
Example 1 with ServerAuthenticationProvider

Usage of org.apache.zookeeper.server.auth.ServerAuthenticationProvider in project zookeeper by apache: class PrepRequestProcessor, static method checkACL (the per-request authorization check run by the request pre-processor).

/**
 * Authorizes a request against a node's ACL list: returns normally when the
 * requested permission is granted and throws {@link KeeperException.NoAuthException}
 * otherwise.
 *
 * <p>Evaluation order, and what each step means for security:
 * <ol>
 *   <li>If {@code skipACL} is set, every request is allowed. This is a
 *       server-wide bypass of authorization, not a per-node one.</li>
 *   <li>A node whose ACL list is null or empty is treated as unrestricted.</li>
 *   <li>Any client credential in the {@code "super"} scheme short-circuits the
 *       check, whatever the node's ACL says.</li>
 *   <li>Otherwise each ACL entry whose permission bits intersect {@code perm}
 *       is tried in list order: {@code world:anyone} grants immediately; for
 *       any other scheme the {@link ServerAuthenticationProvider} registered
 *       for that scheme decides via {@code matches(...)}, consulted once per
 *       client credential of the same scheme. An entry whose scheme has no
 *       registered provider is skipped, so it can never grant access.</li>
 * </ol>
 *
 * <p>The node ACL and the client credentials are written to the server log at
 * debug level, so debug logging on this class exposes identity information.
 *
 * @param zks     the ZooKeeper server, handed to the provider
 * @param cnxn    the client connection, handed to the provider
 * @param acl     the ACL entries attached to the node (may be null or empty)
 * @param perm    bitmask of the permission(s) the request needs
 * @param ids     the identities the connection has authenticated as
 * @param path    the znode path being accessed
 * @param setAcls for setACL operations, the ACL list being installed; otherwise null
 * @throws KeeperException.NoAuthException if no entry grants the requested permission
 */
static void checkACL(ZooKeeperServer zks, ServerCnxn cnxn, List<ACL> acl, int perm, List<Id> ids, String path, List<ACL> setAcls) throws KeeperException.NoAuthException {
    if (skipACL) {
        return;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Permission requested: {} ", perm);
        LOG.debug("ACLs for node: {}", acl);
        LOG.debug("Client credentials: {}", ids);
    }
    if (acl == null || acl.isEmpty()) {
        return;
    }
    // Super-user credentials override whatever the node's ACL says.
    boolean isSuperUser = ids.stream().anyMatch(credential -> credential.getScheme().equals("super"));
    if (isSuperUser) {
        return;
    }
    for (ACL entry : acl) {
        Id aclId = entry.getId();
        if ((entry.getPerms() & perm) == 0) {
            // This entry does not cover the requested permission at all.
            continue;
        }
        String scheme = aclId.getScheme();
        if (scheme.equals("world") && aclId.getId().equals("anyone")) {
            return;
        }
        ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(scheme);
        if (provider == null) {
            // Unknown scheme: this entry cannot grant anything.
            continue;
        }
        for (Id credential : ids) {
            if (!credential.getScheme().equals(scheme)) {
                continue;
            }
            ServerAuthenticationProvider.ServerObjs serverObjs = new ServerAuthenticationProvider.ServerObjs(zks, cnxn);
            ServerAuthenticationProvider.MatchValues values = new ServerAuthenticationProvider.MatchValues(path, credential.getId(), aclId.getId(), perm, setAcls);
            if (provider.matches(serverObjs, values)) {
                return;
            }
        }
    }
    throw new KeeperException.NoAuthException();
}

Example 2 with ServerAuthenticationProvider

Usage of org.apache.zookeeper.server.auth.ServerAuthenticationProvider in project zookeeper by apache: class PrepRequestProcessor, static method fixupACL (validation and expansion of a client-supplied ACL list before it is stored).

/**
 * Validates an ACL list submitted by a client (create or setACL) and returns
 * the list that will actually be stored on the node.
 *
 * <p>Rules, applied in order:
 * <ul>
 *   <li>Duplicates are removed first; a null or empty result is rejected.</li>
 *   <li>Every entry must be non-null and carry a non-null scheme.</li>
 *   <li>{@code world:anyone} is accepted as-is.</li>
 *   <li>An {@code auth} entry is replaced by one entry per identity on the
 *       connection whose provider reports {@code isAuthenticated()}, each
 *       carrying the permissions of the original entry. If no such identity
 *       exists the whole request is rejected, so {@code auth} never silently
 *       yields a node nobody owns. An identity whose scheme has no registered
 *       provider is logged and ignored rather than failing the request.</li>
 *   <li>Any other scheme must have a registered provider that accepts the id
 *       via {@code isValid(id)}.</li>
 * </ul>
 *
 * @param path     the znode path, used only to label the exception
 * @param authInfo the identities the requesting connection has authenticated as
 * @param acls     the ACL list supplied by the client
 * @return the validated list, with {@code auth} entries expanded
 * @throws KeeperException.InvalidACLException if any rule above is violated
 */
public static List<ACL> fixupACL(String path, List<Id> authInfo, List<ACL> acls) throws KeeperException.InvalidACLException {
    // De-duplicate first (ZOOKEEPER-1877); an empty list after that is invalid.
    List<ACL> distinct = removeDuplicates(acls);
    if (distinct == null || distinct.isEmpty()) {
        throw new KeeperException.InvalidACLException(path);
    }
    List<ACL> result = new ArrayList<>();
    for (ACL entry : distinct) {
        LOG.debug("Processing ACL: {}", entry);
        if (entry == null) {
            throw new KeeperException.InvalidACLException(path);
        }
        Id entryId = entry.getId();
        if (entryId == null || entryId.getScheme() == null) {
            throw new KeeperException.InvalidACLException(path);
        }
        String scheme = entryId.getScheme();
        if (scheme.equals("world") && entryId.getId().equals("anyone")) {
            result.add(entry);
            continue;
        }
        if (scheme.equals("auth")) {
            // Expand "auth" into one entry per authenticated identity on the connection.
            boolean expanded = false;
            for (Id connectionId : authInfo) {
                ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(connectionId.getScheme());
                if (provider == null) {
                    LOG.error("Missing AuthenticationProvider for {}", connectionId.getScheme());
                } else if (provider.isAuthenticated()) {
                    expanded = true;
                    result.add(new ACL(entry.getPerms(), connectionId));
                }
            }
            if (!expanded) {
                // No authenticated identity to bind the entry to: reject the whole ACL.
                throw new KeeperException.InvalidACLException(path);
            }
            continue;
        }
        // Every other scheme is delegated to its provider for id validation.
        ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(scheme);
        if (provider == null || !provider.isValid(entryId.getId())) {
            throw new KeeperException.InvalidACLException(path);
        }
        result.add(entry);
    }
    return result;
}

Example 3 with ServerAuthenticationProvider

Usage of org.apache.zookeeper.server.auth.ServerAuthenticationProvider in project zookeeper by apache: class ZooKeeperServer, method processPacket (decoding an incoming frame and dispatching auth, SASL and ordinary requests).

/**
 * Decodes one request frame from {@code incomingBuffer} and routes it by opcode.
 * Three paths are visible here:
 * <ul>
 *   <li>{@code OpCode.auth}: the scheme named in the client's packet selects a
 *       {@link ServerAuthenticationProvider} from the registry; the provider's
 *       verdict is returned to the client as a reply, and on anything other than
 *       OK (unknown scheme, a non-OK code, or a RuntimeException thrown by the
 *       provider) the close marker is sent and receiving is disabled.</li>
 *   <li>{@code OpCode.sasl}: handed to {@code processSasl}.</li>
 *   <li>everything else: submitted only if {@code authHelper.enforceAuthentication}
 *       allows it; the {@link Request} is built with the connection's current
 *       {@code getAuthInfo()}, and an over-size request is rejected via
 *       {@code checkRequestSizeWhenMessageReceived}.</li>
 * </ul>
 * The auth and sasl branches run before {@code enforceAuthentication}; that is
 * what allows a not-yet-authenticated client to present credentials at all.
 * Nothing in this method consults session state for the auth branch — NOTE(review):
 * presumably an auth packet is accepted at any point in the connection's life; confirm.
 *
 * @param cnxn           the connection the frame arrived on
 * @param incomingBuffer the frame: a {@link RequestHeader} followed by the request body
 * @throws IOException if the header or body cannot be deserialized, or the request is rejected as too large
 */
public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {
    // We have the request, now process and setup for next
    InputStream bais = new ByteBufferInputStream(incomingBuffer);
    BinaryInputArchive bia = BinaryInputArchive.getArchive(bais);
    RequestHeader h = new RequestHeader();
    h.deserialize(bia, "header");
    // Need to increase the outstanding request count first, otherwise
    // there might be a race condition that it enabled recv after
    // processing request and then disabled when check throttling.
    // 
    // Be aware that we're actually checking the global outstanding
    // request before this request.
    // 
    // It's fine if the IOException thrown before we decrease the count
    // in cnxn, since it will close the cnxn anyway.
    cnxn.incrOutstandingAndCheckThrottle(h);
    // Through the magic of byte buffers, txn will not be
    // pointing
    // to the start of the txn
    incomingBuffer = incomingBuffer.slice();
    if (h.getType() == OpCode.auth) {
        LOG.info("got auth packet {}", cnxn.getRemoteSocketAddress());
        AuthPacket authPacket = new AuthPacket();
        ByteBufferInputStream.byteBuffer2Record(incomingBuffer, authPacket);
        // The scheme string is client-supplied; here it is only a registry
        // lookup key. The raw auth bytes go to the provider unparsed, so the
        // provider owns all validation of the credential material.
        String scheme = authPacket.getScheme();
        ServerAuthenticationProvider ap = ProviderRegistry.getServerProvider(scheme);
        // Default to failure so that an unknown scheme (ap == null) is a denial.
        Code authReturn = KeeperException.Code.AUTHFAILED;
        if (ap != null) {
            try {
                // handleAuthentication may close the connection, to allow the client to choose
                // a different server to connect to.
                authReturn = ap.handleAuthentication(new ServerAuthenticationProvider.ServerObjs(this, cnxn), authPacket.getAuth());
            } catch (RuntimeException e) {
                // A misbehaving provider is a denial, not a server error that
                // propagates to the caller.
                LOG.warn("Caught runtime exception from AuthenticationProvider: {}", scheme, e);
                authReturn = KeeperException.Code.AUTHFAILED;
            }
        }
        if (authReturn == KeeperException.Code.OK) {
            LOG.info("Session 0x{}: auth success for scheme {} and address {}", Long.toHexString(cnxn.getSessionId()), scheme, cnxn.getRemoteSocketAddress());
            ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
            cnxn.sendResponse(rh, null, null);
        } else {
            if (ap == null) {
                // The registered provider list goes to the server log only, not to the client.
                LOG.warn("No authentication provider for scheme: {} has {}", scheme, ProviderRegistry.listProviders());
            } else {
                LOG.warn("Authentication failed for scheme: {}", scheme);
            }
            // send a response...
            ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.AUTHFAILED.intValue());
            cnxn.sendResponse(rh, null, null);
            // ... and close connection
            cnxn.sendBuffer(ServerCnxnFactory.closeConn);
            cnxn.disableRecv();
        }
        return;
    } else if (h.getType() == OpCode.sasl) {
        processSasl(incomingBuffer, cnxn, h);
    } else {
        if (!authHelper.enforceAuthentication(cnxn, h.getXid())) {
            // Already sent response to user about failure and closed the session, lets return
            return;
        } else {
            // The request carries a snapshot of the connection's auth info as of now;
            // the ACL check downstream works from this list.
            Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(), h.getType(), incomingBuffer, cnxn.getAuthInfo());
            int length = incomingBuffer.limit();
            if (isLargeRequest(length)) {
                // checkRequestSize will throw IOException if request is rejected
                checkRequestSizeWhenMessageReceived(length);
                si.setLargeRequestSize(length);
            }
            si.setOwner(ServerCnxn.me);
            submitRequest(si);
        }
    }
}

Example 4 with ServerAuthenticationProvider

Usage of org.apache.zookeeper.server.auth.ServerAuthenticationProvider in project zookeeper by apache: class ZooKeeperServer, instance method checkACL (the same authorization check as in PrepRequestProcessor, with the server passed as {@code this}).

/**
 * Decides whether the calling connection may perform an operation that needs
 * {@code perm} on the node guarded by {@code acl}. Returns normally on grant
 * and throws {@link KeeperException.NoAuthException} on denial.
 *
 * <p>Steps, in order, and their security meaning:
 * <ol>
 *   <li>{@code skipACL} set: everything is allowed (server-wide bypass).</li>
 *   <li>Null or empty ACL list: the node is unrestricted.</li>
 *   <li>Any credential with scheme {@code "super"}: granted regardless of ACL.</li>
 *   <li>Each ACL entry whose permission bits overlap {@code perm}, in list
 *       order: {@code world:anyone} grants; any other scheme is decided by the
 *       registered {@link ServerAuthenticationProvider} for that scheme, asked
 *       once per client credential carrying the same scheme. An entry whose
 *       scheme has no registered provider can never grant.</li>
 * </ol>
 *
 * <p>Unlike the static variant in PrepRequestProcessor this one logs the ACL
 * and credentials unconditionally at debug level (the logger decides whether
 * they are emitted), so debug logging here exposes identity information.
 *
 * @param cnxn    the client connection, handed to the provider
 * @param acl     the ACL entries attached to the node (may be null or empty)
 * @param perm    bitmask of the permission(s) the request needs
 * @param ids     the identities the connection has authenticated as
 * @param path    the znode path being accessed
 * @param setAcls for setACL operations, the ACL list being installed; otherwise null
 * @throws KeeperException.NoAuthException if no entry grants the requested permission
 */
public void checkACL(ServerCnxn cnxn, List<ACL> acl, int perm, List<Id> ids, String path, List<ACL> setAcls) throws KeeperException.NoAuthException {
    if (skipACL) {
        return;
    }
    LOG.debug("Permission requested: {} ", perm);
    LOG.debug("ACLs for node: {}", acl);
    LOG.debug("Client credentials: {}", ids);
    if (acl == null || acl.size() == 0) {
        return;
    }
    // A super-user credential trumps the node's ACL entirely.
    for (Id credential : ids) {
        if (credential.getScheme().equals("super")) {
            return;
        }
    }
    boolean granted = false;
    entries:
    for (ACL entry : acl) {
        Id aclId = entry.getId();
        boolean coversRequestedPerm = (entry.getPerms() & perm) != 0;
        if (!coversRequestedPerm) {
            continue;
        }
        if (aclId.getScheme().equals("world") && aclId.getId().equals("anyone")) {
            granted = true;
            break;
        }
        ServerAuthenticationProvider provider = ProviderRegistry.getServerProvider(aclId.getScheme());
        if (provider == null) {
            // No provider for this scheme: the entry is inert.
            continue;
        }
        for (Id credential : ids) {
            if (!credential.getScheme().equals(aclId.getScheme())) {
                continue;
            }
            ServerAuthenticationProvider.ServerObjs serverObjs = new ServerAuthenticationProvider.ServerObjs(this, cnxn);
            ServerAuthenticationProvider.MatchValues values = new ServerAuthenticationProvider.MatchValues(path, credential.getId(), aclId.getId(), perm, setAcls);
            if (provider.matches(serverObjs, values)) {
                granted = true;
                break entries;
            }
        }
    }
    if (!granted) {
        throw new KeeperException.NoAuthException();
    }
}
