Search in sources :

Example 1 with Id

use of org.apache.storm.shade.org.apache.zookeeper.data.Id in project storm by apache.

the class ClusterUtils method mkTopoAcls.

private static List<ACL> mkTopoAcls(Map<String, Object> topoConf, int perms) {
    List<ACL> aclList = null;
    String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
    if (Utils.isZkAuthenticationConfiguredTopology(topoConf)) {
        aclList = new ArrayList<>();
        ACL acl1 = ZooDefs.Ids.CREATOR_ALL_ACL.get(0);
        aclList.add(acl1);
        try {
            ACL acl2 = new ACL(perms, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
            aclList.add(acl2);
        } catch (NoSuchAlgorithmException e) {
            // Should only happen on a badly configured system
            throw new RuntimeException(e);
        }
    }
    return aclList;
}
Also used : ACL(org.apache.storm.shade.org.apache.zookeeper.data.ACL) Id(org.apache.storm.shade.org.apache.zookeeper.data.Id) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)

Example 2 with Id

use of org.apache.storm.shade.org.apache.zookeeper.data.Id in project storm by apache.

the class DaemonTypeTest method getDefaultZkAclsSecureWorkerConf.

@Test
public void getDefaultZkAclsSecureWorkerConf() {
    Map<String, Object> conf = ConfigUtils.readStormConfig();
    conf.put(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_SCHEME, "digest");
    conf.put(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD, "storm:thisisapoorpassword");
    conf.put(Config.STORM_ZOOKEEPER_SUPERACL, "sasl:nimbus");
    conf.put(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, DefaultPrincipalToLocal.class.getName());
    conf.put(Config.NIMBUS_THRIFT_PORT, 6666);
    assertNull(DaemonType.UNKNOWN.getDefaultZkAcls(conf));
    assertNull(DaemonType.PACEMAKER.getDefaultZkAcls(conf));
    assertNull(DaemonType.SUPERVISOR.getDefaultZkAcls(conf));
    assertNull(DaemonType.NIMBUS.getDefaultZkAcls(conf));
    List<ACL> expected = new ArrayList<>(ZooDefs.Ids.CREATOR_ALL_ACL);
    expected.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", "nimbus")));
    assertEquals(expected, DaemonType.WORKER.getDefaultZkAcls(conf));
}
Also used : ArrayList(java.util.ArrayList) ACL(org.apache.storm.shade.org.apache.zookeeper.data.ACL) Id(org.apache.storm.shade.org.apache.zookeeper.data.Id) DefaultPrincipalToLocal(org.apache.storm.security.auth.DefaultPrincipalToLocal) Test(org.junit.Test)

Example 3 with Id

use of org.apache.storm.shade.org.apache.zookeeper.data.Id in project storm by apache.

the class AclEnforcement method getTopoAcl.

private static List<ACL> getTopoAcl(String path, String topoId, Map<String, Id> topoToZkCreds, ACL superAcl, boolean fixUp, int perms) {
    Id id = topoToZkCreds.get(topoId);
    if (id == null) {
        String error = "Could not find credentials for topology " + topoId + " at path " + path + ".";
        if (fixUp) {
            error += " Don't know how to fix this automatically. Please add needed ACLs, or delete the path.";
        }
        throw new IllegalStateException(error);
    }
    List<ACL> ret = new ArrayList<>(2);
    ret.add(superAcl);
    ret.add(new ACL(perms, id));
    return ret;
}
Also used : ArrayList(java.util.ArrayList) ACL(org.apache.storm.shade.org.apache.zookeeper.data.ACL) Id(org.apache.storm.shade.org.apache.zookeeper.data.Id)

Example 4 with Id

use of org.apache.storm.shade.org.apache.zookeeper.data.Id in project storm by apache.

the class AclEnforcement method verifyAcls.

/**
 * Verify the ZK ACLs are correct and optionally fix them if needed.
 * @param conf the cluster config.
 * @param fixUp true if we want to fix the ACLs else false.
 * @throws Exception on any error.
 */
public static void verifyAcls(Map<String, Object> conf, final boolean fixUp) throws Exception {
    if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
        LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
        // There is no security so we are done.
        return;
    }
    ACL superUserAcl = Utils.getSuperUserAcl(conf);
    List<ACL> superAcl = new ArrayList<>(1);
    superAcl.add(superUserAcl);
    List<ACL> drpcFullAcl = new ArrayList<>(2);
    drpcFullAcl.add(superUserAcl);
    String drpcAclString = (String) conf.get(Config.STORM_ZOOKEEPER_DRPC_ACL);
    if (drpcAclString != null) {
        Id drpcAclId = Utils.parseZkId(drpcAclString, Config.STORM_ZOOKEEPER_DRPC_ACL);
        ACL drpcUserAcl = new ACL(ZooDefs.Perms.READ, drpcAclId);
        drpcFullAcl.add(drpcUserAcl);
    }
    List<String> zkServers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
    int port = ObjectReader.getInt(conf.get(Config.STORM_ZOOKEEPER_PORT));
    String stormRoot = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);
    try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, "", new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
        if (zk.checkExists().forPath(stormRoot) != null) {
            // First off we want to verify that ROOT is good
            verifyAclStrict(zk, superAcl, stormRoot, fixUp);
        } else {
            LOG.warn("{} does not exist no need to check any more...", stormRoot);
            return;
        }
    }
    // Now that the root is fine we can start to look at the other paths under it.
    try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, stormRoot, new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
        // Next verify that the blob store is correct before we start it up.
        if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.BLOBSTORE_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
            verifyAclStrict(zk, superAcl, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, fixUp);
        }
        // The blobstore is good, now lets get the list of all topo Ids
        Set<String> topoIds = new HashSet<>();
        if (zk.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
            topoIds.addAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
        }
        Map<String, Id> topoToZkCreds = new HashMap<>();
        // Now lets get the creds for the topos so we can verify those as well.
        BlobStore bs = ServerUtils.getNimbusBlobStore(conf, NimbusInfo.fromConf(conf), null);
        try {
            Subject nimbusSubject = new Subject();
            nimbusSubject.getPrincipals().add(new NimbusPrincipal());
            for (String topoId : topoIds) {
                try {
                    String blobKey = topoId + "-stormconf.ser";
                    Map<String, Object> topoConf = Utils.fromCompressedJsonConf(bs.readBlob(blobKey, nimbusSubject));
                    String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
                    try {
                        topoToZkCreds.put(topoId, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
                    } catch (NoSuchAlgorithmException e) {
                        throw new RuntimeException(e);
                    }
                } catch (KeyNotFoundException knf) {
                    LOG.debug("topo removed {}", topoId, knf);
                }
            }
        } finally {
            if (bs != null) {
                bs.shutdown();
            }
        }
        verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.STORMS_SUBTREE, topoToZkCreds, fixUp);
        verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on credentials where they can be leaked in some versions of storm.
        verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on logconfig where they can be leaked in some versions of storm.
        verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, topoToZkCreds, fixUp);
        // There is a race on backpressure too...
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, topoToZkCreds, fixUp);
        if (zk.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
            // because of this it means we need to auto create at least the topo-id directory for all running topos.
            for (String topoId : topoToZkCreds.keySet()) {
                String path = ClusterUtils.errorStormRoot(topoId);
                if (zk.checkExists().forPath(path) == null) {
                    LOG.warn("Creating missing errors location {}", path);
                    zk.create().withACL(getTopoReadWrite(path, topoId, topoToZkCreds, superUserAcl, fixUp)).forPath(path);
                }
            }
        }
        // Error should not be leaked according to the code, but they are not important enough to fail the build if
        // for some odd reason they are leaked.
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.ERRORS_SUBTREE, topoToZkCreds, fixUp);
        if (zk.checkExists().forPath(ClusterUtils.SECRET_KEYS_SUBTREE) != null) {
            verifyAclStrict(zk, superAcl, ClusterUtils.SECRET_KEYS_SUBTREE, fixUp);
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), fixUp);
            verifyAclStrictRecursive(zk, drpcFullAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.NIMBUSES_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath("/leader-lock") != null) {
            verifyAclStrictRecursive(zk, superAcl, "/leader-lock", fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.PROFILERCONFIG_SUBTREE, fixUp);
        }
        if (zk.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
            verifyAclStrictRecursive(zk, superAcl, ClusterUtils.SUPERVISORS_SUBTREE, fixUp);
        }
        // When moving to pacemaker workerbeats can be leaked too...
        verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, topoToZkCreds, fixUp);
    }
}
Also used : HashMap(java.util.HashMap) DefaultWatcherCallBack(org.apache.storm.callback.DefaultWatcherCallBack) ArrayList(java.util.ArrayList) ACL(org.apache.storm.shade.org.apache.zookeeper.data.ACL) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Subject(javax.security.auth.Subject) NimbusPrincipal(org.apache.storm.security.auth.NimbusPrincipal) CuratorFramework(org.apache.storm.shade.org.apache.curator.framework.CuratorFramework) ArrayList(java.util.ArrayList) List(java.util.List) Id(org.apache.storm.shade.org.apache.zookeeper.data.Id) BlobStore(org.apache.storm.blobstore.BlobStore) KeyNotFoundException(org.apache.storm.generated.KeyNotFoundException) HashSet(java.util.HashSet)

Aggregations

ACL (org.apache.storm.shade.org.apache.zookeeper.data.ACL)4 Id (org.apache.storm.shade.org.apache.zookeeper.data.Id)4 ArrayList (java.util.ArrayList)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 HashMap (java.util.HashMap)1 HashSet (java.util.HashSet)1 List (java.util.List)1 Subject (javax.security.auth.Subject)1 BlobStore (org.apache.storm.blobstore.BlobStore)1 DefaultWatcherCallBack (org.apache.storm.callback.DefaultWatcherCallBack)1 KeyNotFoundException (org.apache.storm.generated.KeyNotFoundException)1 DefaultPrincipalToLocal (org.apache.storm.security.auth.DefaultPrincipalToLocal)1 NimbusPrincipal (org.apache.storm.security.auth.NimbusPrincipal)1 CuratorFramework (org.apache.storm.shade.org.apache.curator.framework.CuratorFramework)1 Test (org.junit.Test)1