Search in sources :

Example 6 with CuratorFramework

use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.

the class ClientZookeeper method mkClientImpl.

public CuratorFramework mkClientImpl(Map<String, Object> conf, List<String> servers, Object port, String root, final WatcherCallBack watcher, Map<String, Object> authConf, DaemonType type) {
    CuratorFramework fk;
    if (authConf != null) {
        fk = CuratorUtils.newCurator(conf, servers, port, root, new ZookeeperAuthInfo(authConf), type.getDefaultZkAcls(conf));
    } else {
        fk = CuratorUtils.newCurator(conf, servers, port, root, null, type.getDefaultZkAcls(conf));
    }
    fk.getCuratorListenable().addListener((unused, e) -> {
        if (e.getType().equals(CuratorEventType.WATCHED)) {
            WatchedEvent event = e.getWatchedEvent();
            watcher.execute(event.getState(), event.getType(), event.getPath());
        }
    });
    LOG.info("Starting ZK Curator");
    fk.start();
    return fk;
}
Also used : WatchedEvent(org.apache.storm.shade.org.apache.zookeeper.WatchedEvent) CuratorFramework(org.apache.storm.shade.org.apache.curator.framework.CuratorFramework) ZookeeperAuthInfo(org.apache.storm.utils.ZookeeperAuthInfo)

Example 7 with CuratorFramework

use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.

the class AclEnforcement method verifyAcls.

/**
 * Verify the ZK ACLs are correct and optionally fix them if needed.
 * @param conf the cluster config.
 * @param fixUp true if we want to fix the ACLs else false.
 * @throws Exception on any error.
 */
public static void verifyAcls(Map<String, Object> conf, final boolean fixUp) throws Exception {
    if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
        LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
        // There is no security so we are done.
        return;
    }
    ACL superUserAcl = Utils.getSuperUserAcl(conf);
    List<ACL> superAcl = new ArrayList<>(1);
    superAcl.add(superUserAcl);
    List<ACL> drpcFullAcl = new ArrayList<>(2);
    drpcFullAcl.add(superUserAcl);
    String drpcAclString = (String) conf.get(Config.STORM_ZOOKEEPER_DRPC_ACL);
    if (drpcAclString != null) {
        Id drpcAclId = Utils.parseZkId(drpcAclString, Config.STORM_ZOOKEEPER_DRPC_ACL);
        ACL drpcUserAcl = new ACL(ZooDefs.Perms.READ, drpcAclId);
        drpcFullAcl.add(drpcUserAcl);
    }
    List<String> zkServers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
    int port = ObjectReader.getInt(conf.get(Config.STORM_ZOOKEEPER_PORT));
    String stormRoot = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);
    try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, "", new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
        if (zk.checkExists().forPath(stormRoot) != null) {
            // First off we want to verify that ROOT is good
            verifyAclStrict(zk, superAcl, stormRoot, fixUp);
        } else {
            LOG.warn("{} does not exist no need to check any more...", stormRoot);
            return;
        }
    }
    // Now that the root is fine we can start to look at the other paths under it.
    try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, stormRoot, new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
        // Next verify that the blob store is correct before we start it up.
        if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.BLOBSTORE_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
            verifyAclStrict(zk, superAcl, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, fixUp);
        }
        // The blobstore is good, now lets get the list of all topo Ids
        Set<String> topoIds = new HashSet<>();
        if (zk.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
            topoIds.addAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
        }
        Map<String, Id> topoToZkCreds = new HashMap<>();
        // Now lets get the creds for the topos so we can verify those as well.
        BlobStore bs = ServerUtils.getNimbusBlobStore(conf, NimbusInfo.fromConf(conf), null);
        try {
            Subject nimbusSubject = new Subject();
            nimbusSubject.getPrincipals().add(new NimbusPrincipal());
            for (String topoId : topoIds) {
                try {
                    String blobKey = topoId + "-stormconf.ser";
                    Map<String, Object> topoConf = Utils.fromCompressedJsonConf(bs.readBlob(blobKey, nimbusSubject));
                    String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
                    try {
                        topoToZkCreds.put(topoId, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
                    } catch (NoSuchAlgorithmException e) {
                        throw new RuntimeException(e);
                    }
                } catch (KeyNotFoundException knf) {
                    LOG.debug("topo removed {}", topoId, knf);
                }
            }
        } finally {
            if (bs != null) {
                bs.shutdown();
            }
        }
        verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.STORMS_SUBTREE, topoToZkCreds, fixUp);
        verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on credentials where they can be leaked in some versions of storm.
        verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on logconfig where they can be leaked in some versions of storm.
        verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on backpressure too...
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, topoToZkCreds, fixUp);
        if (zk.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
            // because of this it means we need to auto create at least the topo-id directory for all running topos.
            for (String topoId : topoToZkCreds.keySet()) {
                String path = ClusterUtils.errorStormRoot(topoId);
                if (zk.checkExists().forPath(path) == null) {
                    LOG.warn("Creating missing errors location {}", path);
                    zk.create().withACL(getTopoReadWrite(path, topoId, topoToZkCreds, superUserAcl, fixUp)).forPath(path);
                }
            }
        }
        // Error should not be leaked according to the code, but they are not important enough to fail the build if
        // for some odd reason they are leaked.
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.ERRORS_SUBTREE, topoToZkCreds, fixUp);
        if (zk.checkExists().forPath(ClusterUtils.SECRET_KEYS_SUBTREE) != null) {
            verifyAclStrict(zk, superAcl, ClusterUtils.SECRET_KEYS_SUBTREE, fixUp);
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), fixUp);
            verifyAclStrictRecursive(zk, drpcFullAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.NIMBUSES_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath("/leader-lock") != null) {
            verifyAclStrictRecursive(zk, superAcl, "/leader-lock", fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.PROFILERCONFIG_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.SUPERVISORS_SUBTREE, fixUp);
        }
        // When moving to pacemaker workerbeats can be leaked too...
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, topoToZkCreds, fixUp);
    }
}
Also used : HashMap(java.util.HashMap) DefaultWatcherCallBack(org.apache.storm.callback.DefaultWatcherCallBack) ArrayList(java.util.ArrayList) ACL(org.apache.storm.shade.org.apache.zookeeper.data.ACL) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Subject(javax.security.auth.Subject) NimbusPrincipal(org.apache.storm.security.auth.NimbusPrincipal) CuratorFramework(org.apache.storm.shade.org.apache.curator.framework.CuratorFramework) ArrayList(java.util.ArrayList) List(java.util.List) Id(org.apache.storm.shade.org.apache.zookeeper.data.Id) BlobStore(org.apache.storm.blobstore.BlobStore) KeyNotFoundException(org.apache.storm.generated.KeyNotFoundException) HashSet(java.util.HashSet)

Example 8 with CuratorFramework

use of org.apache.storm.shade.org.apache.curator.framework.CuratorFramework in project storm by apache.

the class Nimbus method makeZKClient.

@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
private static CuratorFramework makeZKClient(Map<String, Object> conf) {
    List<String> servers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
    Object port = conf.get(Config.STORM_ZOOKEEPER_PORT);
    String root = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);
    CuratorFramework ret = null;
    if (servers != null && port != null) {
        ret = ClientZookeeper.mkClient(conf, servers, port, root, new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS);
    }
    return ret;
}
Also used : CuratorFramework(org.apache.storm.shade.org.apache.curator.framework.CuratorFramework) DefaultWatcherCallBack(org.apache.storm.callback.DefaultWatcherCallBack) ArrayList(java.util.ArrayList) List(java.util.List)

Aggregations

CuratorFramework (org.apache.storm.shade.org.apache.curator.framework.CuratorFramework)8 ArrayList (java.util.ArrayList)3 List (java.util.List)3 DefaultWatcherCallBack (org.apache.storm.callback.DefaultWatcherCallBack)2 ZookeeperAuthInfo (org.apache.storm.utils.ZookeeperAuthInfo)2 Test (org.junit.Test)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 HashMap (java.util.HashMap)1 HashSet (java.util.HashSet)1 Subject (javax.security.auth.Subject)1 TestingServer (org.apache.curator.test.TestingServer)1 BlobStore (org.apache.storm.blobstore.BlobStore)1 KeyNotFoundException (org.apache.storm.generated.KeyNotFoundException)1 NimbusInfo (org.apache.storm.nimbus.NimbusInfo)1 NimbusPrincipal (org.apache.storm.security.auth.NimbusPrincipal)1 ExponentialBackoffRetry (org.apache.storm.shade.org.apache.curator.retry.ExponentialBackoffRetry)1 WatchedEvent (org.apache.storm.shade.org.apache.zookeeper.WatchedEvent)1 ACL (org.apache.storm.shade.org.apache.zookeeper.data.ACL)1 Id (org.apache.storm.shade.org.apache.zookeeper.data.Id)1