object port = conf.get(Config.STORM_ZOOKEEPER_PORT);
String root = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);
CuratorFramework ret = null;
if (servers != null && port != null) {
ret = ClientZookeeper.mkClient(conf, servers, port, root, new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS);
}
return ret;
}
Aggregations