/**
 * Reports whether every non-group superuser is granted {@code Perms.ALL} by the given ACL list.
 *
 * <p>Entries for which {@code AuthUtil.isGroupPrincipal} returns true are skipped. For each
 * remaining user, only the first ACL entry whose id string equals the user name is examined,
 * and its permission bits must be exactly {@code Perms.ALL}.
 *
 * <p>NOTE(review): entries are matched on the id string alone; the ACL scheme is not compared,
 * so an entry under a different scheme with the same id string would satisfy this check.
 * Confirm that callers only pass ACL lists from the expected scheme.
 *
 * @param superUsers configured superuser names, possibly including group principals
 * @param acls ACL entries read from the node being checked
 * @return {@code false} as soon as one non-group superuser has no matching entry or a matching
 *         entry with other permissions; {@code true} otherwise, including for an empty array
 */
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) {
  for (String superUser : superUsers) {
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (AuthUtil.isGroupPrincipal(superUser)) {
      continue;
    }
    boolean granted = false;
    for (ACL entry : acls) {
      if (!superUser.equals(entry.getId().getId())) {
        continue;
      }
      if (entry.getPerms() == Perms.ALL) {
        granted = true;
      } else if (LOG.isDebugEnabled()) {
        LOG.debug(String.format(
          "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x",
          entry.getId().getId(), entry.getPerms(), Perms.ALL));
      }
      // Only the first entry carrying this id decides the outcome for the user.
      break;
    }
    if (!granted) {
      return false;
    }
  }
  return true;
}
String name = id.getId();
authInfo.getId(), authInfo.getScheme()); return KeeperException.Code.OK;
if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) { return; if (authId.getScheme().equals(id.getScheme()) && ap.matches(new ServerAuthenticationProvider.ServerObjs(zks, cnxn), new ServerAuthenticationProvider.MatchValues(path, authId.getId(), id.getId(), perm, setAcls))) { return;
/**
 * Last of the ACL checks: creates {@code /testACLNode}, a node outside the /hbase hierarchy,
 * and verifies that its ACL list is exactly one entry with scheme {@code sasl}, id
 * {@code hbase} and {@code Perms.ALL}.
 *
 * <p>When {@code secureZKAvailable} is false the method returns without asserting anything,
 * so a pass in that case says nothing about the node's ACL.
 */
@Test
public void testOutsideHBaseNodeACL() throws Exception {
  if (secureZKAvailable) {
    ZKUtil.createWithParents(zkw, "/testACLNode");
    List<ACL> nodeAcls =
      zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/testACLNode", new Stat());
    // Exactly one entry is expected: no world or other grants alongside the owner.
    assertEquals(1, nodeAcls.size());
    ACL ownerAcl = nodeAcls.get(0);
    assertEquals("sasl", ownerAcl.getId().getScheme());
    assertEquals("hbase", ownerAcl.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, ownerAcl.getPerms());
  }
}
/**
 * Checks the ACL of the {@code /hbase} root znode.
 *
 * <p>With authentication enabled on ZooKeeper, every node should be created so that only the
 * hbase server user (master or region server user) that created it can access it, with all
 * permissions. The exceptions are /hbase/root-region-server, /hbase/master and /hbase/hbaseid,
 * which carry the same owner permissions but should also be world-readable. This test covers
 * the general case; the world-readable subset is checked by the three tests that follow it.
 *
 * <p>When {@code secureZKAvailable} is false the method returns without asserting anything,
 * so a pass in that case says nothing about the node's ACL.
 */
@Test
public void testHBaseRootZNodeACL() throws Exception {
  if (secureZKAvailable) {
    List<ACL> rootAcls =
      zkw.getRecoverableZooKeeper().getZooKeeper().getACL("/hbase", new Stat());
    // Exactly one entry is expected: the owner grant and nothing else.
    assertEquals(1, rootAcls.size());
    ACL ownerAcl = rootAcls.get(0);
    assertEquals("sasl", ownerAcl.getId().getScheme());
    assertEquals("hbase", ownerAcl.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, ownerAcl.getPerms());
  }
}
for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else { if (acls.get(i).getId().getScheme().equals("sasl") == true) { assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true;
for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; } else { if (acls.get(i).getId().getScheme().equals("sasl") == true) { assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true;
for(int i = 0; i < 2; i++) { if (acls.get(i).getId().getScheme().equals("world") == true) { assertEquals("anyone", acls.get(0).getId().getId()); assertEquals(ZooDefs.Perms.READ, acls.get(0).getPerms()); foundWorldReadableAcl = true; assertEquals("hbase", acls.get(1).getId().getId()); assertEquals("sasl", acls.get(1).getId().getScheme()); foundHBaseOwnerAcl = true;
&& actualId.getId().startsWith("accumulo:")) { initialized.set(true); return;
/**
 * Copies the id string, the id scheme and the permission bits out of a ZooKeeper ACL entry.
 *
 * @param acl the entry to read; a null entry or a null id fails with a NullPointerException
 */
ZooKeeperACLAdapter(ACL acl) {
  // Identity first (who), then the permission bits (what).
  this.id = acl.getId().getId();
  this.type = acl.getId().getScheme();
  this.permissions = acl.getPerms();
}
/**
 * Builds ACLs from two comma-separated principals with an empty second argument and checks
 * the id string of each resulting entry, in order.
 *
 * <p>Only the ids are asserted; the list size and the scheme and permissions of the built
 * entries are not checked here.
 */
@Test
public void testBuildAclsRealmed() throws Throwable {
  // presumably both principals already carry their realm — confirm against the constants
  String principals = SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM;
  List<ACL> built = registrySecurity.buildACLs(principals, "", ZooDefs.Perms.ALL);
  ACL yarnAcl = built.get(0);
  assertEquals(YARN_EXAMPLE_COM, yarnAcl.getId().getId());
  ACL mapredAcl = built.get(1);
  assertEquals(MAPRED_EXAMPLE_COM, mapredAcl.getId().getId());
}
/**
 * Reports whether any entry in {@code acls} matches the given scheme, id prefix and permissions.
 *
 * <p>The scheme must be equal, the permission bits must be exactly {@code perm}, and the entry's
 * id string only has to start with {@code id}. Because the id is a prefix match, a short
 * {@code id} also accepts longer ids that share that prefix (constructed example: "yarn"
 * matches "yarn-other"); pass the full expected id where an exact match is intended.
 *
 * @param id expected prefix of the entry's id string
 * @param scheme expected ACL scheme
 * @param perm expected permission bits, compared for equality
 * @param acls entries to search
 * @return {@code true} on the first entry satisfying all three conditions, else {@code false}
 */
private static boolean verifyZKACL(String id, String scheme, int perm, List<ACL> acls) {
  for (ACL candidate : acls) {
    if (!candidate.getId().getScheme().equals(scheme)) {
      continue;
    }
    if (!candidate.getId().getId().startsWith(id)) {
      continue;
    }
    if (candidate.getPerms() == perm) {
      return true;
    }
  }
  return false;
}
/**
 * Builds ACLs from two comma-separated principals, passing {@code REALM_EXAMPLE_COM} as the
 * second argument, and checks the id string of each resulting entry, in order.
 *
 * <p>Only the ids are asserted; the list size and the scheme and permissions of the built
 * entries are not checked here.
 */
@Test
public void testBuildAclsDefaultRealm() throws Throwable {
  // presumably short principals that get the supplied realm appended — confirm against buildACLs
  String principals = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
  List<ACL> built = registrySecurity.buildACLs(principals, REALM_EXAMPLE_COM, ZooDefs.Perms.ALL);
  ACL yarnAcl = built.get(0);
  assertEquals(YARN_EXAMPLE_COM, yarnAcl.getId().getId());
  ACL mapredAcl = built.get(1);
  assertEquals(MAPRED_EXAMPLE_COM, mapredAcl.getId().getId());
}
/**
 * Builds ACLs from two comma-separated principals with an empty second argument and checks
 * the id string of each resulting entry, in order.
 *
 * <p>Only the ids are asserted; the list size and the scheme and permissions of the built
 * entries are not checked here.
 */
@Test
public void testBuildAclsRealmed() throws Throwable {
  // presumably both principals already carry their realm — confirm against the constants
  String principals = SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM;
  List<ACL> built = registrySecurity.buildACLs(principals, "", ZooDefs.Perms.ALL);
  ACL yarnAcl = built.get(0);
  assertEquals(YARN_EXAMPLE_COM, yarnAcl.getId().getId());
  ACL mapredAcl = built.get(1);
  assertEquals(MAPRED_EXAMPLE_COM, mapredAcl.getId().getId());
}
/**
 * Builds ACLs from two comma-separated principals, passing {@code REALM_EXAMPLE_COM} as the
 * second argument, and checks the id string of each resulting entry, in order.
 *
 * <p>Only the ids are asserted; the list size and the scheme and permissions of the built
 * entries are not checked here.
 */
@Test
public void testBuildAclsDefaultRealm() throws Throwable {
  // presumably short principals that get the supplied realm appended — confirm against buildACLs
  String principals = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
  List<ACL> built = registrySecurity.buildACLs(principals, REALM_EXAMPLE_COM, ZooDefs.Perms.ALL);
  ACL yarnAcl = built.get(0);
  assertEquals(YARN_EXAMPLE_COM, yarnAcl.getId().getId());
  ACL mapredAcl = built.get(1);
  assertEquals(MAPRED_EXAMPLE_COM, mapredAcl.getId().getId());
}
/**
 * Reports whether any entry in {@code acls} matches the given scheme, id prefix and permissions.
 *
 * <p>The scheme must be equal, the permission bits must be exactly {@code perm}, and the entry's
 * id string only has to start with {@code id}. Because the id is a prefix match, a short
 * {@code id} also accepts longer ids that share that prefix (constructed example: "yarn"
 * matches "yarn-other"); pass the full expected id where an exact match is intended.
 *
 * @param id expected prefix of the entry's id string
 * @param scheme expected ACL scheme
 * @param perm expected permission bits, compared for equality
 * @param acls entries to search
 * @return {@code true} on the first entry satisfying all three conditions, else {@code false}
 */
private static boolean verifyZKACL(String id, String scheme, int perm, List<ACL> acls) {
  for (ACL candidate : acls) {
    if (!candidate.getId().getScheme().equals(scheme)) {
      continue;
    }
    if (!candidate.getId().getId().startsWith(id)) {
      continue;
    }
    if (candidate.getPerms() == perm) {
      return true;
    }
  }
  return false;
}