Refine search
/** * parse string into list of ACL * @param aclString * @return */ public static List<ACL> parse(String aclString) { List<ACL> acl; String acls[] = aclString.split(","); acl = new ArrayList<ACL>(); for (String a : acls) { int firstColon = a.indexOf(':'); int lastColon = a.lastIndexOf(':'); if (firstColon == -1 || lastColon == -1 || firstColon == lastColon) { System.err.println(a + " does not have the form scheme:id:perm"); continue; } ACL newAcl = new ACL(); newAcl.setId(new Id(a.substring(0, firstColon), a.substring( firstColon + 1, lastColon))); newAcl.setPerms(getPermFromString(a.substring(lastColon + 1))); acl.add(newAcl); } return acl; }
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) { for (String user : superUsers) { boolean hasAccess = false; // TODO: Validate super group members also when ZK supports setting node ACL for groups. if (!AuthUtil.isGroupPrincipal(user)) { for (ACL acl : acls) { if (user.equals(acl.getId().getId())) { if (acl.getPerms() == Perms.ALL) { hasAccess = true; } else { if (LOG.isDebugEnabled()) { LOG.debug(String.format( "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x", acl.getId().getId(), acl.getPerms(), Perms.ALL)); } } break; } } if (!hasAccess) { return false; } } } return true; }
private void checkAndSetAcls() throws Exception { if (!UserGroupInformation.isSecurityEnabled()) return; // We are trying to check ACLs on the "workers" directory, which noone except us should be // able to write to. Higher-level directories shouldn't matter - we don't read them. String pathToCheck = workersPath; List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck); if (acls == null || acls.isEmpty()) { // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all. LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage); setUpAcls(pathToCheck); return; } // This could be brittle. assert userNameFromPrincipal != null; Id currentUser = new Id("sasl", userNameFromPrincipal); for (ACL acl : acls) { if ((acl.getPerms() & ~ZooDefs.Perms.READ) == 0 || currentUser.equals(acl.getId())) { continue; // Read permission/no permissions, or the expected user. } LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck + "; setting up ACLs. " + disableMessage); setUpAcls(pathToCheck); return; } }
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3); String userPass = "myuser:mypass"; final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(userPass))); ACLProvider digestAclProvider = new ACLProvider() { .authorization("digest", userPass.getBytes("UTF-8")) .build(); curatorFramework.start(); ZKDelegationTokenSecretManager.setCurator(curatorFramework); tm1 = new DelegationTokenManager(conf, new Text("bla")); curatorFramework.close();
private void createClient() throws Exception { // Connect to the ZooKeeper server RetryPolicy retryPolicy = ZKUtils.getRetryPolicy(); String zkConnectionString = ConfigurationService.get(ZK_CONNECTION_STRING); String zkNamespace = getZKNameSpace(); int zkConnectionTimeout = ConfigurationService.getInt(ZK_CONNECTION_TIMEOUT); int zkSessionTimeout = ConfigurationService.getInt(ZK_SESSION_TIMEOUT, 300); ACLProvider aclProvider; if (Services.get().getConf().getBoolean(ZK_SECURE, false)) { log.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs"); setJaasConfiguration(); System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client"); System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"); saslACL = Collections.singletonList(new ACL(Perms.ALL, new Id("sasl", getServicePrincipal()))); aclProvider = new SASLOwnerACLProvider(); } else { log.info("Connecting to ZooKeeper without authentication"); aclProvider = new DefaultACLProvider(); // open to everyone } client = CuratorFrameworkFactory.builder() .namespace(zkNamespace) .connectString(zkConnectionString) .retryPolicy(retryPolicy) .aclProvider(aclProvider) .connectionTimeoutMs(zkConnectionTimeout * 1000) // in ms .sessionTimeoutMs(zkSessionTimeout * 1000) //in ms .build(); client.start(); client.getConnectionStateListenable().addListener(new ZKConnectionListener()); }
ACL worldReadPermissionACL = new ACL(ZooDefs.Perms.READ, new Id("world", "anyone")); acls.add(worldReadPermissionACL); Stat serverInfo = client.checkExists().forPath(getZnodePath(zookeeperProperties)); if (serverInfo == null) { client.create(). withMode(CreateMode.EPHEMERAL). withACL(acls). forPath(getZnodePath(zookeeperProperties)); client.setData().forPath(getZnodePath(zookeeperProperties), atlasServerAddress.getBytes(Charset.forName("UTF-8"))); } catch (Exception e) {
private void checkAndSetACLs() throws Exception { if (zkSecure && !aclChecked) { // If znodes were previously created without security enabled, and now it is, we need to go through all existing znodes // and set the ACLs for them. This is done just once at the startup // We can't get the namespace znode through curator; have to go through zk client startCuratorFramework(); String namespace = "/" + curatorFramework.getNamespace(); if (curatorFramework.getZookeeperClient().getZooKeeper().exists(namespace, null) != null) { List<ACL> acls = curatorFramework.getZookeeperClient().getZooKeeper().getACL(namespace, new Stat()); if (acls.isEmpty() || !acls.get(0).getId().getScheme().equals("sasl")) { LOGGER.info("'sasl' ACLs not set; setting..."); List<String> children = curatorFramework.getZookeeperClient().getZooKeeper().getChildren(namespace, null); for (String child : children) { checkAndSetACLs("/" + child); } curatorFramework.getZookeeperClient().getZooKeeper().setACL(namespace, saslACL, -1); } } aclChecked = true; } }
/** * createNodeWithACL * Create a node under ACL mode * @param path * @param payload * @throws Exception */ public void createNodeWithACL(String path, byte[] payload) throws Exception { ACL acl = new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS); List<ACL> aclList = Lists.newArrayList(acl); try { client.create().withACL(aclList).forPath(path, payload); } catch (Exception e) { logger.error("Create security file failed."); e.printStackTrace(); } }
@Override public List<ACL> getAclForPath(final String path) { // id -> permissions final Map<Id, Integer> matching = Maps.newHashMap(); for (final Rule rule : rules) { if (rule.matches(path)) { final int existingPerms = matching.containsKey(rule.id) ? matching.get(rule.id) : 0; matching.put(rule.id, rule.perms | existingPerms); } } if (matching.isEmpty()) { return null; } final List<ACL> acls = Lists.newArrayList(); for (final Map.Entry<Id, Integer> e : matching.entrySet()) { acls.add(new ACL(e.getValue(), e.getKey())); } return acls; }
for (int j = 100; j < 200; j++) { path = "/" + j; ACL acl = new ACL(); acl.setPerms(0); Id id = new Id(); id.setId("1.1.1."+j); id.setScheme("ip"); acl.setId(id); List<ACL> list = new ArrayList<ACL>(); list.add(acl); for (int j = 200; j < 205; j++) { path = "/" + j; ACL acl = new ACL(); acl.setPerms(0); Id id = new Id(); id.setId("1.1.1."+j); id.setScheme("ip"); acl.setId(id); ArrayList<ACL> list = new ArrayList<ACL>(); list.add(acl);
private List<ACL> createAclsForExclusiveReadAccess() throws LlamaException { List<ACL> acls = new ArrayList<ACL>(); for (ACL acl : conf.getZkAcls()) { acls.add(new ACL( ZKUtil.removeSpecificPerms(acl.getPerms(), ZooDefs.Perms.READ), acl.getId())); } Id llamaId; try { llamaId = new Id(authScheme, DigestAuthenticationProvider.generateDigest( fencingUsername + ":" + fencingPassword)); } catch (NoSuchAlgorithmException e) { throw new LlamaException(ErrorCode.INTERNAL_ERROR, "Unable to create username:password digest for ZK"); } acls.add(new ACL(ZooDefs.Perms.READ, llamaId)); return acls; }
/** * Parse the IDs, adding a realm if needed, setting the permissions * @param principalList id string * @param realm realm to add * @param perms permissions * @return the relevant ACLs * @throws IOException */ public List<ACL> buildACLs(String principalList, String realm, int perms) throws IOException { List<String> aclPairs = splitAclPairs(principalList, realm); List<ACL> ids = new ArrayList<ACL>(aclPairs.size()); for (String aclPair : aclPairs) { ACL newAcl = new ACL(); newAcl.setId(parse(aclPair, realm)); newAcl.setPerms(perms); ids.add(newAcl); } return ids; }
@Override public void setACL(String path, List<EntryACL> entryACLs) { // Translate the abstract ACLs into ZooKeeper ACLs List<ACL> delegateACLs = new ArrayList<>(); for (EntryACL entryACL : entryACLs) { String scheme = entryACL.getType(); String id = entryACL.getId(); int permissions = 0; if (entryACL.canWrite()) { permissions = ZooDefs.Perms.ALL; } else if (entryACL.canRead()){ permissions = ZooDefs.Perms.READ; } delegateACLs.add(new ACL(permissions, new Id(scheme, id))); } try { // Set the ACLs for the path delegate.setACL().withACL(delegateACLs).forPath(path); } catch (Exception e) { log.errorSettingEntryACL(path, e); } }
@Override public boolean exec() throws CliException { String path = args[1]; Stat stat = new Stat(); List<ACL> acl; try { acl = zk.getACL(path, stat); } catch (IllegalArgumentException ex) { throw new MalformedPathException(ex.getMessage()); } catch (KeeperException|InterruptedException ex) { throw new CliWrapperException(ex); } for (ACL a : acl) { out.println(a.getId() + ": " + getPermString(a.getPerms())); } if (cl.hasOption("s")) { new StatPrinter(out).print(stat); } return false; }
@Test public void testBuildAclsRealmed() throws Throwable { List<ACL> acls = registrySecurity.buildACLs( SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM, "", ZooDefs.Perms.ALL); assertEquals(YARN_EXAMPLE_COM, acls.get(0).getId().getId()); assertEquals(MAPRED_EXAMPLE_COM, acls.get(1).getId().getId()); }
public synchronized void deserialize(InputArchive ia) throws IOException { clear(); int i = ia.readInt("map"); while (i > 0) { Long val = ia.readLong("long"); if (aclIndex < val) { aclIndex = val; } List<ACL> aclList = new ArrayList<ACL>(); Index j = ia.startVector("acls"); if (j == null) { throw new RuntimeException("Incorrent format of InputArchive when deserialize DataTree - missing acls"); } while (!j.done()) { ACL acl = new ACL(); acl.deserialize(ia, "acl"); aclList.add(acl); j.incr(); } longKeyMap.put(val, aclList); aclKeyMap.put(aclList, val); referenceCounter.put(val, new AtomicLongWithEquals(0)); i--; } }
private static void checkAcls(CuratorFramework zkClient, Id user, String path) { List<ACL> acls = null; try { acls = zkClient.getACL().forPath(path); } catch (Exception ex) { throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, ex); } if (acls == null || acls.isEmpty()) { // There's some access (to get ACLs), so assume it means free for all. throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE); } for (ACL acl : acls) { if (!user.equals(acl.getId())) { throw new SecurityException("The ACL " + acl + " is unnacceptable for " + path + "; only " + user + " is allowed. " + DISABLE_MESSAGE); } } }
public String toString(List<ACL> acls) { if (acls == null) { return ""; } StringBuilder result = new StringBuilder(); for(ACL acl : acls) { result.append(acl.getPerms()).append("::"); } return result.toString(); }