private static void checkAcls(CuratorFramework zkClient, Id user, String path) { List<ACL> acls = null; try { acls = zkClient.getACL().forPath(path); } catch (Exception ex) { throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, ex); } if (acls == null || acls.isEmpty()) { // There's some access (to get ACLs), so assume it means free for all. throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE); } for (ACL acl : acls) { if (!user.equals(acl.getId())) { throw new SecurityException("The ACL " + acl + " is unnacceptable for " + path + "; only " + user + " is allowed. " + DISABLE_MESSAGE); } } }
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) { for (String user : superUsers) { boolean hasAccess = false; // TODO: Validate super group members also when ZK supports setting node ACL for groups. if (!AuthUtil.isGroupPrincipal(user)) { for (ACL acl : acls) { if (user.equals(acl.getId().getId())) { if (acl.getPerms() == Perms.ALL) { hasAccess = true; } else { if (LOG.isDebugEnabled()) { LOG.debug(String.format( "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x", acl.getId().getId(), acl.getPerms(), Perms.ALL)); } } break; } } if (!hasAccess) { return false; } } } return true; }
Id id = acl.getId();
@Override public boolean exec() throws CliException { String path = args[1]; Stat stat = new Stat(); List<ACL> acl; try { acl = zk.getACL(path, stat); } catch (IllegalArgumentException ex) { throw new MalformedPathException(ex.getMessage()); } catch (KeeperException|InterruptedException ex) { throw new CliWrapperException(ex); } for (ACL a : acl) { out.println(a.getId() + ": " + getPermString(a.getPerms())); } if (cl.hasOption("s")) { new StatPrinter(out).print(stat); } return false; }
Id id = a.getId(); if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world")
private void checkAndSetAcls() throws Exception { if (!UserGroupInformation.isSecurityEnabled()) return; // We are trying to check ACLs on the "workers" directory, which noone except us should be // able to write to. Higher-level directories shouldn't matter - we don't read them. String pathToCheck = workersPath; List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck); if (acls == null || acls.isEmpty()) { // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all. LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage); setUpAcls(pathToCheck); return; } // This could be brittle. assert userNameFromPrincipal != null; Id currentUser = new Id("sasl", userNameFromPrincipal); for (ACL acl : acls) { if ((acl.getPerms() & ~ZooDefs.Perms.READ) == 0 || currentUser.equals(acl.getId())) { continue; // Read permission/no permissions, or the expected user. } LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck + "; setting up ACLs. " + disableMessage); setUpAcls(pathToCheck); return; } }
while (it.hasNext()) { ACL a = it.next(); Id id = a.getId(); if (id.getScheme().equals("world") && id.getId().equals("anyone")) {
throw new KeeperException.InvalidACLException(path); Id id = a.getId(); if (id == null || id.getScheme() == null) { throw new KeeperException.InvalidACLException(path);
acl = zk.getACL(path, stat); for (ACL a : acl) { System.out.println(a.getId() + ": " + getPermString(a.getPerms()));
Id id = a.getId(); if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world")
boolean foundHBaseOwnerAcl = false; for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else { if (acls.get(i).getId().getScheme().equals("sasl") == true) { assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true; } else { // error: should not get here: test fails.
/** * Finally, we check the ACLs of a node outside of the /hbase hierarchy and * verify that its ACL is simply 'hbase:Perms.ALL'. */ @Test public void testOutsideHBaseNodeACL() throws Exception { if (!secureZKAvailable) { return; } ZKUtil.createWithParents(zkw, "/testACLNode"); List<ACL> acls = zkw.getRecoverableZooKeeper().getZooKeeper() .getACL("/testACLNode", new Stat()); assertEquals(1, acls.size()); assertEquals("sasl", acls.get(0).getId().getScheme()); assertEquals("hbase", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); }
boolean foundHBaseOwnerAcl = false; for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else { if (acls.get(i).getId().getScheme().equals("sasl") == true) { assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true; } else { // error: should not get here: test fails.
boolean foundHBaseOwnerAcl = false; for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; if (acls.get(i).getId().getScheme().equals("sasl") == true) { assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true; } else { // error: should not get here: test fails.
/** * Create a node and check its ACL. When authentication is enabled on * ZooKeeper, all nodes (except /hbase/root-region-server, /hbase/master * and /hbase/hbaseid) should be created so that only the hbase server user * (master or region server user) that created them can access them, and * this user should have all permissions on this node. For * /hbase/root-region-server, /hbase/master, and /hbase/hbaseid the * permissions should be as above, but should also be world-readable. First * we check the general case of /hbase nodes in the following test, and * then check the subset of world-readable nodes in the three tests after * that. */ @Test public void testHBaseRootZNodeACL() throws Exception { if (!secureZKAvailable) { return; } List<ACL> acls = zkw.getRecoverableZooKeeper().getZooKeeper() .getACL("/hbase", new Stat()); assertEquals(1, acls.size()); assertEquals("sasl", acls.get(0).getId().getScheme()); assertEquals("hbase", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); }
Id id = acl.getId();
if (acls.size() == 1) { ACL actualAcl = acls.get(0), expectedAcl = ZooUtil.PRIVATE.get(0); Id actualId = actualAcl.getId();
@Test public void testBuildAclsRealmed() throws Throwable { List<ACL> acls = registrySecurity.buildACLs( SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM, "", ZooDefs.Perms.ALL); assertEquals(YARN_EXAMPLE_COM, acls.get(0).getId().getId()); assertEquals(MAPRED_EXAMPLE_COM, acls.get(1).getId().getId()); }