Example 11 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

Class TestRegistrySecurityHelper, method testUGIProperties.

@Test
public void testUGIProperties() throws Throwable {
    UserGroupInformation user = UserGroupInformation.getCurrentUser();
    ACL acl = registrySecurity.createACLForUser(user, ZooDefs.Perms.ALL);
    assertFalse(RegistrySecurity.ALL_READWRITE_ACCESS.equals(acl));
    LOG.info("User {} has ACL {}", user, acl);
}
Also used : ACL(org.apache.zookeeper.data.ACL) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 12 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

Class TestSecureLogins, method testUGILogin.

@Test
public void testUGILogin() throws Throwable {
    UserGroupInformation ugi = loginUGI(ZOOKEEPER, keytab_zk);
    RegistrySecurity.UgiInfo ugiInfo = new RegistrySecurity.UgiInfo(ugi);
    LOG.info("logged in as: {}", ugiInfo);
    assertTrue("security is not enabled: " + ugiInfo, UserGroupInformation.isSecurityEnabled());
    assertTrue("login is keytab based: " + ugiInfo, ugi.isFromKeytab());
    // now we are here, build a SASL ACL
    ACL acl = ugi.doAs(new PrivilegedExceptionAction<ACL>() {

        @Override
        public ACL run() throws Exception {
            return registrySecurity.createSaslACLFromCurrentUser(0);
        }
    });
    assertEquals(ZOOKEEPER_REALM, acl.getId().getId());
    assertEquals(ZookeeperConfigOptions.SCHEME_SASL, acl.getId().getScheme());
    registrySecurity.addSystemACL(acl);
}
Also used : RegistrySecurity(org.apache.hadoop.registry.client.impl.zk.RegistrySecurity) ACL(org.apache.zookeeper.data.ACL) LoginException(javax.security.auth.login.LoginException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 13 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

Class ZKRMStateStore, method constructZkRootNodeACL.

/**
 * Given the {@link Configuration} and {@link ACL}s used (sourceACLs) for
 * ZooKeeper access, construct the {@link ACL}s for the store's root node.
 * In the constructed {@link ACL}, all the users allowed by sourceACLs are
 * given read-write-admin access, while the current RM has exclusive
 * create-delete access.
 *
 * To be called only when HA is enabled and the configuration doesn't set an
 * ACL for the root node.
 * @param conf the configuration
 * @param sourceACLs the source ACLs
 * @return ACLs for the store's root node
 * @throws java.security.NoSuchAlgorithmException thrown if the digest
 * algorithm used by Zookeeper cannot be found
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
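    List<ACL> zkRootNodeAclList = new ArrayList<>();
    // Copy every source ACL with create and delete stripped, keeping its other permissions.
    for (ACL acl : sourceACLs) {
        zkRootNodeAclList.add(new ACL(ZKUtil.removeSpecificPerms(acl.getPerms(), CREATE_DELETE_PERMS), acl.getId()));
    }
    // The root-node username is this RM instance's configured address.
    zkRootNodeUsername = HAUtil.getConfValueForRMInstance(YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
    // Build the RM's Id from a digest of "username:password"; the password is not stored in the ACL in clear text.
    Id rmId = new Id(zkRootNodeAuthScheme, DigestAuthenticationProvider.generateDigest(zkRootNodeUsername + ":" + resourceManager.getZkRootNodePassword()));
    // Only the RM's Id receives create-delete on the root node.
    zkRootNodeAclList.add(new ACL(CREATE_DELETE_PERMS, rmId));
    return zkRootNodeAclList;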
}
Also used : ArrayList(java.util.ArrayList) ACL(org.apache.zookeeper.data.ACL) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) ReservationId(org.apache.hadoop.yarn.api.records.ReservationId) Id(org.apache.zookeeper.data.Id) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Private(org.apache.hadoop.classification.InterfaceAudience.Private) Unstable(org.apache.hadoop.classification.InterfaceStability.Unstable)

Example 14 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

Class ZKRMStateStore, method logRootNodeAcls.

private void logRootNodeAcls(String prefix) throws Exception {
    // getStat is never passed to getACL(), so it still holds default values when appended below.
    Stat getStat = new Stat();
    List<ACL> getAcls = getACL(zkRootNodePath);
    StringBuilder builder = new StringBuilder();
    builder.append(prefix);
    for (ACL acl : getAcls) {
        builder.append(acl.toString());
    }
    builder.append(getStat.toString());
    LOG.debug(builder.toString());
}
Also used : Stat(org.apache.zookeeper.data.Stat) ACL(org.apache.zookeeper.data.ACL)

Example 15 with ACL

Use of org.apache.zookeeper.data.ACL in project hadoop by apache.

Class TestZKUtil, method testGoodACLs.

@Test
public void testGoodACLs() {
    List<ACL> result = ZKUtil.parseACLs("sasl:hdfs/host1@MY.DOMAIN:cdrwa, sasl:hdfs/host2@MY.DOMAIN:ca");
    ACL acl0 = result.get(0);
    assertEquals(Perms.CREATE | Perms.DELETE | Perms.READ | Perms.WRITE | Perms.ADMIN, acl0.getPerms());
    assertEquals("sasl", acl0.getId().getScheme());
    assertEquals("hdfs/host1@MY.DOMAIN", acl0.getId().getId());
    ACL acl1 = result.get(1);
    assertEquals(Perms.CREATE | Perms.ADMIN, acl1.getPerms());
    assertEquals("sasl", acl1.getId().getScheme());
    assertEquals("hdfs/host2@MY.DOMAIN", acl1.getId().getId());
}
Also used : ACL(org.apache.zookeeper.data.ACL) Test(org.junit.Test)

Aggregations

ACL (org.apache.zookeeper.data.ACL) 214
Id (org.apache.zookeeper.data.Id) 83
ArrayList (java.util.ArrayList) 58
Test (org.junit.Test) 58
Stat (org.apache.zookeeper.data.Stat) 53
KeeperException (org.apache.zookeeper.KeeperException) 35
Test (org.testng.annotations.Test) 32
CuratorFramework (org.apache.curator.framework.CuratorFramework) 19
Test (org.junit.jupiter.api.Test) 18
Configuration (org.apache.hadoop.conf.Configuration) 17
ZooKeeper (org.apache.zookeeper.ZooKeeper) 16
ACLProvider (org.apache.curator.framework.api.ACLProvider) 15
List (java.util.List) 11
IOException (java.io.IOException) 10
CountDownLatch (java.util.concurrent.CountDownLatch) 9
TestableZooKeeper (org.apache.zookeeper.TestableZooKeeper) 7
ByteArrayOutputStream (java.io.ByteArrayOutputStream) 6
ExponentialBackoffRetry (org.apache.curator.retry.ExponentialBackoffRetry) 6
RetryOneTime (org.apache.curator.retry.RetryOneTime) 6
CreateMode (org.apache.zookeeper.CreateMode) 6