
Example 41 with Id

Use of org.apache.zookeeper.data.Id in project zookeeper by apache.

The class KeyAuthenticationProvider, method handleAuthentication.

@Override
public KeeperException.Code handleAuthentication(ServerObjs serverObjs, byte[] authData) {
    byte[] key = getKey(serverObjs.getZks());
    String authStr = "";
    String keyStr = "";
    try {
        authStr = new String(authData, "UTF-8");
    } catch (Exception e) {
        LOG.error("UTF-8", e);
    }
    if (key != null) {
        if (!validate(key, authData)) {
            try {
                keyStr = new String(key, "UTF-8");
            } catch (Exception e) {
                LOG.error("UTF-8", e);
                // empty key
                keyStr = authStr;
            }
            LOG.debug("KeyAuthenticationProvider handleAuthentication (" + keyStr + ", " + authStr + ") -> FAIL.\n");
            return KeeperException.Code.AUTHFAILED;
        }
    }
    // default to allow, so the key can be initially written
    LOG.debug("KeyAuthenticationProvider handleAuthentication -> OK.\n");
    // NOTE: keyStr in addAuthInfo() sticks with the created node ACLs.
    //   For transient keys or certificates, this presents a problem.
    //   In that case, replace it with something non-ephemeral (or punt with null).
    //
    // BOTH addAuthInfo and an OK return-code are needed for authentication.
    serverObjs.getCnxn().addAuthInfo(new Id(getScheme(), keyStr));
    return KeeperException.Code.OK;
}
Also used: Id (org.apache.zookeeper.data.Id), KeeperException (org.apache.zookeeper.KeeperException), NoNodeException (org.apache.zookeeper.KeeperException.NoNodeException), UnsupportedEncodingException (java.io.UnsupportedEncodingException)

Example 42 with Id

Use of org.apache.zookeeper.data.Id in project zookeeper by apache.

The class X509AuthenticationProvider, method handleAuthentication.

@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    X509Certificate[] certChain = (X509Certificate[]) cnxn.getClientCertificateChain();
    if (certChain == null || certChain.length == 0) {
        return KeeperException.Code.AUTHFAILED;
    }
    if (trustManager == null) {
        LOG.error("No trust manager available to authenticate session 0x{}", Long.toHexString(cnxn.getSessionId()));
        return KeeperException.Code.AUTHFAILED;
    }
    X509Certificate clientCert = certChain[0];
    try {
        // Authenticate client certificate
        trustManager.checkClientTrusted(certChain, clientCert.getPublicKey().getAlgorithm());
    } catch (CertificateException ce) {
        LOG.error("Failed to trust certificate for session 0x" + Long.toHexString(cnxn.getSessionId()), ce);
        return KeeperException.Code.AUTHFAILED;
    }
    String clientId = getClientId(clientCert);
    if (clientId.equals(System.getProperty(ZOOKEEPER_X509AUTHENTICATIONPROVIDER_SUPERUSER))) {
        cnxn.addAuthInfo(new Id("super", clientId));
        LOG.info("Authenticated Id '{}' as super user", clientId);
    }
    Id authInfo = new Id(getScheme(), clientId);
    cnxn.addAuthInfo(authInfo);
    LOG.info("Authenticated Id '{}' for Scheme '{}'", authInfo.getId(), authInfo.getScheme());
    return KeeperException.Code.OK;
}
Also used: CertificateException (java.security.cert.CertificateException), Id (org.apache.zookeeper.data.Id), X509Certificate (java.security.cert.X509Certificate)
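Examples 41 and 42 show the two halves of server-side authentication in ZooKeeper: validate the auth data, then bind an Id to the connection with addAuthInfo and return OK (the code comment in Example 41 is right that both are needed). KeyAuthenticationProvider is a test helper and is deliberately permissive: when no key is stored it allows everything ("default to allow, so the key can be initially written"), its failure branch writes the key bytes into the debug log, and on the OK path keyStr is still the empty string, so the Id it binds carries no principal. The following is an added example, not code from the ZooKeeper project, of a fail-closed provider for a constructed "hmac" scheme: the client presents "<user>:<base64 HmacSHA256(key, user)>", the server verifies it with a constant-time compare and binds Id("hmac", user), and logs only the outcome. The scheme name, the class and the zookeeper.hmacAuthProvider.key property are assumptions of this example; AuthenticationProvider, ServerCnxn.addAuthInfo and ServerCnxn.getSessionId are the real ZooKeeper server API, and a provider is registered the usual way through a zookeeper.authProvider.N system property.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example, not ZooKeeper project code. Scheme "hmac": auth data is
 * "<user>:<base64 HmacSHA256(key, user)>"; on success Id("hmac", user) is bound.
 * Registered like any provider, e.g. -Dzookeeper.authProvider.1=HmacAuthenticationProvider
 */
public class HmacAuthenticationProvider implements AuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(HmacAuthenticationProvider.class);
    static final String SCHEME = "hmac";
    private final byte[] key;   // null when the server has no key configured

    /** No-arg constructor for ZooKeeper's provider registry; the property name is an assumption of this example. */
    public HmacAuthenticationProvider() {
        String b64 = System.getProperty("zookeeper.hmacAuthProvider.key");
        this.key = (b64 == null) ? null : Base64.getDecoder().decode(b64);
    }

    HmacAuthenticationProvider(byte[] key) { this.key = key; }

    @Override public String getScheme() { return SCHEME; }

    /** Verification kept free of ServerCnxn so it can be tested; returns the user, or null on any failure. */
    String verify(byte[] authData) {
        if (key == null || authData == null) {
            return null;                                    // no key configured: deny, never default-allow
        }
        String token = new String(authData, StandardCharsets.UTF_8);
        int sep = token.lastIndexOf(':');
        if (sep <= 0 || sep == token.length() - 1) {
            return null;                                    // malformed token
        }
        String user = token.substring(0, sep);
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(token.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return null;                                    // MAC is not base64
        }
        return MessageDigest.isEqual(mac(key, user), presented) ? user : null;   // constant-time compare
    }

    @Override
    public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
        String user = verify(authData);
        if (user == null) {
            // Log the outcome only; neither the key nor the presented token belongs in a log line.
            LOG.warn("hmac authentication failed for session 0x{}", Long.toHexString(cnxn.getSessionId()));
            return KeeperException.Code.AUTHFAILED;
        }
        cnxn.addAuthInfo(new Id(SCHEME, user));             // both the Id and the OK code are required
        return KeeperException.Code.OK;
    }

    /** ACL entry hmac:alice matches only a session that authenticated as alice. */
    @Override public boolean matches(String id, String aclExpr) { return id.equals(aclExpr); }
    @Override public boolean isAuthenticated() { return true; }
    @Override public boolean isValid(String id) { return id != null && !id.isEmpty(); }

    /** Client side: the bytes to pass to ZooKeeper.addAuthInfo("hmac", ...). */
    static byte[] clientToken(byte[] key, String user) {
        return (user + ":" + Base64.getEncoder().encodeToString(mac(key, user))).getBytes(StandardCharsets.UTF_8);
    }

    static byte[] mac(byte[] key, String user) {
        try {
            Mac h = Mac.getInstance("HmacSHA256");
            h.init(new SecretKeySpec(key, "HmacSHA256"));
            return h.doFinal(user.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone check with a constructed key; needs no running server. */
    public static void main(String[] args) {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        HmacAuthenticationProvider p = new HmacAuthenticationProvider(key);
        if (!"alice".equals(p.verify(clientToken(key, "alice")))) throw new AssertionError("valid token rejected");
        if (p.verify("alice:AAAA".getBytes(StandardCharsets.UTF_8)) != null) throw new AssertionError("bad MAC accepted");
        if (new HmacAuthenticationProvider((byte[]) null).verify(clientToken(key, "alice")) != null) throw new AssertionError("missing key must deny");
        System.out.println("hmac provider checks passed");
    }
}
```

The point of keeping verify() separate from handleAuthentication() is that the policy decisions (missing key denies, malformed input denies, MAC compared in constant time) can be exercised without a ServerCnxn, as main() does; the connection-facing method only binds the Id and returns the code.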

Example 43 with Id

Use of org.apache.zookeeper.data.Id in project hadoop by apache.

The class TestZKDelegationTokenSecretManager, method testACLs.

@Test
public void testACLs() throws Exception {
    DelegationTokenManager tm1;
    String connectString = zkServer.getConnectString();
    Configuration conf = getSecretConf(connectString);
    RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
    String userPass = "myuser:mypass";
    final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(userPass)));
    ACLProvider digestAclProvider = new ACLProvider() {

        @Override
        public List<ACL> getAclForPath(String path) {
            return getDefaultAcl();
        }

        @Override
        public List<ACL> getDefaultAcl() {
            List<ACL> ret = new ArrayList<ACL>();
            ret.add(digestACL);
            return ret;
        }
    };
    CuratorFramework curatorFramework = CuratorFrameworkFactory.builder().connectString(connectString).retryPolicy(retryPolicy).aclProvider(digestAclProvider).authorization("digest", userPass.getBytes("UTF-8")).build();
    curatorFramework.start();
    ZKDelegationTokenSecretManager.setCurator(curatorFramework);
    tm1 = new DelegationTokenManager(conf, new Text("bla"));
    tm1.init();
    // check ACL
    String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
    verifyACL(curatorFramework, "/" + workingPath, digestACL);
    tm1.destroy();
    ZKDelegationTokenSecretManager.setCurator(null);
    curatorFramework.close();
}
Also used: ACLProvider (org.apache.curator.framework.api.ACLProvider), CuratorFramework (org.apache.curator.framework.CuratorFramework), Configuration (org.apache.hadoop.conf.Configuration), ExponentialBackoffRetry (org.apache.curator.retry.ExponentialBackoffRetry), ArrayList (java.util.ArrayList), ACL (org.apache.zookeeper.data.ACL), Text (org.apache.hadoop.io.Text), Id (org.apache.zookeeper.data.Id), RetryPolicy (org.apache.curator.RetryPolicy), DelegationTokenManager (org.apache.hadoop.security.token.delegation.web.DelegationTokenManager), Test (org.junit.Test)
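Example 43 builds a digest Id with DigestAuthenticationProvider.generateDigest("user:pass") and makes Curator attach it to every znode it creates; the verifyACL helper it calls is not shown on this page. The following added example (not Hadoop or Curator project code) does the same end to end against Curator's in-process TestingServer from the curator-test artifact: it creates a node whose ACL gives an owner digest ALL and a reader digest READ, reads the stored ACL back and compares it with the expected set, then confirms that an anonymous session cannot read and the reader cannot write. The user:password strings, path and data are constructed for the example. Keep in mind what a digest Id is: the user name plus the unsalted base64(SHA-1) of "user:password", so an ACL stored in ZooKeeper exposes a crackable hash of the password to anyone able to read it; digest credentials should be strong and treated as secrets, not shared across services.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.test.TestingServer;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

/** Added example (not Hadoop/Curator project code): digest ACLs end to end on an in-process server. */
public class DigestAclDemo {
    // Constructed credentials and path for the example.
    static final String OWNER = "owner:owner-secret";
    static final String READER = "reader:reader-secret";
    static final String PATH = "/secure-config";

    /** Digest Id for an ACL entry: "<user>:" + base64(SHA-1("<user>:<password>")). */
    static Id digestId(String userPass) throws Exception {
        return new Id("digest", DigestAuthenticationProvider.generateDigest(userPass));
    }

    /** Client authenticated with the given user:password, or an anonymous session when null. */
    static CuratorFramework client(String connectString, String userPass) {
        CuratorFrameworkFactory.Builder b = CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3));
        if (userPass != null) {
            b.authorization("digest", userPass.getBytes(StandardCharsets.UTF_8));
        }
        CuratorFramework c = b.build();
        c.start();
        return c;
    }

    /** The verifyACL step of Example 43: the stored ACL must equal the expected set exactly, no extra entries. */
    static void verifyAcl(CuratorFramework c, String path, List<ACL> expected) throws Exception {
        List<ACL> stored = c.getACL().forPath(path);
        if (!new HashSet<>(stored).equals(new HashSet<>(expected))) {
            throw new AssertionError("ACL mismatch on " + path + ": " + stored);
        }
    }

    interface Op { void run() throws Exception; }

    /** Runs op and requires it to fail with NoAuth; success or any other error is a test failure. */
    static void expectNoAuth(String what, Op op) throws Exception {
        try {
            op.run();
        } catch (KeeperException.NoAuthException expected) {
            return;
        }
        throw new AssertionError(what + " should have been denied");
    }

    public static void main(String[] args) throws Exception {
        try (TestingServer server = new TestingServer()) {
            List<ACL> acl = Arrays.asList(
                    new ACL(ZooDefs.Perms.ALL, digestId(OWNER)),
                    new ACL(ZooDefs.Perms.READ, digestId(READER)));
            try (CuratorFramework owner = client(server.getConnectString(), OWNER);
                 CuratorFramework reader = client(server.getConnectString(), READER);
                 CuratorFramework anon = client(server.getConnectString(), null)) {
                // The owner creates the node with the explicit ACL. No creatingParentsIfNeeded() here:
                // auto-created parents get the ACL provider's default, not the list passed to withACL().
                owner.create().withACL(acl).forPath(PATH, "v1".getBytes(StandardCharsets.UTF_8));
                verifyAcl(owner, PATH, acl);

                // Reader session: READ is granted, WRITE is not.
                byte[] data = reader.getData().forPath(PATH);
                if (!"v1".equals(new String(data, StandardCharsets.UTF_8))) throw new AssertionError("reader could not read");
                expectNoAuth("reader setData", () -> reader.setData().forPath(PATH, "v2".getBytes(StandardCharsets.UTF_8)));

                // Anonymous session: no Id matches either entry, so even READ is denied.
                expectNoAuth("anonymous getData", () -> anon.getData().forPath(PATH));
                System.out.println("digest ACL checks passed");
            }
        }
    }
}
```

Comparing the stored ACL as a set, rather than checking that the expected entry is present, is what catches the common mistake of an extra world:anyone entry left behind by a default ACL provider.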

Example 44 with Id

Use of org.apache.zookeeper.data.Id in project hadoop by apache.

The class TestSecureRMRegistryOperations, method testUserHomedirsPermissionsRestricted.

@Test
public void testUserHomedirsPermissionsRestricted() throws Throwable {
    // test that the /users/$user permissions are restricted
    RMRegistryOperationsService rmRegistryOperations = startRMRegistryOperations();
    // create Alice's dir, so it should have an ACL for Alice
    final String home = rmRegistryOperations.initUserRegistry(ALICE);
    List<ACL> acls = rmRegistryOperations.zkGetACLS(home);
    ACL aliceACL = null;
    for (ACL acl : acls) {
        LOG.info(RegistrySecurity.aclToString(acl));
        Id id = acl.getId();
        if (id.getScheme().equals(ZookeeperConfigOptions.SCHEME_SASL) && id.getId().startsWith(ALICE)) {
            aliceACL = acl;
            break;
        }
    }
    assertNotNull(aliceACL);
    assertEquals(RegistryAdminService.USER_HOMEDIR_ACL_PERMISSIONS, aliceACL.getPerms());
}
Also used: ACL (org.apache.zookeeper.data.ACL), Id (org.apache.zookeeper.data.Id), RMRegistryOperationsService (org.apache.hadoop.registry.server.integration.RMRegistryOperationsService), Test (org.junit.Test)

Example 45 with Id

Use of org.apache.zookeeper.data.Id in project helios by spotify.

The class RuleBasedZooKeeperAclProvider, method getAclForPath.

@Override
public List<ACL> getAclForPath(final String path) {
    // id -> permissions
    final Map<Id, Integer> matching = Maps.newHashMap();
    for (final Rule rule : rules) {
        if (rule.matches(path)) {
            final int existingPerms = matching.containsKey(rule.id) ? matching.get(rule.id) : 0;
            matching.put(rule.id, rule.perms | existingPerms);
        }
    }
    if (matching.isEmpty()) {
        return null;
    }
    final List<ACL> acls = Lists.newArrayList();
    for (final Map.Entry<Id, Integer> e : matching.entrySet()) {
        acls.add(new ACL(e.getValue(), e.getKey()));
    }
    return acls;
}
Also used: ACL (org.apache.zookeeper.data.ACL), Id (org.apache.zookeeper.data.Id), Map (java.util.Map)
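The Helios provider above shows the general rule-based shape: each rule carries an Id and a permission mask, the rules matching a path are OR-ed together per Id, and the result becomes the node's ACL list. Two things to check with a provider like this before trusting it: that overlapping rules do not widen a principal's permissions beyond what was intended (the OR makes every matching rule additive), and that paths no rule covers do not end up open (Curator's builders fall back to getDefaultAcl() when getAclForPath() returns null or an empty list, so the default ACL decides what unmatched paths get). The following is an added example, not Helios or Curator code, of a regex-rule ACLProvider of that shape with a deny-by-default default ACL and an effectivePerms() helper for asserting the policy in tests; the rules, SASL principals and paths are constructed for the example, and the sample rule set is covered by the checks in main().

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/** Added example (not Helios/Curator code): regex rules, per-Id OR-merged permissions, deny-by-default. */
public class RuleBasedAclProvider implements ACLProvider {

    static final class Rule {
        final Pattern path;   // anchored regex over the full znode path
        final Id id;
        final int perms;
        Rule(String pathRegex, Id id, int perms) {
            this.path = Pattern.compile(pathRegex);
            this.id = id;
            this.perms = perms;
        }
        boolean matches(String p) { return path.matcher(p).matches(); }
    }

    private final List<Rule> rules;
    private final List<ACL> defaultAcl;

    RuleBasedAclProvider(List<Rule> rules, List<ACL> defaultAcl) {
        this.rules = rules;
        this.defaultAcl = defaultAcl;
    }

    /** Paths matched by no rule get the default ACL; never return null, so the outcome is explicit. */
    @Override
    public List<ACL> getAclForPath(String path) {
        Map<Id, Integer> merged = new LinkedHashMap<>();   // Id -> OR of perms from every matching rule
        for (Rule r : rules) {
            if (r.matches(path)) {
                merged.merge(r.id, r.perms, (a, b) -> a | b);
            }
        }
        if (merged.isEmpty()) {
            return defaultAcl;
        }
        List<ACL> acls = new ArrayList<>();
        for (Map.Entry<Id, Integer> e : merged.entrySet()) {
            acls.add(new ACL(e.getValue(), e.getKey()));
        }
        return acls;
    }

    @Override
    public List<ACL> getDefaultAcl() {
        return defaultAcl;
    }

    /** Test helper: the permission mask a given Id ends up with on a path, 0 if it gets nothing. */
    int effectivePerms(String path, Id id) {
        for (ACL a : getAclForPath(path)) {
            if (a.getId().equals(id)) return a.getPerms();
        }
        return 0;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed principals: an operator group and one service, both authenticated via SASL.
        Id ops = new Id("sasl", "ops@EXAMPLE.COM");
        Id billing = new Id("sasl", "billing@EXAMPLE.COM");
        List<Rule> rules = Arrays.asList(
                new Rule("/(config|services)(/.*)?", ops, ZooDefs.Perms.ALL),      // operators: the managed trees
                new Rule("/services/billing(/.*)?", billing, ZooDefs.Perms.ALL),    // a service owns its own subtree
                new Rule("/config(/.*)?", billing, ZooDefs.Perms.READ),             // may read all configuration
                new Rule("/config/billing(/.*)?", billing, ZooDefs.Perms.CREATE));  // and add entries under its own
        // Deny-by-default: paths no rule covers are reachable by operators only.
        RuleBasedAclProvider p = new RuleBasedAclProvider(rules,
                Collections.singletonList(new ACL(ZooDefs.Perms.ALL, ops)));

        // Overlapping rules OR together: billing's mask on its own config is READ|CREATE, not just the last rule.
        check(p.effectivePerms("/config/billing/limits", billing) == (ZooDefs.Perms.READ | ZooDefs.Perms.CREATE), "merged perms");
        check(p.effectivePerms("/config/payments/limits", billing) == ZooDefs.Perms.READ, "read-only elsewhere");
        check(p.effectivePerms("/services/payments", billing) == 0, "no access to other services");
        check(p.getAclForPath("/scratch").size() == 1 && p.effectivePerms("/scratch", ops) == ZooDefs.Perms.ALL, "default ACL");
        // Regression check worth keeping in a test suite: the policy must never grant world:anyone anything.
        for (String path : new String[] {"/", "/config", "/config/billing", "/services/billing/leader", "/scratch"}) {
            for (ACL a : p.getAclForPath(path)) {
                check(!"world".equals(a.getId().getScheme()), "world ACL on " + path);
            }
        }
        System.out.println("rule-based ACL checks passed");
    }
}
```

Because Id implements equals() and hashCode() on scheme and id, the same principal written in two rules merges into one ACL entry; a typo in a principal string (or a digest Id generated from a different password) silently becomes a second entry instead, which is another reason to assert the full ACL list in tests rather than only the perms of the entry you expect.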

Aggregations

Types used together with Id in the indexed examples, with the number of examples using each:

Id (org.apache.zookeeper.data.Id): 50
ACL (org.apache.zookeeper.data.ACL): 39
ArrayList (java.util.ArrayList): 19
Test (org.junit.Test): 18
KeeperException (org.apache.zookeeper.KeeperException): 8
ZooKeeper (org.apache.zookeeper.ZooKeeper): 8
Stat (org.apache.zookeeper.data.Stat): 5
ByteArrayOutputStream (java.io.ByteArrayOutputStream): 4
BinaryOutputArchive (org.apache.jute.BinaryOutputArchive): 4
TestableZooKeeper (org.apache.zookeeper.TestableZooKeeper): 4
ByteBuffer (java.nio.ByteBuffer): 3
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException): 3
Configuration (org.apache.hadoop.conf.Configuration): 3
CreateRequest (org.apache.zookeeper.proto.CreateRequest): 3
IOException (java.io.IOException): 2
LinkedHashSet (java.util.LinkedHashSet): 2
SetupStep (org.apache.atlas.setup.SetupStep): 2
CuratorFramework (org.apache.curator.framework.CuratorFramework): 2
ACLProvider (org.apache.curator.framework.api.ACLProvider): 2
CreateBuilder (org.apache.curator.framework.api.CreateBuilder): 2