/**
 * Renders the permission bits of every ACL entry, each followed by the literal
 * separator {@code ::}, in list order. An empty list yields "" and so does a
 * {@code null} list.
 *
 * @param acls ACL entries to render; may be {@code null}
 * @return the concatenated permission values, or "" when there is nothing to render
 */
public String toString(List<ACL> acls) {
    if (acls == null) {
        return "";
    }
    StringBuilder rendered = new StringBuilder();
    for (ACL entry : acls) {
        rendered.append(entry.getPerms());
        rendered.append("::");
    }
    return rendered.toString();
}
/**
 * Checks that every (non-group) super user appears in {@code acls} with
 * {@code Perms.ALL}. A super user that has no entry at all, or whose first
 * matching entry carries anything other than {@code Perms.ALL}, fails the check.
 * Only the id string of each ACL is compared against the user name; the ACL
 * scheme is not inspected. NOTE(review): this means an entry under a different
 * scheme with the same id string also satisfies the check — confirm that is intended.
 *
 * @param superUsers configured super user principals; group principals are skipped
 * @param acls       the ACL entries currently set on the znode
 * @return {@code true} if all non-group super users hold full permissions
 */
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) {
    for (String user : superUsers) {
        // TODO: Validate super group members also when ZK supports setting node ACL for groups.
        if (AuthUtil.isGroupPrincipal(user)) {
            continue;
        }
        // Only the first entry whose id equals the user name is considered.
        ACL matching = null;
        for (ACL acl : acls) {
            if (user.equals(acl.getId().getId())) {
                matching = acl;
                break;
            }
        }
        if (matching == null) {
            return false;
        }
        if (matching.getPerms() != Perms.ALL) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format(
                    "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x",
                    matching.getId().getId(), matching.getPerms(), Perms.ALL));
            }
            return false;
        }
    }
    return true;
}
int perms = acl.getPerms(); Id id = acl.getId();
/**
 * Runs the getAcl command: fetches the ACL list (and Stat) of the znode named by
 * {@code args[1]} and prints one {@code id: perms} line per entry to {@code out}.
 * When the {@code s} option is present the node's Stat is printed afterwards.
 *
 * @return always {@code false}
 * @throws MalformedPathException if ZooKeeper rejects the path as malformed
 * @throws CliWrapperException    if the ZooKeeper call fails or the thread is interrupted
 */
@Override
public boolean exec() throws CliException {
    String znodePath = args[1];
    Stat nodeStat = new Stat();
    List<ACL> entries;
    try {
        entries = zk.getACL(znodePath, nodeStat);
    } catch (IllegalArgumentException malformed) {
        throw new MalformedPathException(malformed.getMessage());
    } catch (KeeperException | InterruptedException failure) {
        throw new CliWrapperException(failure);
    }
    for (ACL entry : entries) {
        String line = entry.getId() + ": " + getPermString(entry.getPerms());
        out.println(line);
    }
    boolean wantStat = cl.hasOption("s");
    if (wantStat) {
        new StatPrinter(out).print(nodeStat);
    }
    return false;
}
if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) {
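/**
 * Verifies the ACLs on the workers znode when Hadoop security is enabled and
 * re-applies our own ACLs via {@link #setUpAcls} if they are missing or too
 * permissive. An entry is acceptable when it grants nothing beyond READ, or when
 * it belongs to the current SASL user; any other entry triggers a reset.
 * Does nothing when security is disabled.
 *
 * @throws IllegalStateException if security is enabled but the principal user name
 *                               is unknown (this used to be an {@code assert}, which
 *                               the JVM disables by default and so never guarded
 *                               production runs)
 * @throws Exception propagated from the ZooKeeper client or {@link #setUpAcls}
 */
private void checkAndSetAcls() throws Exception {
    if (!UserGroupInformation.isSecurityEnabled()) return;
    // We are trying to check ACLs on the "workers" directory, which noone except us should be
    // able to write to. Higher-level directories shouldn't matter - we don't read them.
    String pathToCheck = workersPath;
    List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck);
    if (acls == null || acls.isEmpty()) {
        // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all.
        LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
        setUpAcls(pathToCheck);
        return;
    }
    // Enforce the precondition unconditionally rather than with an assert: comparing
    // entries against an Id built from a null user name would not be meaningful.
    if (userNameFromPrincipal == null) {
        throw new IllegalStateException(
            "Security is enabled but the principal user name is unknown; cannot validate ACLs on "
            + pathToCheck);
    }
    Id currentUser = new Id("sasl", userNameFromPrincipal);
    for (ACL acl : acls) {
        // Read permission/no permissions, or the expected user.
        if ((acl.getPerms() & ~ZooDefs.Perms.READ) == 0 || currentUser.equals(acl.getId())) {
            continue;
        }
        LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck + "; setting up ACLs. " + disableMessage);
        setUpAcls(pathToCheck);
        return;
    }
}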
} else if (ap.isAuthenticated()) { authIdValid = true; toAdd.add(new ACL(a.getPerms(), cid));
} else if (ap.isAuthenticated()) { authIdValid = true; rv.add(new ACL(a.getPerms(), cid));
for (ACL a : acl) { System.out.println(a.getId() + ": " + getPermString(a.getPerms()));
if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) {
/**
 * Finally, check the ACL of a node created outside the /hbase hierarchy: it
 * must carry exactly one entry, 'hbase' under the sasl scheme with Perms.ALL.
 * Skipped when a secure ZooKeeper is not available.
 */
@Test
public void testOutsideHBaseNodeACL() throws Exception {
    if (!secureZKAvailable) {
        return;
    }
    String nodePath = "/testACLNode";
    ZKUtil.createWithParents(zkw, nodePath);
    List<ACL> acls =
        zkw.getRecoverableZooKeeper().getZooKeeper().getACL(nodePath, new Stat());
    assertEquals(1, acls.size());
    ACL only = acls.get(0);
    assertEquals("sasl", only.getId().getScheme());
    assertEquals("hbase", only.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, only.getPerms());
}
/**
 * Create a node and check its ACL. When authentication is enabled on
 * ZooKeeper, all nodes (except /hbase/root-region-server, /hbase/master
 * and /hbase/hbaseid) should be created so that only the hbase server user
 * (master or region server user) that created them can access them, and
 * this user should have all permissions on this node. For
 * /hbase/root-region-server, /hbase/master, and /hbase/hbaseid the
 * permissions should be as above, but should also be world-readable.
 * This test covers the general case of /hbase itself: exactly one entry,
 * 'hbase' under the sasl scheme with Perms.ALL. The three tests that follow
 * cover the world-readable subset. Skipped when a secure ZooKeeper is not available.
 */
@Test
public void testHBaseRootZNodeACL() throws Exception {
    if (!secureZKAvailable) {
        return;
    }
    List<ACL> acls =
        zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/hbase", new Stat());
    assertEquals(1, acls.size());
    ACL only = acls.get(0);
    assertEquals("sasl", only.getId().getScheme());
    assertEquals("hbase", only.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, only.getPerms());
}
if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else {
if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else {
if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true;
int perms = acl.getPerms(); Id id = acl.getId();
/**
 * Wraps a ZooKeeper {@code ACL}, copying its scheme, id and permission bits
 * into the adapter's fields.
 *
 * @param acl the ACL entry to adapt
 */
ZooKeeperACLAdapter(ACL acl) {
    this.type = acl.getId().getScheme();
    this.id = acl.getId().getId();
    this.permissions = acl.getPerms();
}
/**
 * Returns whether {@code acls} contains an entry with the given scheme, an id
 * that starts with {@code id}, and exactly the permission bits {@code perm}.
 * NOTE(review): the id is matched by prefix, not equality, so any id sharing
 * that prefix satisfies the check — presumably to tolerate a host/realm suffix
 * on the principal; confirm that is what callers expect.
 *
 * @param id     required id prefix
 * @param scheme required ACL scheme (e.g. {@code "sasl"})
 * @param perm   required permission bits, compared for exact equality
 * @param acls   entries to search
 * @return {@code true} if some entry satisfies all three conditions
 */
private static boolean verifyZKACL(String id, String scheme, int perm, List<ACL> acls) {
    for (ACL entry : acls) {
        if (!entry.getId().getScheme().equals(scheme)) {
            continue;
        }
        if (!entry.getId().getId().startsWith(id)) {
            continue;
        }
        if (entry.getPerms() == perm) {
            return true;
        }
    }
    return false;
}
/**
 * Returns whether {@code acls} contains an entry with the given scheme, an id
 * that starts with {@code id}, and exactly the permission bits {@code perm}.
 * NOTE(review): the id is matched by prefix, not equality, so any id sharing
 * that prefix satisfies the check — presumably to tolerate a host/realm suffix
 * on the principal; confirm that is what callers expect.
 *
 * @param id     required id prefix
 * @param scheme required ACL scheme (e.g. {@code "sasl"})
 * @param perm   required permission bits, compared for exact equality
 * @param acls   entries to search
 * @return {@code true} if some entry satisfies all three conditions
 */
private static boolean verifyZKACL(String id, String scheme, int perm, List<ACL> acls) {
    for (ACL entry : acls) {
        if (!entry.getId().getScheme().equals(scheme)) {
            continue;
        }
        if (!entry.getId().getId().startsWith(id)) {
            continue;
        }
        if (entry.getPerms() == perm) {
            return true;
        }
    }
    return false;
}