
Example 1 with Id

use of org.apache.zookeeper.data.Id in project hadoop by apache.

the class ZKUtil method parseACLs.

/**
 * Parses a comma-separated list of ACL entries used to secure generated
 * nodes, e.g.
 * <code>sasl:hdfs/host1@MY.DOMAIN:cdrwa,sasl:hdfs/host2@MY.DOMAIN:cdrwa</code>.
 * Each entry must have the form {@code scheme:id:perm}. Because the id part
 * may itself contain colons (Kerberos principals do), the scheme is taken as
 * everything before the first colon and the permission string as everything
 * after the last one. Empty entries (e.g. from a trailing comma) are ignored
 * and surrounding whitespace is stripped; a {@code null} input yields an
 * empty list.
 *
 * @param aclString comma-separated ACL entries, or {@code null}
 * @return the parsed ACLs, never {@code null}
 * @throws BadAclFormatException if an entry is not of the form scheme:id:perm
 *         or its permission string cannot be parsed
 */
public static List<ACL> parseACLs(String aclString) throws BadAclFormatException {
    List<ACL> parsed = Lists.newArrayList();
    if (aclString == null) {
        return parsed;
    }
    Iterable<String> entries = Splitter.on(',').omitEmptyStrings().trimResults().split(aclString);
    for (String entry : entries) {
        // from ZooKeeperMain private method
        int schemeEnd = entry.indexOf(':');
        int permStart = entry.lastIndexOf(':');
        if (schemeEnd == -1 || permStart == -1 || schemeEnd == permStart) {
            throw new BadAclFormatException("ACL '" + entry + "' not of expected form scheme:id:perm");
        }
        String scheme = entry.substring(0, schemeEnd);
        String id = entry.substring(schemeEnd + 1, permStart);
        int perms = getPermFromString(entry.substring(permStart + 1));
        parsed.add(new ACL(perms, new Id(scheme, id)));
    }
    return parsed;
}

Example 2 with Id

use of org.apache.zookeeper.data.Id in project hadoop by apache.

the class ZKRMStateStore method constructZkRootNodeACL.

/**
 * Builds the ACL list for the store's root node from the {@link Configuration}
 * and the {@link ACL}s used for ZooKeeper access (sourceACLs).
 * Every identity in sourceACLs keeps its permissions minus the
 * create/delete bits; a single digest identity for this RM is then appended
 * with exactly the create/delete bits, so only this RM can create or delete
 * children of the root node while the other identities retain the rest of
 * their access.
 *
 * The RM identity is {@code zkRootNodeAuthScheme} with a digest of
 * {@code <RM address>:<root-node password>}; this method also records the
 * RM address it used in {@code zkRootNodeUsername}.
 *
 * To be called only when HA is enabled and the configuration doesn't set an
 * ACL for the root node.
 * @param conf the configuration
 * @param sourceACLs the source ACLs
 * @return ACLs for the store's root node
 * @throws java.security.NoSuchAlgorithmException thrown if the digest
 * algorithm used by Zookeeper cannot be found
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
    List<ACL> rootAcls = new ArrayList<>(sourceACLs.size() + 1);
    // Existing identities keep everything except the create/delete bits.
    for (ACL source : sourceACLs) {
        int reducedPerms = ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
        rootAcls.add(new ACL(reducedPerms, source.getId()));
    }
    // This RM alone receives the create/delete bits, under a digest identity
    // derived from its address and the root-node password.
    zkRootNodeUsername = HAUtil.getConfValueForRMInstance(YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
    String rmPassword = resourceManager.getZkRootNodePassword();
    String rmDigest = DigestAuthenticationProvider.generateDigest(zkRootNodeUsername + ":" + rmPassword);
    rootAcls.add(new ACL(CREATE_DELETE_PERMS, new Id(zkRootNodeAuthScheme, rmDigest)));
    return rootAcls;
}

Example 3 with Id

use of org.apache.zookeeper.data.Id in project hive by apache.

the class ZooKeeperTokenStore method parseACLs.

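/**
 * Parses a comma-separated list of ACL entries used to secure generated
 * nodes, e.g.
 * <code>sasl:hive/host1@MY.DOMAIN:cdrwa,sasl:hive/host2@MY.DOMAIN:cdrwa</code>.
 * Each entry must have the form {@code scheme:id:perm}; since the id part may
 * contain colons, the scheme is everything before the first colon and the
 * permission string everything after the last one.
 * <p>
 * Blank entries are skipped. Entries that are not of the expected form are
 * logged and skipped rather than rejected, so a mistyped entry silently
 * produces a shorter (and therefore weaker) ACL list; callers that need every
 * configured entry to take effect should compare the returned size against
 * the number of entries they supplied.
 *
 * @param aclString comma-separated ACL entries; {@code null} or empty yields
 *        an empty list
 * @return the parsed ACLs, never {@code null}
 */
public static List<ACL> parseACLs(String aclString) {
    // splitByWholeSeparator(null, ...) returns null, so an unset config value
    // would otherwise NPE on aclComps.length below.
    if (aclString == null) {
        return new ArrayList<>();
    }
    String[] aclComps = StringUtils.splitByWholeSeparator(aclString, ",");
    List<ACL> acl = new ArrayList<>(aclComps.length);
    for (String rawEntry : aclComps) {
        if (StringUtils.isBlank(rawEntry)) {
            continue;
        }
        String a = rawEntry.trim();
        // from ZooKeeperMain private method
        int firstColon = a.indexOf(':');
        int lastColon = a.lastIndexOf(':');
        if (firstColon == -1 || lastColon == -1 || firstColon == lastColon) {
            LOGGER.error(a + " does not have the form scheme:id:perm");
            continue;
        }
        ACL newAcl = new ACL();
        newAcl.setId(new Id(a.substring(0, firstColon), a.substring(firstColon + 1, lastColon)));
        newAcl.setPerms(getPermFromString(a.substring(lastColon + 1)));
        acl.add(newAcl);
    }
    return acl;
}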

Example 4 with Id

use of org.apache.zookeeper.data.Id in project hive by apache.

the class SecretManager method checkRootAcls.

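/**
 * Verifies the ACLs of every child of the ZKDTSM root znode beneath
 * {@code path}, checking each child against {@code user} as a {@code sasl}
 * identity via {@code checkAcls}. A short-lived Curator client is built from
 * the ZK_DTSM_* connection settings in {@code conf} and always closed on exit.
 *
 * @param conf configuration holding the ZooKeeper connection string and timeouts
 * @param path the secret-manager znode path; the ZKDTSM root is {@code /<path>/ZKDTSMRoot}
 * @param user the user whose {@code sasl} identity is expected in the child ACLs
 * @throws RuntimeException wrapping any failure to connect, list children or
 *         check a child's ACLs; an interruption is rethrown the same way after
 *         the thread's interrupt flag is restored
 */
private static void checkRootAcls(Configuration conf, String path, String user) {
    int stime = conf.getInt(ZK_DTSM_ZK_SESSION_TIMEOUT, ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT);
    int ctime = conf.getInt(ZK_DTSM_ZK_CONNECTION_TIMEOUT, ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT);
    CuratorFramework zkClient = CuratorFrameworkFactory.builder().namespace(null).retryPolicy(new RetryOneTime(10)).sessionTimeoutMs(stime).connectionTimeoutMs(ctime).ensembleProvider(new FixedEnsembleProvider(conf.get(ZK_DTSM_ZK_CONNECTION_STRING))).build();
    // Hardcoded from a private field in ZKDelegationTokenSecretManager.
    // We need to check the path under what it sets for namespace, since the namespace is
    // created with world ACLs.
    String nsPath = "/" + path + "/ZKDTSMRoot";
    Id currentUser = new Id("sasl", user);
    try {
        zkClient.start();
        List<String> children = zkClient.getChildren().forPath(nsPath);
        for (String child : children) {
            checkAcls(zkClient, currentUser, nsPath + "/" + child);
        }
    } catch (InterruptedException e) {
        // Wrapping alone would clear the interrupt; restore it so the caller
        // (or an executor) still observes the cancellation.
        Thread.currentThread().interrupt();
        throw new RuntimeException("Interrupted while checking ACLs under " + nsPath, e);
    } catch (Exception e) {
        throw new RuntimeException("Failed to check ACLs under " + nsPath, e);
    } finally {
        zkClient.close();
    }
}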

Example 5 with Id

use of org.apache.zookeeper.data.Id in project zookeeper by apache.

the class PrepRequestProcessor method checkACL.

/**
 * Decides whether the request's credentials authorize {@code perm} on a node,
 * returning normally to grant and throwing to deny. Evaluation order:
 * <ol>
 *   <li>if the server-wide {@code skipACL} switch is on, everything is granted;</li>
 *   <li>a node whose ACL list is null or empty is unrestricted, so the
 *       request is granted without consulting the credentials;</li>
 *   <li>any credential with scheme {@code super} grants unconditionally;</li>
 *   <li>otherwise an ACL entry grants only if it carries at least one of the
 *       requested permission bits and either is {@code world:anyone} or has a
 *       registered {@link ServerAuthenticationProvider} for its scheme that
 *       reports a match against a credential of the same scheme.</li>
 * </ol>
 * @param zks :     the ZooKeeper server
 * @param cnxn :    the server connection
 * @param acl :     set of ACLs for the node
 * @param perm :    the permission that the client is requesting
 * @param ids :     the credentials supplied by the client
 * @param path :    the ZNode path
 * @param setAcls : for set ACL operations, the list of ACLs being set. Otherwise null.
 * @throws KeeperException.NoAuthException if no ACL entry grants the request
 */
static void checkACL(ZooKeeperServer zks, ServerCnxn cnxn, List<ACL> acl, int perm, List<Id> ids, String path, List<ACL> setAcls) throws KeeperException.NoAuthException {
    if (skipACL) {
        return;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Permission requested: {} ", perm);
        LOG.debug("ACLs for node: {}", acl);
        LOG.debug("Client credentials: {}", ids);
    }
    // No ACL on the node means no restriction.
    if (acl == null || acl.isEmpty()) {
        return;
    }
    // A "super" credential bypasses the per-entry checks entirely.
    for (Id credential : ids) {
        if (credential.getScheme().equals("super")) {
            return;
        }
    }
    for (ACL entry : acl) {
        Id granted = entry.getId();
        // Only entries carrying some of the requested bits can grant.
        if ((entry.getPerms() & perm) == 0) {
            continue;
        }
        if (granted.getScheme().equals("world") && granted.getId().equals("anyone")) {
            return;
        }
        ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(granted.getScheme());
        if (provider == null) {
            // Unknown scheme: this entry can never match a credential.
            continue;
        }
        for (Id credential : ids) {
            if (!credential.getScheme().equals(granted.getScheme())) {
                continue;
            }
            ServerAuthenticationProvider.ServerObjs serverObjs = new ServerAuthenticationProvider.ServerObjs(zks, cnxn);
            ServerAuthenticationProvider.MatchValues matchValues = new ServerAuthenticationProvider.MatchValues(path, credential.getId(), granted.getId(), perm, setAcls);
            if (provider.matches(serverObjs, matchValues)) {
                return;
            }
        }
    }
    throw new KeeperException.NoAuthException();
}
