use of org.apache.zookeeper.data.ACL in project knox by apache.
the class RemoteConfigurationRegistryClientServiceTest method initializeTestClientAndZNodes.
/**
* Create a ZooKeeper client with SASL digest auth configured, and initialize the test znodes.
*/
private CuratorFramework initializeTestClientAndZNodes(TestingCluster zkCluster, String principal) throws Exception {
// Create the client for the test cluster
CuratorFramework setupClient = CuratorFrameworkFactory.builder().connectString(zkCluster.getConnectString()).retryPolicy(new ExponentialBackoffRetry(100, 3)).build();
assertNotNull(setupClient);
setupClient.start();
List<ACL> acls = new ArrayList<>();
if (principal != null) {
acls.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
} else {
acls.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE));
}
setupClient.create().creatingParentsIfNeeded().withACL(acls).forPath("/knox/config/descriptors");
setupClient.create().creatingParentsIfNeeded().withACL(acls).forPath("/knox/config/shared-providers");
List<ACL> negativeACLs = new ArrayList<>();
if (principal != null) {
negativeACLs.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", "notyou")));
} else {
negativeACLs.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE));
}
setupClient.create().creatingParentsIfNeeded().withACL(negativeACLs).forPath("/someotherconfig");
return setupClient;
}
use of org.apache.zookeeper.data.ACL in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL.
@Test
public void testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL() throws Exception {
final String configMonitorName = "zkConfigClient";
final String alias = "zkPass";
// Setup the base GatewayConfig mock
GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;" + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
EasyMock.replay(gc);
AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
EasyMock.replay(aliasService);
RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
clientService.setAliasService(aliasService);
clientService.init(gc, Collections.emptyMap());
clientService.start();
RemoteConfigurationMonitorFactory.setClientService(clientService);
RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
assertNotNull("Failed to load RemoteConfigurationMonitor", cm);
final ACL ANY_AUTHENTICATED_USER_ALL = new ACL(ZooDefs.Perms.ALL, new Id("auth", ""));
List<ACL> acls = Arrays.asList(ANY_AUTHENTICATED_USER_ALL, new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE));
client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX);
client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_CONFIG);
client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_PROVIDERS);
client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_DESCRIPTORS);
// Make sure both ACLs were applied
List<ACL> preACLs = client.getACL().forPath(PATH_KNOX);
assertEquals(2, preACLs.size());
// Check that the config nodes really do exist (the monitor will NOT create them if they're present)
assertNotNull(client.checkExists().forPath(PATH_KNOX));
assertNotNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
assertNotNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
assertNotNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));
try {
cm.start();
} catch (Exception e) {
fail("Failed to start monitor: " + e.getMessage());
}
// Validate the expected ACLs on the Knox config znodes (make sure the monitor removed the world:anyone ACL)
List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
}
use of org.apache.zookeeper.data.ACL in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLCreateNodes.
@Test
public void testZooKeeperConfigMonitorSASLCreateNodes() throws Exception {
final String configMonitorName = "zkConfigClient";
final String alias = "zkPass";
// Setup the base GatewayConfig mock
GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;" + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
EasyMock.replay(gc);
AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
EasyMock.replay(aliasService);
RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
clientService.setAliasService(aliasService);
clientService.init(gc, Collections.emptyMap());
clientService.start();
RemoteConfigurationMonitorFactory.setClientService(clientService);
RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
assertNotNull("Failed to load RemoteConfigurationMonitor", cm);
// Check that the config nodes really don't yet exist (the monitor will create them if they're not present)
assertNull(client.checkExists().forPath(PATH_KNOX));
assertNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
assertNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
assertNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));
try {
cm.start();
} catch (Exception e) {
fail("Failed to start monitor: " + e.getMessage());
}
// Test auth violation
clientService.get(configMonitorName).createEntry("/auth_test/child_node/test1");
assertNull("Creation should have been prevented since write access is not granted to the test client.", client.checkExists().forPath("/auth_test/child_node/test1"));
assertTrue("Creation should have been prevented since write access is not granted to the test client.", client.getChildren().forPath("/auth_test/child_node").isEmpty());
// Validate the expected ACLs on the Knox config znodes (make sure the monitor created them correctly)
List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
// Test the Knox config nodes, for which authentication should be sufficient for access
try {
final String pc_one_znode = getProviderPath("providers-config1.xml");
final File pc_one = new File(providersDir, "providers-config1.xml");
final String pc_two_znode = getProviderPath("providers-config2.xml");
final File pc_two = new File(providersDir, "providers-config2.xml");
client.create().withMode(CreateMode.PERSISTENT).forPath(pc_one_znode, TEST_PROVIDERS_CONFIG_1.getBytes());
Thread.sleep(100);
assertTrue(pc_one.exists());
assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(pc_one));
client.create().withMode(CreateMode.PERSISTENT).forPath(getProviderPath("providers-config2.xml"), TEST_PROVIDERS_CONFIG_2.getBytes());
Thread.sleep(100);
assertTrue(pc_two.exists());
assertEquals(TEST_PROVIDERS_CONFIG_2, FileUtils.readFileToString(pc_two));
client.setData().forPath(pc_two_znode, TEST_PROVIDERS_CONFIG_1.getBytes());
Thread.sleep(100);
assertTrue(pc_two.exists());
assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(pc_two));
client.delete().forPath(pc_two_znode);
Thread.sleep(100);
assertFalse(pc_two.exists());
client.delete().forPath(pc_one_znode);
Thread.sleep(100);
assertFalse(pc_one.exists());
final String desc_one_znode = getDescriptorPath("test1.json");
final String desc_two_znode = getDescriptorPath("test2.json");
final String desc_three_znode = getDescriptorPath("test3.json");
final File desc_one = new File(descriptorsDir, "test1.json");
final File desc_two = new File(descriptorsDir, "test2.json");
final File desc_three = new File(descriptorsDir, "test3.json");
client.create().withMode(CreateMode.PERSISTENT).forPath(desc_one_znode, TEST_DESCRIPTOR_1.getBytes());
Thread.sleep(100);
assertTrue(desc_one.exists());
assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_one));
client.create().withMode(CreateMode.PERSISTENT).forPath(desc_two_znode, TEST_DESCRIPTOR_1.getBytes());
Thread.sleep(100);
assertTrue(desc_two.exists());
assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_two));
client.setData().forPath(desc_two_znode, TEST_DESCRIPTOR_2.getBytes());
Thread.sleep(100);
assertTrue(desc_two.exists());
assertEquals(TEST_DESCRIPTOR_2, FileUtils.readFileToString(desc_two));
client.create().withMode(CreateMode.PERSISTENT).forPath(desc_three_znode, TEST_DESCRIPTOR_1.getBytes());
Thread.sleep(100);
assertTrue(desc_three.exists());
assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_three));
client.delete().forPath(desc_two_znode);
Thread.sleep(100);
assertFalse("Expected test2.json to have been deleted.", desc_two.exists());
client.delete().forPath(desc_three_znode);
Thread.sleep(100);
assertFalse(desc_three.exists());
client.delete().forPath(desc_one_znode);
Thread.sleep(100);
assertFalse(desc_one.exists());
} finally {
cm.stop();
}
}
use of org.apache.zookeeper.data.ACL in project parseq by linkedin.
the class TestZKClient method testGetData.
@Test
public void testGetData() {
final String path = "/testGetData";
final byte[] data = "hello world2".getBytes();
Task<String> create = _zkClient.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
runAndWait("create", create);
Task<ZKData> getData = _zkClient.getData(path);
runAndWait("getData", getData);
byte[] dataResult = getData.get().getBytes();
Stat statResult = getData.get().getStat();
List<ACL> acl = getData.get().getAclList();
Assert.assertNotNull(dataResult);
Assert.assertNotNull(statResult);
Assert.assertEquals(dataResult, data);
Assert.assertEquals(statResult.getVersion(), 0);
Assert.assertEquals(statResult.getDataLength(), data.length);
Assert.assertEquals(acl, ZooDefs.Ids.OPEN_ACL_UNSAFE);
}
use of org.apache.zookeeper.data.ACL in project parseq by linkedin.
the class TestZKClient method testAcl.
@Test
public void testAcl() throws NoSuchAlgorithmException {
final String path = "/testAcl";
final byte[] data = "hello world".getBytes();
final String scheme = "digest";
final String authString = "test:test";
final Id authId = new Id(scheme, DigestAuthenticationProvider.generateDigest(authString));
final List<ACL> creatorDelete = new ArrayList<>(Collections.singletonList(new ACL(25, authId)));
_zkClient.addAuthInfo(scheme, authString.getBytes());
Task<String> create = _zkClient.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
runAndWait("create", create);
Task<ZKData> getData = _zkClient.getData(path);
Task<Stat> setACL = getData.flatMap(results -> _zkClient.setACL(path, creatorDelete, results.getStat().getVersion()));
runAndWait("setACL", setACL);
// before #setACL
Assert.assertEquals(getData.get().getAclList(), OPEN_ACL_UNSAFE);
// after #setACL: setACL will not change the version number
Assert.assertEquals(setACL.get().getVersion(), 0);
getData = _zkClient.getData(path);
runAndWait("getData", getData);
Assert.assertEquals(getData.get().getAclList(), creatorDelete);
}
Aggregations