
Example 81 with ACL

Use of org.apache.zookeeper.data.ACL in project storm by apache.

The class Utils, method getWorkerACL.

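/**
 * Builds the ACL list applied to worker znodes when ZooKeeper authentication is enabled for the
 * topology: the creator keeps ALL ({@code CREATOR_ALL_ACL}) and the configured super user is
 * additionally granted ALL under its own {@code scheme:id}.
 * <p>
 * This is a work around for a ZooKeeper issue where a SASL super user is not treated as super
 * unless an explicit SASL ACL entry exists, so the entry is added here to give the correct perms.
 *
 * @param conf topology configuration
 * @return the ACL list to apply, or {@code null} when ZK authentication is not configured for the
 *         topology
 * @throws IllegalArgumentException if authentication is enabled but
 *         {@code Config.STORM_ZOOKEEPER_SUPERACL} is unset, is not of the form {@code scheme:id},
 *         or has an empty scheme or id
 */
public static List<ACL> getWorkerACL(Map conf) {
    if (!isZkAuthenticationConfiguredTopology(conf)) {
        return null;
    }
    String stormZKUser = (String) conf.get(Config.STORM_ZOOKEEPER_SUPERACL);
    if (stormZKUser == null) {
        throw new IllegalArgumentException("Authentication is enabled but " + Config.STORM_ZOOKEEPER_SUPERACL + " is not set");
    }
    // Split on the first ':' only: the id part may itself contain ':'.
    String[] split = stormZKUser.split(":", 2);
    // Reject an empty scheme or id (e.g. "sasl:") here, so a misconfiguration fails fast instead
    // of producing an ACL entry for an empty principal.
    if (split.length != 2 || split[0].isEmpty() || split[1].isEmpty()) {
        throw new IllegalArgumentException(Config.STORM_ZOOKEEPER_SUPERACL + " does not appear to be in the form scheme:acl, i.e. sasl:storm-user");
    }
    List<ACL> ret = new ArrayList<ACL>(ZooDefs.Ids.CREATOR_ALL_ACL);
    ret.add(new ACL(ZooDefs.Perms.ALL, new Id(split[0], split[1])));
    return ret;
}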

Example 82 with ACL

Use of org.apache.zookeeper.data.ACL in project hbase by apache.

The class ZooKeeperWatcher, method isBaseZnodeAclSetup.

/**
 * Tests whether the ACL list read from the base znode (/hbase) matches the secure layout:
 * every configured superuser holds ALL, the "anyone" entry holds exactly READ, and the
 * {@code sasl} entry for the current user holds ALL. An empty list, any entry with other
 * permissions, a {@code sasl} entry for a different user, or an entry of any other kind fails
 * the check.
 *
 * @param acls ACL entries fetched from ZooKeeper for the base znode
 * @return whether the ACLs are those expected of a secure setup
 * @throws IOException if the current user cannot be resolved
 */
private boolean isBaseZnodeAclSetup(List<ACL> acls) throws IOException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking znode ACLs");
    }
    String[] superUsers = conf.getStrings(Superusers.SUPERUSER_CONF_KEY);
    boolean haveSuperUsers = superUsers != null;
    // Every configured superuser must be covered before the entries are inspected one by one.
    if (haveSuperUsers && !checkACLForSuperUsers(superUsers, acls)) {
        return false;
    }
    // This assumes the current authenticated user is the ZooKeeper client user configured via JAAS.
    String currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
    if (acls.isEmpty()) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ACL is empty");
        }
        return false;
    }
    for (ACL entry : acls) {
        Id id = entry.getId();
        int perms = entry.getPerms();
        // Classify the entry, then compare its permissions against what that class should hold.
        int wanted;
        if (Ids.ANYONE_ID_UNSAFE.equals(id)) {
            wanted = Perms.READ;
        } else if (haveSuperUsers && isSuperUserId(superUsers, id)) {
            wanted = Perms.ALL;
        } else if ("sasl".equals(id.getScheme())) {
            String principal = id.getId();
            // If ZooKeeper recorded the Kerberos full name in the ACL, use only the shortname.
            Matcher m = NAME_PATTERN.matcher(principal);
            if (m.matches()) {
                principal = m.group(1);
            }
            if (!principal.equals(currentUser)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Unexpected shortname in SASL ACL: " + id);
                }
                return false;
            }
            wanted = Perms.ALL;
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("unexpected ACL id '" + id + "'");
            }
            return false;
        }
        if (perms != wanted) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("permissions for '%s' are not correct: have 0x%x, want 0x%x", id, perms, wanted));
            }
            return false;
        }
    }
    return true;
}

Example 83 with ACL

Use of org.apache.zookeeper.data.ACL in project hbase by apache.

The class ZooKeeperWatcher, method checkAndSetZNodeAcls.

/**
 * On master start, checks that the znode ACLs under the base znode match the secure layout and
 * rewrites them recursively if they do not. This matters when a cluster moves from an unsecure
 * to a secure setup: znodes created with open permissions would otherwise keep them.
 * <p>
 * Handling is best-effort: in a non-secure deployment nothing is done, a missing base znode is
 * treated as nothing to fix, an interruption is handed to {@link #interruptedException}, and any
 * other ZooKeeper or I/O error is only logged as a warning, so the master continues even when
 * the ACLs could not be tightened.
 */
public void checkAndSetZNodeAcls() {
    if (!ZKUtil.isSecureZooKeeper(getConfiguration())) {
        LOG.info("not a secure deployment, proceeding");
        return;
    }
    try {
        Stat stat = new Stat();
        List<ACL> currentAcls = recoverableZooKeeper.getAcl(znodePaths.baseZNode, stat);
        if (isBaseZnodeAclSetup(currentAcls)) {
            return;
        }
        LOG.info("setting znode ACLs");
        setZnodeAclsRecursive(znodePaths.baseZNode);
    } catch (KeeperException.NoNodeException nne) {
        // The base znode is absent, so there is nothing to secure yet.
        return;
    } catch (InterruptedException ie) {
        interruptedException(ie);
    } catch (IOException | KeeperException e) {
        LOG.warn("Received exception while checking and setting zookeeper ACLs", e);
    }
}

Example 84 with ACL

Use of org.apache.zookeeper.data.ACL in project hbase by apache.

The class ZKUtil, method createACL.

/**
 * Computes the ACL to use when creating {@code node}.
 * <p>
 * Nodes outside the HBase base znode, and every node in a non-secure deployment, get
 * {@code Ids.OPEN_ACL_UNSAFE}. In a secure deployment the ACL grants ALL to the creator and to
 * each configured non-group superuser via the {@code sasl} scheme; nodes the watcher reports as
 * client-readable additionally grant world READ so non-authenticated clients can read them.
 * Group superusers are skipped with a warning because ZooKeeper does not support group ACLs.
 *
 * @param zkw watcher providing the configuration and znode paths
 * @param node full path of the znode being created
 * @param isSecureZooKeeper whether ZooKeeper security is enabled
 * @return the ACL list for the node; the open branches return ZooKeeper's shared
 *         {@code Ids.OPEN_ACL_UNSAFE} instance itself rather than a copy, so callers must not
 *         modify the returned list in that case
 */
public static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node, boolean isSecureZooKeeper) {
    boolean underBase = node.startsWith(zkw.znodePaths.baseZNode);
    if (!underBase || !isSecureZooKeeper) {
        return Ids.OPEN_ACL_UNSAFE;
    }
    ArrayList<ACL> acls = new ArrayList<>();
    // Grant full access to each configured HBase superuser.
    String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
    if (superUsers != null) {
        List<String> skippedGroups = new ArrayList<>();
        for (String principal : superUsers) {
            if (AuthUtil.isGroupPrincipal(principal)) {
                // TODO: Set node ACL for groups when ZK supports this feature
                skippedGroups.add(principal);
            } else {
                acls.add(new ACL(Perms.ALL, new Id("sasl", principal)));
            }
        }
        if (!skippedGroups.isEmpty()) {
            LOG.warn("Znode ACL setting for group " + skippedGroups + " is skipped, ZooKeeper doesn't support this feature presently.");
        }
    }
    acls.addAll(Ids.CREATOR_ALL_ACL);
    if (zkw.isClientReadable(node)) {
        // Client-readable znodes must be readable by non-authenticated clients.
        acls.addAll(Ids.READ_ACL_UNSAFE);
    }
    return acls;
}

Example 85 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

The class TestSecureRMRegistryOperations, method testDigestAccess.

/**
 * Exercises digest-based access: registers a digest write accessor on the admin service, creates
 * a znode and checks that a digest-scheme entry appears in its ACL, then opens an authenticated
 * client with the same id/password and verifies it can stat the node and create a child under it.
 */
@Test
public void testDigestAccess() throws Throwable {
    RMRegistryOperationsService admin = startRMRegistryOperations();
    String user = "username";
    String secret = "password";
    admin.addWriteAccessor(user, secret);
    LOG.info("Client ACLS=\n{}", RegistrySecurity.aclsToString(admin.getClientAcls()));
    String base = "/digested";
    admin.mknode(base, false);
    List<ACL> baseAcls = admin.zkGetACLS(base);
    String aclText = RegistrySecurity.aclsToString(baseAcls);
    LOG.info("Base ACLs=\n{}", aclText);
    // The znode must carry at least one digest-scheme entry for the accessor just added.
    ACL digestEntry = null;
    for (ACL candidate : baseAcls) {
        if (ZookeeperConfigOptions.SCHEME_DIGEST.equals(candidate.getId().getScheme())) {
            digestEntry = candidate;
            break;
        }
    }
    assertNotNull("Did not find digest entry in ACLs " + aclText, digestEntry);
    zkClientConf.set(KEY_REGISTRY_USER_ACCOUNTS, "sasl:somebody@EXAMPLE.COM, sasl:other");
    RegistryOperations client = RegistryOperationsFactory.createAuthenticatedInstance(zkClientConf, user, secret);
    addToTeardown(client);
    client.start();
    RegistryOperationsClient typedClient = (RegistryOperationsClient) client;
    LOG.info("digest client ACLs=\n{}", RegistrySecurity.aclsToString(typedClient.getClientAcls()));
    // A read (stat) and a write (mknode) must both succeed with the digest credentials.
    client.stat(base);
    client.mknode(base + "/subdir", false);
    ZKPathDumper dumper = admin.dumpPath(true);
    LOG.info(dumper.toString());
}
