Use of org.apache.zookeeper.data.Id in project hadoop by apache.
The class ZKUtil, method parseACLs.
/**
 * Parses a comma-separated list of ZooKeeper ACL entries used to secure
 * generated nodes, e.g.
 * <code>sasl:hdfs/host1@MY.DOMAIN:cdrwa,sasl:hdfs/host2@MY.DOMAIN:cdrwa</code>
 *
 * <p>Each entry must have the form {@code scheme:id:perm}. The scheme is the
 * text before the first colon and the permission string the text after the
 * last colon, so the id in between may itself contain colons. Empty entries
 * and surrounding whitespace are ignored.
 *
 * @param aclString the comma-separated entries; {@code null} yields an empty list
 * @return the parsed ACLs in input order (mutable, possibly empty)
 * @throws BadAclFormatException if an entry is not of the form scheme:id:perm
 *         (or its permission string cannot be parsed)
 */
public static List<ACL> parseACLs(String aclString) throws BadAclFormatException {
  List<ACL> result = Lists.newArrayList();
  if (aclString == null) {
    return result;
  }
  Iterable<String> entries = Splitter.on(',').omitEmptyStrings().trimResults().split(aclString);
  for (String entry : entries) {
    // Same splitting rule as ZooKeeperMain's private helper: scheme before the
    // first colon, perms after the last one, id in between.
    int schemeEnd = entry.indexOf(':');
    int permStart = entry.lastIndexOf(':');
    boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
    if (!wellFormed) {
      throw new BadAclFormatException("ACL '" + entry + "' not of expected form scheme:id:perm");
    }
    String scheme = entry.substring(0, schemeEnd);
    String id = entry.substring(schemeEnd + 1, permStart);
    ACL parsed = new ACL();
    parsed.setId(new Id(scheme, id));
    parsed.setPerms(getPermFromString(entry.substring(permStart + 1)));
    result.add(parsed);
  }
  return result;
}
Use of org.apache.zookeeper.data.Id in project hadoop by apache.
The class ZKRMStateStore, method constructZkRootNodeACL.
/**
 * Builds the {@link ACL} list for the state store's root node from the
 * {@link Configuration} and the {@link ACL}s used for ZooKeeper access
 * (sourceACLs).
 *
 * <p>Every principal in sourceACLs is carried over with its permissions minus
 * the create/delete bits ({@code CREATE_DELETE_PERMS}), and one extra entry
 * grants exactly those create/delete bits to this RM. The RM's id is a
 * {@link DigestAuthenticationProvider#generateDigest} of
 * {@code <rm address>:<root node password>} under {@code zkRootNodeAuthScheme},
 * so the password itself is never stored in the ACL.
 *
 * <p>Side effect: {@code zkRootNodeUsername} is set to the RM address resolved
 * from the configuration.
 *
 * <p>To be called only when HA is enabled and the configuration doesn't set an
 * ACL for the root node.
 *
 * @param conf the configuration
 * @param sourceACLs the source ACLs
 * @return ACLs for the store's root node
 * @throws java.security.NoSuchAlgorithmException thrown if the digest
 *         algorithm used by Zookeeper cannot be found
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
  List<ACL> rootAcls = new ArrayList<>();
  // Existing principals keep everything except create/delete.
  for (ACL source : sourceACLs) {
    int reducedPerms = ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
    rootAcls.add(new ACL(reducedPerms, source.getId()));
  }
  // This RM alone receives create/delete, identified by a digest of its
  // address and the shared root-node password.
  zkRootNodeUsername = HAUtil.getConfValueForRMInstance(YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
  String credential = zkRootNodeUsername + ":" + resourceManager.getZkRootNodePassword();
  Id thisRm = new Id(zkRootNodeAuthScheme, DigestAuthenticationProvider.generateDigest(credential));
  rootAcls.add(new ACL(CREATE_DELETE_PERMS, thisRm));
  return rootAcls;
}
Use of org.apache.zookeeper.data.Id in project hive by apache.
The class ZooKeeperTokenStore, method parseACLs.
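/**
 * Parse comma separated list of ACL entries to secure generated nodes, e.g.
 * <code>sasl:hive/host1@MY.DOMAIN:cdrwa,sasl:hive/host2@MY.DOMAIN:cdrwa</code>
 *
 * <p>Each entry must have the form {@code scheme:id:perm}; the id may contain
 * colons (scheme is taken before the first colon, perms after the last).
 * Blank entries are ignored. A malformed entry is logged and skipped rather
 * than rejected, so the returned list can be shorter than the number of
 * entries supplied; callers that require every entry to be honoured should
 * compare the result size against their input.
 *
 * @param aclString comma separated ACL entries; {@code null} or blank yields
 *        an empty list
 * @return the parsed ACL list (mutable, possibly empty)
 */
public static List<ACL> parseACLs(String aclString) {
  // StringUtils.splitByWholeSeparator(null, ...) returns null, which the
  // previous unconditional aclComps.length dereferenced.
  if (StringUtils.isBlank(aclString)) {
    return new ArrayList<ACL>();
  }
  String[] aclComps = StringUtils.splitByWholeSeparator(aclString, ",");
  List<ACL> acl = new ArrayList<ACL>(aclComps.length);
  for (String a : aclComps) {
    if (StringUtils.isBlank(a)) {
      continue;
    }
    a = a.trim();
    // from ZooKeeperMain private method
    int firstColon = a.indexOf(':');
    int lastColon = a.lastIndexOf(':');
    if (firstColon == -1 || lastColon == -1 || firstColon == lastColon) {
      // Best-effort: a bad entry is dropped, not fatal (see class-level doc above).
      LOGGER.error(a + " does not have the form scheme:id:perm");
      continue;
    }
    ACL newAcl = new ACL();
    newAcl.setId(new Id(a.substring(0, firstColon), a.substring(firstColon + 1, lastColon)));
    newAcl.setPerms(getPermFromString(a.substring(lastColon + 1)));
    acl.add(newAcl);
  }
  return acl;
}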
Use of org.apache.zookeeper.data.Id in project hive by apache.
The class SecretManager, method checkRootAcls.
/**
 * Connects to ZooKeeper with the configured timeouts and runs
 * {@code checkAcls} for every child of the delegation-token secret manager's
 * root znode, on behalf of the {@code sasl:<user>} identity.
 *
 * <p>The root path is hard-coded to match a private field of
 * ZKDelegationTokenSecretManager; the children are what need checking because
 * the namespace node itself is created with world ACLs.
 *
 * @param conf configuration providing the ZooKeeper connection string and
 *        session/connection timeouts
 * @param path namespace path under which the secret manager stores its data
 * @param user SASL user whose ACL entries are verified on each child
 * @throws RuntimeException wrapping any failure to connect, list children or
 *         verify ACLs; the client is always closed
 */
private static void checkRootAcls(Configuration conf, String path, String user) {
  int sessionTimeoutMs = conf.getInt(ZK_DTSM_ZK_SESSION_TIMEOUT, ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT);
  int connectionTimeoutMs = conf.getInt(ZK_DTSM_ZK_CONNECTION_TIMEOUT, ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT);
  CuratorFramework client = CuratorFrameworkFactory.builder()
      .namespace(null)
      .retryPolicy(new RetryOneTime(10))
      .sessionTimeoutMs(sessionTimeoutMs)
      .connectionTimeoutMs(connectionTimeoutMs)
      .ensembleProvider(new FixedEnsembleProvider(conf.get(ZK_DTSM_ZK_CONNECTION_STRING)))
      .build();
  // Hardcoded from a private field in ZKDelegationTokenSecretManager.
  // We need to check the path under what it sets for namespace, since the namespace is
  // created with world ACLs.
  String rootPath = "/" + path + "/ZKDTSMRoot";
  Id saslUser = new Id("sasl", user);
  try {
    client.start();
    for (String child : client.getChildren().forPath(rootPath)) {
      checkAcls(client, saslUser, rootPath + "/" + child);
    }
  } catch (Exception e) {
    throw new RuntimeException(e);
  } finally {
    client.close();
  }
}
Use of org.apache.zookeeper.data.Id in project zookeeper by apache.
The class PrepRequestProcessor, method checkACL.
/**
 * Grants or denies authorization for an operation on a node.
 *
 * <p>Rules are evaluated in order; the first one that applies grants access:
 * <ol>
 *   <li>if {@code skipACL} is set, every request is allowed;</li>
 *   <li>a node whose ACL list is {@code null} or empty is unrestricted;</li>
 *   <li>any client credential with scheme {@code super} is allowed;</li>
 *   <li>an ACL entry grants access when it carries the requested {@code perm}
 *       bit and is either {@code world:anyone} or its scheme has a registered
 *       {@link ServerAuthenticationProvider} that matches one of the client's
 *       credentials of the same scheme.</li>
 * </ol>
 * If no rule grants access, {@link KeeperException.NoAuthException} is thrown.
 *
 * @param zks : the ZooKeeper server
 * @param cnxn : the server connection
 * @param acl : set of ACLs for the node
 * @param perm : the permission that the client is requesting
 * @param ids : the credentials supplied by the client
 * @param path : the ZNode path
 * @param setAcls : for set ACL operations, the list of ACLs being set. Otherwise null.
 * @throws KeeperException.NoAuthException if no ACL entry authorizes the request
 */
static void checkACL(ZooKeeperServer zks, ServerCnxn cnxn, List<ACL> acl, int perm, List<Id> ids, String path, List<ACL> setAcls) throws KeeperException.NoAuthException {
  if (skipACL) {
    return;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Permission requested: {} ", perm);
    LOG.debug("ACLs for node: {}", acl);
    LOG.debug("Client credentials: {}", ids);
  }
  // An unset or empty ACL means the node is open to everyone.
  if (acl == null || acl.isEmpty()) {
    return;
  }
  // The "super" scheme bypasses every per-node ACL.
  for (Id credential : ids) {
    if (credential.getScheme().equals("super")) {
      return;
    }
  }
  for (ACL entry : acl) {
    Id aclId = entry.getId();
    if ((entry.getPerms() & perm) == 0) {
      continue;
    }
    String scheme = aclId.getScheme();
    if (scheme.equals("world") && aclId.getId().equals("anyone")) {
      return;
    }
    ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(scheme);
    if (provider == null) {
      // No provider for this scheme: the entry can never match.
      continue;
    }
    for (Id credential : ids) {
      if (!credential.getScheme().equals(scheme)) {
        continue;
      }
      ServerAuthenticationProvider.ServerObjs serverObjs = new ServerAuthenticationProvider.ServerObjs(zks, cnxn);
      ServerAuthenticationProvider.MatchValues values = new ServerAuthenticationProvider.MatchValues(path, credential.getId(), aclId.getId(), perm, setAcls);
      if (provider.matches(serverObjs, values)) {
        return;
      }
    }
  }
  throw new KeeperException.NoAuthException();
}