use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class DigestAuthenticationProvider method handleAuthentication.
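/**
 * Authenticates a digest-scheme client: the credential bytes sent by the client are turned
 * into a string, hashed with {@link #generateDigest(String)}, and the result is attached to
 * the connection as an auth Id for this scheme. When the computed digest equals the
 * {@code superDigest} field, a "super" Id is attached first.
 *
 * @param cnxn     the connection to attach auth info to
 * @param authData raw credential bytes sent by the client; {@code null} fails authentication
 * @return {@code OK} when the digest was computed and attached, otherwise {@code AUTHFAILED}
 *         (no credential bytes, or the digest algorithm is unavailable)
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    if (authData == null) {
        // Formerly new String(null) threw NullPointerException out of the auth path;
        // a missing credential is simply a failed authentication.
        return KeeperException.Code.AUTHFAILED;
    }
    // NOTE(review): decodes with the platform default charset. generateDigest presumably
    // re-encodes the id the same way; both sides must change together if UTF-8 is pinned.
    String id = new String(authData);
    try {
        String digest = generateDigest(id);
        if (isSuperDigest(digest)) {
            cnxn.addAuthInfo(new Id("super", ""));
        }
        cnxn.addAuthInfo(new Id(getScheme(), digest));
        return KeeperException.Code.OK;
    } catch (NoSuchAlgorithmException e) {
        LOG.error("Missing algorithm", e);
    }
    return KeeperException.Code.AUTHFAILED;
}

/**
 * Compares a computed digest with the configured super digest in constant time, so that the
 * comparison's duration does not depend on how many leading characters match.
 *
 * @param digest the digest computed for the presented credentials (never {@code null})
 * @return {@code true} only when a super digest is configured and matches exactly
 */
private boolean isSuperDigest(String digest) {
    if (superDigest == null) {
        // No super digest configured: String.equals(null) was false here too.
        return false;
    }
    byte[] presented = digest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] expected = superDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(presented, expected);
}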
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class X509AuthenticationProvider method handleAuthentication.
/**
 * Authenticates a client by the certificate chain presented on its TLS connection.
 * The chain is validated through the configured trust manager, the leaf certificate is
 * mapped to a client id, and that id is attached to the connection for this scheme. If the
 * id equals the configured super-user property, a "super" Id is attached as well.
 *
 * @param cnxn     the connection whose client certificate chain is checked
 * @param authData unused; the credential is the TLS certificate chain itself
 * @return {@code OK} once the chain is trusted and an Id is attached; {@code AUTHFAILED} when
 *         no chain was presented, no trust manager is configured, or the chain is untrusted
 */
@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    X509Certificate[] chain = (X509Certificate[]) cnxn.getClientCertificateChain();
    boolean chainMissing = chain == null || chain.length == 0;
    if (chainMissing) {
        return KeeperException.Code.AUTHFAILED;
    }
    if (trustManager == null) {
        // Without a trust manager the chain cannot be validated, so never accept it.
        LOG.error("No trust manager available to authenticate session 0x{}", Long.toHexString(cnxn.getSessionId()));
        return KeeperException.Code.AUTHFAILED;
    }
    X509Certificate leaf = chain[0];
    // The key algorithm of the leaf certificate is passed as the authType for trust checking.
    String authType = leaf.getPublicKey().getAlgorithm();
    try {
        trustManager.checkClientTrusted(chain, authType);
    } catch (CertificateException ce) {
        LOG.error("Failed to trust certificate for session 0x" + Long.toHexString(cnxn.getSessionId()), ce);
        return KeeperException.Code.AUTHFAILED;
    }
    String principal = getClientId(leaf);
    String superUser = System.getProperty(ZOOKEEPER_X509AUTHENTICATIONPROVIDER_SUPERUSER);
    if (principal.equals(superUser)) {
        // A missing property yields null here, which never equals a real principal.
        cnxn.addAuthInfo(new Id("super", principal));
        LOG.info("Authenticated Id '{}' as super user", principal);
    }
    Id schemeId = new Id(getScheme(), principal);
    cnxn.addAuthInfo(schemeId);
    LOG.info("Authenticated Id '{}' for Scheme '{}'", schemeId.getId(), schemeId.getScheme());
    return KeeperException.Code.OK;
}
use of org.apache.zookeeper.data.Id in project hive by apache.
the class LlapZookeeperRegistryImpl method checkAndSetAcls.
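/**
 * Verifies that the ACLs on the workers znode grant anything beyond READ only to this
 * process's own SASL identity, and rewrites them via {@link #setUpAcls(String)} otherwise.
 * Does nothing when Hadoop security is disabled.
 *
 * @throws IllegalStateException if security is enabled but the user name derived from the
 *         principal is unknown, so the ACLs cannot be checked
 * @throws Exception propagated from the ZooKeeper client
 */
private void checkAndSetAcls() throws Exception {
    if (!UserGroupInformation.isSecurityEnabled()) {
        return;
    }
    // Only the "workers" directory matters: nobody but us should be able to write to it.
    // Higher-level directories are not read, so their ACLs are not checked.
    String pathToCheck = workersPath;
    List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck);
    if (acls == null || acls.isEmpty()) {
        // We were able to read the ACL list at all, so "no ACLs" is taken to mean open access.
        LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + DISABLE_MESSAGE);
        setUpAcls(pathToCheck);
        return;
    }
    // Explicit check rather than `assert`: with assertions disabled a null name would be
    // wrapped in an Id and reach Id.equals below instead of failing clearly here.
    if (userNameFromPrincipal == null) {
        throw new IllegalStateException(
            "Cannot verify ACLs on " + pathToCheck + ": user name from principal is unknown");
    }
    Id currentUser = new Id("sasl", userNameFromPrincipal);
    for (ACL acl : acls) {
        boolean readOnly = (acl.getPerms() & ~ZooDefs.Perms.READ) == 0;
        if (readOnly || currentUser.equals(acl.getId())) {
            // Read-only (or empty) permissions, or our own identity, are acceptable.
            continue;
        }
        LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck + "; setting up ACLs. " + DISABLE_MESSAGE);
        setUpAcls(pathToCheck);
        return;
    }
}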
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class SaslAuthDesignatedClientTest method testReadAccessUser.
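/**
 * A SASL user granted only READ on a znode created under another identity can read it but
 * not write it, and once client SASL is disabled the same client cannot read it either.
 * Every client session is closed even when an assertion fails, and the system properties the
 * test sets are restored afterwards so later tests do not inherit them.
 */
@Test
public void testReadAccessUser() throws Exception {
    String previousLetAnyone = System.getProperty("zookeeper.letAnySaslUserDoX");
    System.setProperty("zookeeper.letAnySaslUserDoX", "anyone");
    try {
        // "fakeuser" owns everything except READ; "anyone" is read-only.
        List<ACL> aclList = new ArrayList<ACL>();
        aclList.add(new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, new Id("sasl", "fakeuser")));
        aclList.add(new ACL(Perms.READ, new Id("sasl", "anyone")));
        ZooKeeper zk = createClient();
        try {
            zk.create("/abc", "testData".getBytes(), aclList, CreateMode.PERSISTENT);
        } catch (KeeperException e) {
            Assert.fail("Unable to create znode");
        } finally {
            zk.close();
        }
        Thread.sleep(100);

        // A fresh session as the test's own SASL user (myuser): read allowed, write denied.
        zk = createClient();
        try {
            try {
                zk.setData("/abc", "testData1".getBytes(), -1);
                Assert.fail("Should not be able to set data");
            } catch (KeeperException.NoAuthException expected) {
                // the read-only user was correctly refused a write
            }
            try {
                byte[] bytedata = zk.getData("/abc", null, null);
                Assert.assertEquals("testData", new String(bytedata));
            } catch (KeeperException e) {
                Assert.fail("failed to get data");
            }
        } finally {
            zk.close();
        }
        Thread.sleep(100);

        // With client SASL disabled the session is unauthenticated and READ must be refused too.
        System.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, "false");
        try {
            zk = createClient();
            try {
                zk.getData("/abc", null, null);
                Assert.fail("Should not be able to read data when not authenticated");
            } catch (KeeperException.NoAuthException expected) {
                // the unauthenticated session was correctly refused
            } finally {
                zk.close();
            }
        } finally {
            // enable Client Sasl
            System.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, "true");
        }
    } finally {
        // Restore rather than leave "anyone" in place for whatever test runs next.
        if (previousLetAnyone == null) {
            System.clearProperty("zookeeper.letAnySaslUserDoX");
        } else {
            System.setProperty("zookeeper.letAnySaslUserDoX", previousLetAnyone);
        }
    }
}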
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class SaslAuthTest method testInvalidSaslIds.
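/**
 * Creating a znode with an ACL whose "sasl" Id is malformed (the samples carry an extra '/'
 * component or a second '@realm') must be rejected by the server with
 * {@link KeeperException.InvalidACLException}. The client is closed even when an assertion fails.
 */
@Test
public void testInvalidSaslIds() throws Exception {
    List<String> invalidIds = new ArrayList<String>();
    invalidIds.add("user@KERB.REALM/server.com");
    invalidIds.add("user@KERB.REALM1@KERB.REALM2");
    ZooKeeper zk = createClient();
    try {
        // Each id gets its own path so a rejected create cannot mask a later one.
        for (int i = 0; i < invalidIds.size(); i++) {
            List<ACL> aclList = new ArrayList<ACL>();
            aclList.add(new ACL(0, new Id("sasl", invalidIds.get(i))));
            try {
                zk.create("/invalid" + i, null, aclList, CreateMode.PERSISTENT);
                Assert.fail("SASLAuthenticationProvider.isValid() failed to catch invalid Id.");
            } catch (KeeperException.InvalidACLException expected) {
                // the server rejected the malformed SASL Id, as intended
            }
        }
    } finally {
        zk.close();
    }
}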