/**
 * Reads the ACL entries currently set on a ZNode.
 *
 * <p>This is a plain pass-through to {@code curator.getACL().forPath(path)}: the
 * entries are neither validated nor filtered here, so a caller that bases a trust
 * decision on them has to inspect schemes, ids and permission bits itself.
 *
 * @param path path of the ZNode
 * @return the ACL list returned by the client call
 * @throws Exception propagated unchanged from the client call
 */
public List<ACL> getACL(final String path) throws Exception {
  final List<ACL> nodeAcls = curator.getACL().forPath(path);
  return nodeAcls;
}
/**
 * Fails unless every ACL entry on {@code path} belongs to {@code user}.
 *
 * <p>The check is on identity only: an entry whose {@link Id} differs from
 * {@code user} is rejected whatever its permission bits are, and the permission
 * bits granted to {@code user} are not examined. A null or empty ACL list is
 * treated as an unprotected node.
 *
 * @param zkClient client used to read the ACLs
 * @param user the only identity allowed to appear in the ACL list
 * @param path node whose ACLs are checked
 * @throws RuntimeException if the ACLs cannot be read (the cause is attached)
 * @throws SecurityException if the node has no ACLs or has an entry for another identity
 */
private static void checkAcls(CuratorFramework zkClient, Id user, String path) {
  final List<ACL> nodeAcls;
  try {
    nodeAcls = zkClient.getACL().forPath(path);
  } catch (Exception ex) {
    throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, ex);
  }

  final boolean unprotected = nodeAcls == null || nodeAcls.isEmpty();
  if (unprotected) {
    // The ACL read itself succeeded, so some access exists; with no entries
    // listed the node is assumed to be open to everyone.
    throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE);
  }

  for (ACL entry : nodeAcls) {
    if (user.equals(entry.getId())) {
      continue; // entry for the expected identity
    }
    throw new SecurityException("The ACL " + entry + " is unnacceptable for " + path
        + "; only " + user + " is allowed. " + DISABLE_MESSAGE);
  }
}
/**
 * Returns the ACL entries of the node at {@code path}.
 *
 * <p>{@code assertClusterIdFlagTrue()} runs first. Any exception from the client
 * call goes through {@code throwIfInstanceOf(e, KeeperException.class)}
 * (presumably rethrowing it when it is a {@link KeeperException}; confirm against
 * the helper) and is otherwise wrapped in a {@link RuntimeException}.
 *
 * <p>NOTE(review): the catch is on {@code Exception}, so an
 * {@code InterruptedException} would also end up wrapped, without the thread's
 * interrupt flag being restored.
 *
 * @param path node path
 * @return the ACL list returned by the client call
 * @throws KeeperException when the client call fails with one
 */
@Override
public List<ACL> getAcl(final String path) throws KeeperException {
  assertClusterIdFlagTrue();
  final List<ACL> nodeAcls;
  try {
    nodeAcls = client.getACL().forPath(path);
  } catch (Exception e) {
    throwIfInstanceOf(e, KeeperException.class);
    throw new RuntimeException(e);
  }
  return nodeAcls;
}
/**
 * Verifies that the master sets the ACLs from the ACL provider on the root node at start-up.
 *
 * <p>The ACLs are read through {@code zk().curatorWithSuperAuth()}. Both sides are
 * compared as sets, so entry order and duplicate entries do not affect the result.
 */
@Test
public void testMasterSetsRootNodeAcls() throws Exception {
  final String rootPath = "/";

  startDefaultMaster();

  final CuratorFramework superClient = zk().curatorWithSuperAuth();
  final List<ACL> actualAcls = superClient.getACL().forPath(rootPath);

  assertEquals(
      Sets.newHashSet(aclProvider.getAclForPath(rootPath)),
      Sets.newHashSet(actualAcls));
}
/**
 * Checks the ACLs on the workers node and calls {@code setUpAcls} when they are not acceptable.
 *
 * <p>Nothing happens when {@code UserGroupInformation.isSecurityEnabled()} is false.
 * Otherwise an entry is accepted if it grants nothing beyond READ, or if its identity
 * equals the {@code sasl} id built from {@code userNameFromPrincipal}. A null or empty
 * list, or the first entry that is neither, leads to a warning and one
 * {@code setUpAcls(workersPath)} call. Only {@code workersPath} itself is inspected,
 * not its ancestors.
 *
 * @throws Exception propagated from the ZooKeeper client call or from {@code setUpAcls}
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  // Only the "workers" directory is checked: nobody except this process should be able
  // to write to it. Higher-level directories are not read, so they are not checked.
  final String pathToCheck = workersPath;
  final List<ACL> currentAcls = zooKeeperClient.getACL().forPath(pathToCheck);

  final boolean noAcls = currentAcls == null || currentAcls.isEmpty();
  if (noAcls) {
    // The ACL read succeeded, so some access exists; an empty list is taken to mean
    // the node is open to everyone.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }

  // This could be brittle.
  // NOTE(review): Java assertions are off unless the JVM runs with -ea, so this line
  // is not a guard in a default production run.
  assert userNameFromPrincipal != null;
  final Id currentUser = new Id("sasl", userNameFromPrincipal);

  for (ACL entry : currentAcls) {
    final boolean grantsAtMostRead = (entry.getPerms() & ~ZooDefs.Perms.READ) == 0;
    if (!grantsAtMostRead && !currentUser.equals(entry.getId())) {
      // Grants more than READ to an identity other than the expected user.
      LOG.warn("The ACL " + entry + " is unnacceptable for " + pathToCheck
          + "; setting up ACLs. " + disableMessage);
      setUpAcls(pathToCheck);
      return;
    }
  }
}
/**
 * Checks that a node created by an agent carries the ACLs supplied by the ACL provider.
 *
 * <p>After the agent for {@code TEST_HOST} has registered, the ACLs of
 * {@code Paths.configHost(TEST_HOST)} are read through
 * {@code zk().curatorWithSuperAuth()} and compared, as sets, with the provider's
 * answer for the same path; entry order and duplicates are therefore ignored.
 */
@Test
public void testAgentCreatedNodesHaveAcls() throws Exception {
  startDefaultMaster();
  startDefaultAgent(TEST_HOST);
  awaitHostRegistered(TEST_HOST, WAIT_TIMEOUT_SECONDS, TimeUnit.SECONDS);

  final CuratorFramework superClient = zk().curatorWithSuperAuth();
  final String hostConfigPath = Paths.configHost(TEST_HOST);
  final List<ACL> actualAcls = superClient.getACL().forPath(hostConfigPath);

  assertEquals(
      Sets.newHashSet(aclProvider.getAclForPath(hostConfigPath)),
      Sets.newHashSet(actualAcls));
}
/**
 * Checks that a node created by the master carries the ACLs supplied by the ACL provider.
 *
 * <p>Once {@code listMasters()} reports at least one master, the ACLs of
 * {@code Paths.statusMasterUp(TEST_MASTER)} are read through
 * {@code zk().curatorWithSuperAuth()} and compared, as sets, with the provider's
 * answer for the same path; entry order and duplicates are therefore ignored.
 */
@Test
public void testMasterCreatedNodesHaveAcls() throws Exception {
  startDefaultMaster();

  // Yields null while no master is listed and true once one is; presumably
  // Polling.await keeps polling on null (confirm against Polling).
  final Callable<Boolean> masterListed = new Callable<Boolean>() {
    @Override
    public Boolean call() throws Exception {
      if (defaultClient().listMasters().get().isEmpty()) {
        return null;
      }
      return true;
    }
  };
  Polling.await(WAIT_TIMEOUT_SECONDS, TimeUnit.SECONDS, masterListed);

  final CuratorFramework superClient = zk().curatorWithSuperAuth();
  final String masterUpPath = Paths.statusMasterUp(TEST_MASTER);
  final List<ACL> actualAcls = superClient.getACL().forPath(masterUpPath);

  assertEquals(
      Sets.newHashSet(aclProvider.getAclForPath(masterUpPath)),
      Sets.newHashSet(actualAcls));
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Starts a get-ACL operation on the wrapped client and returns its builder wrapped
 * in a {@code GetACLBuilderDecorator}.
 *
 * @return a new decorator around {@code inner.getACL()}
 */
@Override
public GetACLBuilder getACL() {
  final GetACLBuilder wrappedBuilder = inner.getACL();
  return new GetACLBuilderDecorator(wrappedBuilder);
}
/**
 * Returns the ACL entries of a registry path, each wrapped in a {@code ZooKeeperACLAdapter}.
 *
 * <p>Failures are not propagated: an exception from the ZooKeeper call (or while
 * adapting an entry) is passed to {@code log.errorHandlingRemoteConfigACL} and the
 * entries collected so far, possibly none, are returned. A caller therefore cannot
 * tell "the read failed" from "the node has no ACL entries" by the return value,
 * and should not read an empty list as proof that access is restricted.
 *
 * @param path registry path whose ACLs are read
 * @return the adapted entries; never null, empty on error or when the client returned null
 */
@Override
public List<RemoteConfigurationRegistryClient.EntryACL> getACL(String path) {
  final List<RemoteConfigurationRegistryClient.EntryACL> adapted = new ArrayList<>();
  try {
    final List<ACL> nodeAcls = delegate.getACL().forPath(path);
    if (nodeAcls != null) {
      for (ACL nodeAcl : nodeAcls) {
        adapted.add(new ZooKeeperACLAdapter(nodeAcl));
      }
    }
  } catch (Exception e) {
    log.errorHandlingRemoteConfigACL(path, e);
  }
  return adapted;
}
/**
 * Gets ACL information for a node.
 *
 * <p>Only the first entry of the node's ACL list is reported. Any further entries,
 * including ones that grant access to other identities, do not appear in the
 * result, so the map is not a complete picture of who can access the node.
 * NOTE(review): {@code get(0)} throws if the client returns an empty list.
 *
 * @param path node path
 * @return a map with the keys {@code perms}, {@code id} and {@code scheme} taken from the first ACL entry
 * @throws Exception propagated from the client call
 */
@Override
public Map<String, Object> getACL(String path) throws Exception {
  final ACL firstEntry = client.getACL().forPath(path).get(0);
  final Id identity = firstEntry.getId();

  final Map<String, Object> info = new HashMap<>();
  info.put("perms", firstEntry.getPerms());
  info.put("id", identity.getId());
  info.put("scheme", identity.getScheme());
  return info;
}
curator.getACL().forPath(childPath); for (ACL acl : acls) { builder.append(RegistrySecurity.aclToString(acl));
curator.getACL().forPath(childPath); for (ACL acl : acls) { builder.append(RegistrySecurity.aclToString(acl));
/**
 * Gets the ACLs of a path.
 *
 * <p>{@code checkServiceLive()} runs first and the path is expanded with
 * {@code createFullPath} before the read. Any exception from the read is converted
 * by {@code operationFailure}.
 *
 * @param path path of operation
 * @return a possibly empty list of ACLs
 * @throws IOException the converted failure of the read, or
 *     {@code PathNotFoundException} when the client call returned null
 */
public List<ACL> zkGetACLS(String path) throws IOException {
  checkServiceLive();
  final String fullpath = createFullPath(path);

  final List<ACL> nodeAcls;
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("GetACLS {}", fullpath);
    }
    nodeAcls = curator.getACL().forPath(fullpath);
  } catch (Exception e) {
    throw operationFailure(fullpath, "read()", e);
  }

  // Kept outside the try so this exception is not re-wrapped by the catch above.
  if (nodeAcls != null) {
    return nodeAcls;
  }
  throw new PathNotFoundException(path);
}
private List<ZookeeperAclMetadata> collectAclMetadata(CuratorFramework curator, String path) throws Exception { List<ZookeeperAclMetadata> aclMetadata = Lists.newArrayList(); if (checkNodeExist(curator, path)) { List<ACL> acls = curator.getACL().forPath(path); if (null != acls && !acls.isEmpty()) { for (ACL acl : acls) {
/**
 * Gets the ACLs of a path.
 *
 * <p>{@code checkServiceLive()} runs first and the path is expanded with
 * {@code createFullPath} before the read. Any exception from the read is converted
 * by {@code operationFailure}.
 *
 * @param path path of operation
 * @return a possibly empty list of ACLs
 * @throws IOException the converted failure of the read, or
 *     {@code PathNotFoundException} when the client call returned null
 */
public List<ACL> zkGetACLS(String path) throws IOException {
  checkServiceLive();
  final String fullpath = createFullPath(path);

  final List<ACL> nodeAcls;
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("GetACLS {}", fullpath);
    }
    nodeAcls = curator.getACL().forPath(fullpath);
  } catch (Exception e) {
    throw operationFailure(fullpath, "read()", e);
  }

  // Kept outside the try so this exception is not re-wrapped by the catch above.
  if (nodeAcls != null) {
    return nodeAcls;
  }
  throw new PathNotFoundException(path);
}
/**
 * Asserts that the node at {@code path} has exactly one ACL entry and that it equals
 * {@code expectedACL}.
 *
 * <p>The size assertion comes first, so an extra entry on the node fails the check
 * even when the first entry matches.
 *
 * @param curatorFramework client used to read the ACLs
 * @param path node whose ACLs are verified
 * @param expectedACL the single entry the node must carry
 * @throws Exception propagated from the client call
 */
private void verifyACL(CuratorFramework curatorFramework, String path, ACL expectedACL)
    throws Exception {
  final List<ACL> actualAcls = curatorFramework.getACL().forPath(path);

  final int entryCount = actualAcls.size();
  Assert.assertEquals(1, entryCount);

  final ACL onlyEntry = actualAcls.get(0);
  Assert.assertEquals(expectedACL, onlyEntry);
}
/**
 * Asserts that the node at {@code path} has exactly one ACL entry and that it equals
 * {@code expectedACL}.
 *
 * <p>The size assertion comes first, so an extra entry on the node fails the check
 * even when the first entry matches.
 *
 * @param curatorFramework client used to read the ACLs
 * @param path node whose ACLs are verified
 * @param expectedACL the single entry the node must carry
 * @throws Exception propagated from the client call
 */
private void verifyACL(CuratorFramework curatorFramework, String path, ACL expectedACL)
    throws Exception {
  final List<ACL> actualAcls = curatorFramework.getACL().forPath(path);

  final int entryCount = actualAcls.size();
  Assert.assertEquals(1, entryCount);

  final ACL onlyEntry = actualAcls.get(0);
  Assert.assertEquals(expectedACL, onlyEntry);
}
/**
 * Checks the ACLs on the workers node and calls {@code setUpAcls} when they are not acceptable.
 *
 * <p>Nothing happens when {@code UserGroupInformation.isSecurityEnabled()} is false.
 * Otherwise an entry is accepted if it grants nothing beyond READ, or if its identity
 * equals the {@code sasl} id built from {@code userNameFromPrincipal}. A null or empty
 * list, or the first entry that is neither, leads to a warning and one
 * {@code setUpAcls(workersPath)} call. Only {@code workersPath} itself is inspected,
 * not its ancestors.
 *
 * @throws Exception propagated from the ZooKeeper client call or from {@code setUpAcls}
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  // Only the "workers" directory is checked: nobody except this process should be able
  // to write to it. Higher-level directories are not read, so they are not checked.
  final String pathToCheck = workersPath;
  final List<ACL> currentAcls = zooKeeperClient.getACL().forPath(pathToCheck);

  final boolean noAcls = currentAcls == null || currentAcls.isEmpty();
  if (noAcls) {
    // The ACL read succeeded, so some access exists; an empty list is taken to mean
    // the node is open to everyone.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }

  // This could be brittle.
  // NOTE(review): Java assertions are off unless the JVM runs with -ea, so this line
  // is not a guard in a default production run.
  assert userNameFromPrincipal != null;
  final Id currentUser = new Id("sasl", userNameFromPrincipal);

  for (ACL entry : currentAcls) {
    final boolean grantsAtMostRead = (entry.getPerms() & ~ZooDefs.Perms.READ) == 0;
    if (!grantsAtMostRead && !currentUser.equals(entry.getId())) {
      // Grants more than READ to an identity other than the expected user.
      LOG.warn("The ACL " + entry + " is unnacceptable for " + pathToCheck
          + "; setting up ACLs. " + disableMessage);
      setUpAcls(pathToCheck);
      return;
    }
  }
}