use of org.apache.zookeeper.data.Id in project hive by apache.
the class ZkRegistryBase method checkAndSetAcls.
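/**
 * Verifies that the ACLs on the "workers" znode let no identity other than this process's own
 * SASL user do anything beyond READ, and re-applies the expected ACLs via {@link #setUpAcls}
 * otherwise.
 * <p>
 * Only runs when Hadoop security is enabled. Only {@code workersPath} itself is inspected:
 * its ancestors are deliberately ignored (they are never read), and child znodes are not
 * checked here. NOTE(review): the read-then-fix sequence is not atomic, so another client
 * could still act between the getACL and setUpAcls calls; that window is accepted as-is.
 * An ACL for our own user under a scheme other than "sasl" is treated as foreign and triggers
 * a reset, which is the existing behavior.
 *
 * @throws Exception if the ZooKeeper client fails, or the SASL user name is unknown
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  // We are trying to check ACLs on the "workers" directory, which no one except us should be
  // able to write to. Higher-level directories shouldn't matter - we don't read them.
  String pathToCheck = workersPath;
  List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck);
  if (acls == null || acls.isEmpty()) {
    // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }
  // A null principal name would produce an Id with a null id, which is likely to throw a
  // NullPointerException out of Id.equals below. `assert` is disabled by default in
  // production, so check explicitly and fail with a message that names the problem.
  if (userNameFromPrincipal == null) {
    throw new IllegalStateException(
        "Cannot verify ACLs on " + pathToCheck + ": SASL user name from principal is unknown");
  }
  // This could be brittle: it relies on the SASL id matching the name derived from the principal.
  Id currentUser = new Id("sasl", userNameFromPrincipal);
  for (ACL acl : acls) {
    boolean readOnly = (acl.getPerms() & ~ZooDefs.Perms.READ) == 0;
    if (readOnly || currentUser.equals(acl.getId())) {
      // Read permission/no permissions (any identity), or the expected user (any permissions).
      continue;
    }
    LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }
}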
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class MultiOpSessionUpgradeTest method makeCreateRequest.
/**
 * Builds a create2 {@link Request} for {@code path}: an ephemeral node with the fixed payload
 * "data", serialized the same way a client would send it. The request carries no auth ids and
 * uses {@code OPEN_ACL_UNSAFE}, which is acceptable here only because this is test code
 * (MultiOpSessionUpgradeTest).
 *
 * @param path znode path to create
 * @param sessionId session the request is attributed to
 * @return a request ready to be handed to the server pipeline
 * @throws IOException if serialization fails
 */
private Request makeCreateRequest(String path, long sessionId) throws IOException {
  CreateRequest create = new CreateRequest(
      path, "data".getBytes(), ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL.toFlag());
  ByteArrayOutputStream bytes = new ByteArrayOutputStream();
  create.serialize(BinaryOutputArchive.getArchive(bytes), "request");
  ByteBuffer payload = ByteBuffer.wrap(bytes.toByteArray());
  ArrayList<Id> noAuth = new ArrayList<Id>();
  return new Request(null, sessionId, 1, ZooDefs.OpCode.create2, payload, noAuth);
}
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class MultiOpSessionUpgradeTest method makeGetDataRequest.
/**
 * Builds a getData {@link Request} for {@code path} without a watch, serialized the same way
 * a client would send it. The request carries no auth ids (test fixture).
 *
 * @param path znode path to read
 * @param sessionId session the request is attributed to
 * @return a request ready to be handed to the server pipeline
 * @throws IOException if serialization fails
 */
private Request makeGetDataRequest(String path, long sessionId) throws IOException {
  GetDataRequest getData = new GetDataRequest(path, false);
  ByteArrayOutputStream bytes = new ByteArrayOutputStream();
  getData.serialize(BinaryOutputArchive.getArchive(bytes), "request");
  ByteBuffer payload = ByteBuffer.wrap(bytes.toByteArray());
  ArrayList<Id> noAuth = new ArrayList<Id>();
  return new Request(null, sessionId, 1, ZooDefs.OpCode.getData, payload, noAuth);
}
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class ZooKeeperServer method processSasl.
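/**
 * Handles one round of the SASL handshake for {@code cnxn}: feeds the client's token to the
 * connection's {@link ZooKeeperSaslServer} and, once the exchange completes, records the
 * negotiated authorization ID on the connection as a {@code sasl} auth entry, plus a
 * {@code super} entry when it exactly matches the {@code zookeeper.superUser} system property.
 * <p>
 * On a {@link SaslException} the connection is closed unless the
 * {@code zookeeper.allowSaslFailedClients} system property is exactly "true" (case-sensitive);
 * in that case the connection stays open without any auth entry from this exchange, so it can
 * presumably only reach data whose ACLs do not require authentication - confirm against the
 * ACL checks before relying on that property.
 * <p>
 * A connection with no SASL server logs an error and gets an empty response; this is checked
 * explicitly rather than by catching {@code NullPointerException} as the old code did.
 *
 * @param incomingBuffer the serialized {@link GetSASLRequest} from the client
 * @param cnxn the connection whose {@code zooKeeperSaslServer} drives the exchange
 * @return a {@link SetSASLResponse} carrying the server's token (may be null) for the client
 * @throws IOException if the request cannot be deserialized
 */
private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws IOException {
  LOG.debug("Responding to client SASL token.");
  GetSASLRequest clientTokenRecord = new GetSASLRequest();
  ByteBufferInputStream.byteBuffer2Record(incomingBuffer, clientTokenRecord);
  byte[] clientToken = clientTokenRecord.getToken();
  LOG.debug("Size of client SASL token: " + clientToken.length);
  byte[] responseToken = null;
  ZooKeeperSaslServer saslServer = cnxn.zooKeeperSaslServer;
  if (saslServer == null) {
    // A missing SASL server means the connection was never set up for SASL; the client
    // simply receives a response with no token.
    LOG.error("cnxn.saslServer is null: cnxn object did not initialize its saslServer properly.");
  } else {
    try {
      // clientToken may be empty (clientToken.length == 0): with DIGEST-MD5 the client's
      // first message carries no token and the server has to issue the challenge.
      responseToken = saslServer.evaluateResponse(clientToken);
      if (saslServer.isComplete()) {
        String authorizationID = saslServer.getAuthorizationID();
        LOG.info("adding SASL authorization for authorizationID: " + authorizationID);
        cnxn.addAuthInfo(new Id("sasl", authorizationID));
        // Read the property once and compare null-safely so a null authorizationID cannot
        // throw here. NOTE(review): the "super" id presumably bypasses ACL checks, so it is
        // granted only on an exact match of the configured name.
        String superUser = System.getProperty("zookeeper.superUser");
        if (superUser != null && superUser.equals(authorizationID)) {
          cnxn.addAuthInfo(new Id("super", ""));
        }
      }
    } catch (SaslException e) {
      LOG.warn("Client failed to SASL authenticate: " + e, e);
      // Case-sensitive "true", as before; any other value (or no property) closes the connection.
      if ("true".equals(System.getProperty("zookeeper.allowSaslFailedClients"))) {
        LOG.warn("Maintaining client connection despite SASL authentication failure.");
      } else {
        LOG.warn("Closing client connection due to SASL authentication failure.");
        cnxn.close();
      }
    }
  }
  if (responseToken != null) {
    LOG.debug("Size of server SASL response: " + responseToken.length);
  }
  // wrap SASL response token to client inside a Response object.
  return new SetSASLResponse(responseToken);
}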
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class KeyAuthenticationProvider method handleAuthentication.
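/**
 * Authenticates a client against the key returned by {@code getKey(zks)}.
 * <p>
 * Returns {@code AUTHFAILED} only when a key exists and {@code validate} rejects the supplied
 * auth data. When no key is stored yet the call is allowed so the key can be written
 * initially - this is fail-open by design and is only safe while the key is being
 * bootstrapped; anyone using this provider outside a test should confirm that window is
 * closed. On success the connection gets an auth entry of this scheme with an empty id (see
 * the note below); both that entry and the {@code OK} return are needed for authentication.
 * <p>
 * Neither the key nor the raw auth data is logged: the previous DEBUG line printed the
 * server-side key and the client-supplied credential on every failed attempt.
 *
 * @param serverObjs gives access to the server (for the key) and the client connection
 * @param authData the client-supplied credential bytes
 * @return {@code OK} when the client is accepted, {@code AUTHFAILED} otherwise
 */
@Override
public KeeperException.Code handleAuthentication(ServerObjs serverObjs, byte[] authData) {
  byte[] key = getKey(serverObjs.getZks());
  if (key != null && !validate(key, authData)) {
    // Log only the outcome and the size of what arrived: the key is a secret and the auth
    // data is attacker-controlled, so neither belongs in the log even at DEBUG.
    int authLen = authData == null ? 0 : authData.length;
    LOG.debug("KeyAuthenticationProvider handleAuthentication -> FAIL (" + authLen + " auth bytes).\n");
    return KeeperException.Code.AUTHFAILED;
  }
  // default to allow, so the key can be initially written
  LOG.debug("KeyAuthenticationProvider handleAuthentication -> OK.\n");
  // NOTE: the id passed to addAuthInfo() sticks with the created node ACLs.
  //   For transient keys or certificates, this presents a problem.
  //   In that case, replace it with something non-ephemeral (or punt with null).
  //   As written the id is always empty: nothing on the success path derives an identity
  //   from the key (the old code only filled its keyStr in on the failure path, after which
  //   it returned), so this preserves the observable behavior.
  //
  // BOTH addAuthInfo and an OK return-code are needed for authentication.
  String idForAcl = "";
  serverObjs.getCnxn().addAuthInfo(new Id(getScheme(), idForAcl));
  return KeeperException.Code.OK;
}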