use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class KeyAuthenticationProvider method handleAuthentication.
@Override
public KeeperException.Code handleAuthentication(ServerObjs serverObjs, byte[] authData) {
byte[] key = getKey(serverObjs.getZks());
String authStr = "";
String keyStr = "";
try {
authStr = new String(authData, "UTF-8");
} catch (Exception e) {
LOG.error("UTF-8", e);
}
if (key != null) {
if (!validate(key, authData)) {
try {
keyStr = new String(key, "UTF-8");
} catch (Exception e) {
LOG.error("UTF-8", e);
// empty key
keyStr = authStr;
}
LOG.debug("KeyAuthenticationProvider handleAuthentication (" + keyStr + ", " + authStr + ") -> FAIL.\n");
return KeeperException.Code.AUTHFAILED;
}
}
// default to allow, so the key can be initially written
LOG.debug("KeyAuthenticationProvider handleAuthentication -> OK.\n");
// NOTE: keyStr in addAuthInfo() sticks with the created node ACLs.
// For transient keys or certificates, this presents a problem.
// In that case, replace it with something non-ephemeral (or punt with null).
//
// BOTH addAuthInfo and an OK return-code are needed for authentication.
serverObjs.getCnxn().addAuthInfo(new Id(getScheme(), keyStr));
return KeeperException.Code.OK;
}
use of org.apache.zookeeper.data.Id in project zookeeper by apache.
the class X509AuthenticationProvider method handleAuthentication.
@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
X509Certificate[] certChain = (X509Certificate[]) cnxn.getClientCertificateChain();
if (certChain == null || certChain.length == 0) {
return KeeperException.Code.AUTHFAILED;
}
if (trustManager == null) {
LOG.error("No trust manager available to authenticate session 0x{}", Long.toHexString(cnxn.getSessionId()));
return KeeperException.Code.AUTHFAILED;
}
X509Certificate clientCert = certChain[0];
try {
// Authenticate client certificate
trustManager.checkClientTrusted(certChain, clientCert.getPublicKey().getAlgorithm());
} catch (CertificateException ce) {
LOG.error("Failed to trust certificate for session 0x" + Long.toHexString(cnxn.getSessionId()), ce);
return KeeperException.Code.AUTHFAILED;
}
String clientId = getClientId(clientCert);
if (clientId.equals(System.getProperty(ZOOKEEPER_X509AUTHENTICATIONPROVIDER_SUPERUSER))) {
cnxn.addAuthInfo(new Id("super", clientId));
LOG.info("Authenticated Id '{}' as super user", clientId);
}
Id authInfo = new Id(getScheme(), clientId);
cnxn.addAuthInfo(authInfo);
LOG.info("Authenticated Id '{}' for Scheme '{}'", authInfo.getId(), authInfo.getScheme());
return KeeperException.Code.OK;
}
use of org.apache.zookeeper.data.Id in project hadoop by apache.
the class TestZKDelegationTokenSecretManager method testACLs.
@Test
public void testACLs() throws Exception {
DelegationTokenManager tm1;
String connectString = zkServer.getConnectString();
Configuration conf = getSecretConf(connectString);
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
String userPass = "myuser:mypass";
final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(userPass)));
ACLProvider digestAclProvider = new ACLProvider() {
@Override
public List<ACL> getAclForPath(String path) {
return getDefaultAcl();
}
@Override
public List<ACL> getDefaultAcl() {
List<ACL> ret = new ArrayList<ACL>();
ret.add(digestACL);
return ret;
}
};
CuratorFramework curatorFramework = CuratorFrameworkFactory.builder().connectString(connectString).retryPolicy(retryPolicy).aclProvider(digestAclProvider).authorization("digest", userPass.getBytes("UTF-8")).build();
curatorFramework.start();
ZKDelegationTokenSecretManager.setCurator(curatorFramework);
tm1 = new DelegationTokenManager(conf, new Text("bla"));
tm1.init();
// check ACL
String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
verifyACL(curatorFramework, "/" + workingPath, digestACL);
tm1.destroy();
ZKDelegationTokenSecretManager.setCurator(null);
curatorFramework.close();
}
use of org.apache.zookeeper.data.Id in project hadoop by apache.
the class TestSecureRMRegistryOperations method testUserHomedirsPermissionsRestricted.
@Test
public void testUserHomedirsPermissionsRestricted() throws Throwable {
// test that the /users/$user permissions are restricted
RMRegistryOperationsService rmRegistryOperations = startRMRegistryOperations();
// create Alice's dir, so it should have an ACL for Alice
final String home = rmRegistryOperations.initUserRegistry(ALICE);
List<ACL> acls = rmRegistryOperations.zkGetACLS(home);
ACL aliceACL = null;
for (ACL acl : acls) {
LOG.info(RegistrySecurity.aclToString(acl));
Id id = acl.getId();
if (id.getScheme().equals(ZookeeperConfigOptions.SCHEME_SASL) && id.getId().startsWith(ALICE)) {
aliceACL = acl;
break;
}
}
assertNotNull(aliceACL);
assertEquals(RegistryAdminService.USER_HOMEDIR_ACL_PERMISSIONS, aliceACL.getPerms());
}
use of org.apache.zookeeper.data.Id in project helios by spotify.
the class RuleBasedZooKeeperAclProvider method getAclForPath.
@Override
public List<ACL> getAclForPath(final String path) {
// id -> permissions
final Map<Id, Integer> matching = Maps.newHashMap();
for (final Rule rule : rules) {
if (rule.matches(path)) {
final int existingPerms = matching.containsKey(rule.id) ? matching.get(rule.id) : 0;
matching.put(rule.id, rule.perms | existingPerms);
}
}
if (matching.isEmpty()) {
return null;
}
final List<ACL> acls = Lists.newArrayList();
for (final Map.Entry<Id, Integer> e : matching.entrySet()) {
acls.add(new ACL(e.getValue(), e.getKey()));
}
return acls;
}
Aggregations