
Example 31 with ACL

use of org.apache.zookeeper.data.ACL in project knox by apache.

the class RemoteConfigurationRegistryClientServiceTest method initializeTestClientAndZNodes.

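/**
 * Create and start a ZooKeeper client for the test cluster, then create the znodes the tests need.
 *
 * <p>When {@code principal} is given, the Knox config znodes are owned exclusively by that SASL
 * identity and {@code /someotherconfig} by a different SASL identity ({@code notyou}), so a client
 * authenticated as {@code principal} must be denied there. When {@code principal} is {@code null}
 * every znode is created world-accessible ({@code ANYONE_ID_UNSAFE}), so the "negative" node is not
 * actually restricted in that mode.
 *
 * <p>If znode creation fails, the started client is closed before the exception propagates so the
 * connection does not leak.
 *
 * @param zkCluster the in-process test cluster to connect to
 * @param principal SASL principal to grant access to, or {@code null} for an unauthenticated setup
 * @return the started client, which the caller owns and must close
 * @throws Exception on any connection or znode creation failure
 */
private CuratorFramework initializeTestClientAndZNodes(TestingCluster zkCluster, String principal) throws Exception {
    // Create the client for the test cluster
    CuratorFramework setupClient = CuratorFrameworkFactory.builder()
            .connectString(zkCluster.getConnectString())
            .retryPolicy(new ExponentialBackoffRetry(100, 3))
            .build();
    assertNotNull(setupClient);
    setupClient.start();
    try {
        // Owner of the Knox config tree: the test principal, or world:anyone when unauthenticated
        Id configOwner = (principal != null) ? new Id("sasl", principal) : ZooDefs.Ids.ANYONE_ID_UNSAFE;
        List<ACL> acls = new ArrayList<>();
        acls.add(new ACL(ZooDefs.Perms.ALL, configOwner));
        setupClient.create().creatingParentsIfNeeded().withACL(acls).forPath("/knox/config/descriptors");
        setupClient.create().creatingParentsIfNeeded().withACL(acls).forPath("/knox/config/shared-providers");

        // A node owned by someone else, used to check that the test principal is refused access
        Id otherOwner = (principal != null) ? new Id("sasl", "notyou") : ZooDefs.Ids.ANYONE_ID_UNSAFE;
        List<ACL> negativeACLs = new ArrayList<>();
        negativeACLs.add(new ACL(ZooDefs.Perms.ALL, otherOwner));
        setupClient.create().creatingParentsIfNeeded().withACL(negativeACLs).forPath("/someotherconfig");

        return setupClient;
    } catch (Exception e) {
        // The caller never receives the client on failure, so it must be closed here
        setupClient.close();
        throw e;
    }
}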
Also used : CuratorFramework(org.apache.curator.framework.CuratorFramework) ExponentialBackoffRetry(org.apache.curator.retry.ExponentialBackoffRetry) ArrayList(java.util.ArrayList) ACL(org.apache.zookeeper.data.ACL) Id(org.apache.zookeeper.data.Id)

Example 32 with ACL

use of org.apache.zookeeper.data.ACL in project knox by apache.

the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL.

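/**
 * Verify that when the Knox config znodes already exist with an unacceptable ACL (world:anyone may
 * write), a SASL-authenticated monitor does not recreate them but tightens their ACLs so that only
 * the monitor's own SASL identity remains.
 *
 * <p>A world-writable {@code /knox/config} tree would let any unauthenticated ZooKeeper client alter
 * gateway topology, so the monitor is expected to strip that entry when it starts.
 *
 * @throws Exception on any ZooKeeper or mock failure
 */
@Test
public void testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL() throws Exception {
    final String configMonitorName = "zkConfigClient";
    final String alias = "zkPass";
    // Setup the base GatewayConfig mock
    GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
    EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
    // Registry config: ZooKeeper with Digest auth; the password is resolved via the alias service, never inlined here
    final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
    EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
    EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
    EasyMock.replay(gc);
    AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
    EasyMock.replay(aliasService);
    RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
    clientService.setAliasService(aliasService);
    clientService.init(gc, Collections.emptyMap());
    clientService.start();
    RemoteConfigurationMonitorFactory.setClientService(clientService);
    RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
    assertNotNull("Failed to load RemoteConfigurationMonitor", cm);
    // Pre-create the config tree with two entries; the world:anyone WRITE entry is the unacceptable one
    final ACL ANY_AUTHENTICATED_USER_ALL = new ACL(ZooDefs.Perms.ALL, new Id("auth", ""));
    List<ACL> acls = Arrays.asList(ANY_AUTHENTICATED_USER_ALL, new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE));
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_CONFIG);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_PROVIDERS);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_DESCRIPTORS);
    // Make sure both ACLs were applied
    List<ACL> preACLs = client.getACL().forPath(PATH_KNOX);
    assertEquals(2, preACLs.size());
    // Check that the config nodes really do exist (the monitor will NOT create them if they're present)
    assertNotNull(client.checkExists().forPath(PATH_KNOX));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));
    try {
        cm.start();
    } catch (Exception e) {
        // Keep the cause attached so a start failure is diagnosable, not just its message
        throw new AssertionError("Failed to start monitor: " + e.getMessage(), e);
    }
    try {
        // Validate the expected ACLs on the Knox config znodes (make sure the monitor removed the world:anyone ACL)
        List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
        validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
        validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
        validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
        validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
    } finally {
        // Stop the monitor so its watchers do not leak into later tests
        cm.stop();
    }
}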
Also used : AliasService(org.apache.knox.gateway.services.security.AliasService) ZooKeeperClientServiceProvider(org.apache.knox.gateway.service.config.remote.zk.ZooKeeperClientServiceProvider) RemoteConfigurationRegistryClientService(org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService) ACL(org.apache.zookeeper.data.ACL) Id(org.apache.zookeeper.data.Id) GatewayConfig(org.apache.knox.gateway.config.GatewayConfig) Test(org.junit.Test)

Example 33 with ACL

use of org.apache.zookeeper.data.ACL in project knox by apache.

the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLCreateNodes.

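/**
 * Verify that a SASL-authenticated monitor creates the Knox config znodes when they do not yet exist,
 * applies the expected ACLs to them, and mirrors provider-config and descriptor znodes to the local
 * directories as they are created, updated and deleted.
 *
 * <p>The remote client authenticates with the Digest credentials resolved from the alias service, so the
 * znodes the monitor creates must end up owned solely by that SASL identity. A write to a path the test
 * client has no access to must be rejected.
 *
 * @throws Exception on any ZooKeeper, mock or I/O failure
 */
@Test
public void testZooKeeperConfigMonitorSASLCreateNodes() throws Exception {
    final String configMonitorName = "zkConfigClient";
    final String alias = "zkPass";
    // Test content is ASCII; pin the charset so znode bytes and mirrored file contents compare
    // byte-for-byte regardless of the platform default
    final java.nio.charset.Charset charset = java.nio.charset.StandardCharsets.UTF_8;
    // Setup the base GatewayConfig mock
    GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
    EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
    // Registry config: ZooKeeper with Digest auth; the password is resolved via the alias service, never inlined here
    final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;"
            + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
    EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
    EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
    EasyMock.replay(gc);
    AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
    EasyMock.replay(aliasService);
    RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
    clientService.setAliasService(aliasService);
    clientService.init(gc, Collections.emptyMap());
    clientService.start();
    // NOTE(review): clientService is never stopped in this test; confirm the fixture teardown closes its connection
    RemoteConfigurationMonitorFactory.setClientService(clientService);
    RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
    assertNotNull("Failed to load RemoteConfigurationMonitor", cm);
    // Check that the config nodes really don't yet exist (the monitor will create them if they're not present)
    assertNull(client.checkExists().forPath(PATH_KNOX));
    assertNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
    assertNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
    assertNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));
    try {
        cm.start();
    } catch (Exception e) {
        // Keep the cause attached so a start failure is diagnosable, not just its message
        throw new AssertionError("Failed to start monitor: " + e.getMessage(), e);
    }
    // Test auth violation: the test client must not be able to write under /auth_test
    // (presumably set up elsewhere with an ACL that excludes the test principal — confirm against the fixture)
    clientService.get(configMonitorName).createEntry("/auth_test/child_node/test1");
    assertNull("Creation should have been prevented since write access is not granted to the test client.", client.checkExists().forPath("/auth_test/child_node/test1"));
    assertTrue("Creation should have been prevented since write access is not granted to the test client.", client.getChildren().forPath("/auth_test/child_node").isEmpty());
    // Validate the expected ACLs on the Knox config znodes (make sure the monitor created them correctly)
    List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
    // Test the Knox config nodes, for which authentication should be sufficient for access.
    // Each fixed sleep gives the monitor's watcher time to mirror the change; this is a known flakiness risk.
    try {
        final String pc_one_znode = getProviderPath("providers-config1.xml");
        final File pc_one = new File(providersDir, "providers-config1.xml");
        final String pc_two_znode = getProviderPath("providers-config2.xml");
        final File pc_two = new File(providersDir, "providers-config2.xml");
        client.create().withMode(CreateMode.PERSISTENT).forPath(pc_one_znode, TEST_PROVIDERS_CONFIG_1.getBytes(charset));
        Thread.sleep(100);
        assertTrue(pc_one.exists());
        assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(pc_one, charset));
        // Use the precomputed path so creation and the later setData/delete target the same znode
        client.create().withMode(CreateMode.PERSISTENT).forPath(pc_two_znode, TEST_PROVIDERS_CONFIG_2.getBytes(charset));
        Thread.sleep(100);
        assertTrue(pc_two.exists());
        assertEquals(TEST_PROVIDERS_CONFIG_2, FileUtils.readFileToString(pc_two, charset));
        client.setData().forPath(pc_two_znode, TEST_PROVIDERS_CONFIG_1.getBytes(charset));
        Thread.sleep(100);
        assertTrue(pc_two.exists());
        assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(pc_two, charset));
        client.delete().forPath(pc_two_znode);
        Thread.sleep(100);
        assertFalse(pc_two.exists());
        client.delete().forPath(pc_one_znode);
        Thread.sleep(100);
        assertFalse(pc_one.exists());
        final String desc_one_znode = getDescriptorPath("test1.json");
        final String desc_two_znode = getDescriptorPath("test2.json");
        final String desc_three_znode = getDescriptorPath("test3.json");
        final File desc_one = new File(descriptorsDir, "test1.json");
        final File desc_two = new File(descriptorsDir, "test2.json");
        final File desc_three = new File(descriptorsDir, "test3.json");
        client.create().withMode(CreateMode.PERSISTENT).forPath(desc_one_znode, TEST_DESCRIPTOR_1.getBytes(charset));
        Thread.sleep(100);
        assertTrue(desc_one.exists());
        assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_one, charset));
        client.create().withMode(CreateMode.PERSISTENT).forPath(desc_two_znode, TEST_DESCRIPTOR_1.getBytes(charset));
        Thread.sleep(100);
        assertTrue(desc_two.exists());
        assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_two, charset));
        client.setData().forPath(desc_two_znode, TEST_DESCRIPTOR_2.getBytes(charset));
        Thread.sleep(100);
        assertTrue(desc_two.exists());
        assertEquals(TEST_DESCRIPTOR_2, FileUtils.readFileToString(desc_two, charset));
        client.create().withMode(CreateMode.PERSISTENT).forPath(desc_three_znode, TEST_DESCRIPTOR_1.getBytes(charset));
        Thread.sleep(100);
        assertTrue(desc_three.exists());
        assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(desc_three, charset));
        client.delete().forPath(desc_two_znode);
        Thread.sleep(100);
        assertFalse("Expected test2.json to have been deleted.", desc_two.exists());
        client.delete().forPath(desc_three_znode);
        Thread.sleep(100);
        assertFalse(desc_three.exists());
        client.delete().forPath(desc_one_znode);
        Thread.sleep(100);
        assertFalse(desc_one.exists());
    } finally {
        // Always stop the monitor so its watchers do not leak into later tests
        cm.stop();
    }
}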
Also used : AliasService(org.apache.knox.gateway.services.security.AliasService) ZooKeeperClientServiceProvider(org.apache.knox.gateway.service.config.remote.zk.ZooKeeperClientServiceProvider) RemoteConfigurationRegistryClientService(org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService) ACL(org.apache.zookeeper.data.ACL) File(java.io.File) GatewayConfig(org.apache.knox.gateway.config.GatewayConfig) Test(org.junit.Test)

Example 34 with ACL

use of org.apache.zookeeper.data.ACL in project parseq by linkedin.

the class TestZKClient method testGetData.

/**
 * Create an ephemeral, world-readable znode and check that {@code getData} returns the stored bytes,
 * a zero-version {@code Stat} whose data length matches, and the ACL list the node was created with.
 */
@Test
public void testGetData() {
    final String znode = "/testGetData";
    final byte[] payload = "hello world2".getBytes();
    // Node is ephemeral so it disappears with the session; OPEN_ACL_UNSAFE is fine for a throwaway test node
    final Task<String> createTask = _zkClient.create(znode, payload, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
    runAndWait("create", createTask);
    final Task<ZKData> readTask = _zkClient.getData(znode);
    runAndWait("getData", readTask);
    final ZKData read = readTask.get();
    final byte[] readBytes = read.getBytes();
    final Stat readStat = read.getStat();
    final List<ACL> readAcls = read.getAclList();
    Assert.assertNotNull(readBytes);
    Assert.assertNotNull(readStat);
    // Freshly created node: same bytes back, version 0, length equal to what was written
    Assert.assertEquals(readBytes, payload);
    Assert.assertEquals(readStat.getVersion(), 0);
    Assert.assertEquals(readStat.getDataLength(), payload.length);
    Assert.assertEquals(readAcls, ZooDefs.Ids.OPEN_ACL_UNSAFE);
}
Also used : Stat(org.apache.zookeeper.data.Stat) ACL(org.apache.zookeeper.data.ACL) Test(org.testng.annotations.Test) BaseEngineTest(com.linkedin.parseq.BaseEngineTest)

Example 35 with ACL

use of org.apache.zookeeper.data.ACL in project parseq by linkedin.

the class TestZKClient method testAcl.

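/**
 * Create a node with an open ACL, then replace the ACL with one restricted to a digest-authenticated
 * identity and check that the new ACL is read back while the data version is unchanged.
 *
 * <p>The digest ACL id stores the digest that {@link DigestAuthenticationProvider#generateDigest}
 * derives from {@code user:password}, not the plaintext credential; the plaintext is only passed to
 * {@code addAuthInfo} so this client session authenticates as that identity.
 *
 * @throws NoSuchAlgorithmException if the digest algorithm is unavailable
 */
@Test
public void testAcl() throws NoSuchAlgorithmException {
    final String path = "/testAcl";
    final byte[] data = "hello world".getBytes();
    final String scheme = "digest";
    final String authString = "test:test";
    final Id authId = new Id(scheme, DigestAuthenticationProvider.generateDigest(authString));
    // READ | DELETE | ADMIN (== 25): the creator may read the node, delete its children and change its ACL,
    // but may not write data or create children
    final int creatorPerms = ZooDefs.Perms.READ | ZooDefs.Perms.DELETE | ZooDefs.Perms.ADMIN;
    final List<ACL> creatorDelete = new ArrayList<>(Collections.singletonList(new ACL(creatorPerms, authId)));
    _zkClient.addAuthInfo(scheme, authString.getBytes());
    Task<String> create = _zkClient.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
    runAndWait("create", create);
    Task<ZKData> getData = _zkClient.getData(path);
    // setACL is conditional on the version observed by getData, so a concurrent change would be detected
    Task<Stat> setACL = getData.flatMap(results -> _zkClient.setACL(path, creatorDelete, results.getStat().getVersion()));
    runAndWait("setACL", setACL);
    // before #setACL
    Assert.assertEquals(getData.get().getAclList(), OPEN_ACL_UNSAFE);
    // after #setACL: setACL will not change the version number
    Assert.assertEquals(setACL.get().getVersion(), 0);
    getData = _zkClient.getData(path);
    runAndWait("getData", getData);
    Assert.assertEquals(getData.get().getAclList(), creatorDelete);
}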
Also used : Stat(org.apache.zookeeper.data.Stat) ArrayList(java.util.ArrayList) ACL(org.apache.zookeeper.data.ACL) Id(org.apache.zookeeper.data.Id) Test(org.testng.annotations.Test) BaseEngineTest(com.linkedin.parseq.BaseEngineTest)
