if (authId.getScheme().equals("super")) { return; Id id = a.getId(); if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) { return; .getScheme()); if (ap != null) { for (Id authId : ids) { if (authId.getScheme().equals(id.getScheme()) && ap.matches(new ServerAuthenticationProvider.ServerObjs(zks, cnxn), new ServerAuthenticationProvider.MatchValues(path, authId.getId(), id.getId(), perm, setAcls))) { return;
/**
 * Checks the ACLs on the workers path and re-applies the expected ACLs through
 * {@code setUpAcls} when an entry grants more than READ to anyone but the current SASL user.
 *
 * <p>Returns immediately when Hadoop security is not enabled.
 *
 * @throws Exception declared by the method; thrown by the ACL lookup or by {@code setUpAcls}
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  // Only the "workers" directory is checked: no one except us should be able to write to it.
  // Higher-level directories shouldn't matter - we don't read them.
  String pathToCheck = workersPath;
  List<ACL> existing = zooKeeperClient.getACL().forPath(pathToCheck);
  if (existing == null || existing.isEmpty()) {
    // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }
  // This could be brittle.
  // NOTE(review): a Java assert only runs when assertions are enabled (-ea); without it a null
  // user name reaches the Id below unchecked.
  assert userNameFromPrincipal != null;
  Id currentUser = new Id("sasl", userNameFromPrincipal);
  for (ACL entry : existing) {
    if ((entry.getPerms() & ~ZooDefs.Perms.READ) == 0) {
      continue; // Read permission or no permissions at all.
    }
    if (currentUser.equals(entry.getId())) {
      continue; // The expected user.
    }
    // First entry that grants more than READ to someone else: reset the ACLs and stop.
    LOG.warn("The ACL " + entry + " is unnacceptable for " + pathToCheck
        + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }
}
/**
 * Parses a comma-separated list of {@code scheme:id:perm} entries into ACL objects.
 *
 * <p>The scheme ends at the first colon and the permission string starts after the last
 * colon, so the id part may itself contain colons. An entry without two distinct colons is
 * reported on stderr and skipped, which means the returned list can be shorter than the
 * input (or empty); callers that rely on the result for access control should check it.
 *
 * @param aclString comma-separated ACL entries
 * @return the ACLs parsed from the well-formed entries, in input order
 */
public static List<ACL> parse(String aclString) {
  List<ACL> parsed = new ArrayList<ACL>();
  for (String entry : aclString.split(",")) {
    int schemeEnd = entry.indexOf(':');
    int permStart = entry.lastIndexOf(':');
    boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
    if (!wellFormed) {
      System.err.println(entry + " does not have the form scheme:id:perm");
      continue;
    }
    String scheme = entry.substring(0, schemeEnd);
    String idValue = entry.substring(schemeEnd + 1, permStart);
    ACL parsedAcl = new ACL();
    parsedAcl.setId(new Id(scheme, idValue));
    parsedAcl.setPerms(getPermFromString(entry.substring(permStart + 1)));
    parsed.add(parsedAcl);
  }
  return parsed;
}
/**
 * Creates the server-side connection object for an accepted socket.
 *
 * <p>Stores the channel, selection key, factory and selector thread, creates a SASL server
 * when the factory has a login, configures the socket, and registers the peer address as an
 * {@code ip}-scheme auth identity.
 *
 * @param zk the server this connection belongs to
 * @param sock the accepted channel
 * @param sk the selection key registered for {@code sock}
 * @param factory the factory that accepted the connection
 * @param selectorThread the selector thread handling this connection
 * @throws IOException if configuring the socket fails
 */
public NIOServerCnxn(ZooKeeperServer zk, SocketChannel sock, SelectionKey sk,
    NIOServerCnxnFactory factory, SelectorThread selectorThread) throws IOException {
  super(zk);
  this.sock = sock;
  this.sk = sk;
  this.factory = factory;
  this.selectorThread = selectorThread;
  if (factory.login != null) {
    this.zooKeeperSaslServer = new ZooKeeperSaslServer(factory.login);
  }

  sock.socket().setTcpNoDelay(true);
  // Linger is switched off so that closing the socket does not block.
  sock.socket().setSoLinger(false, -1);

  // The "ip" identity is whatever address the TCP peer presents, so ACLs that use the ip
  // scheme are only as trustworthy as the network path in front of this server.
  InetSocketAddress remote = (InetSocketAddress) sock.socket().getRemoteSocketAddress();
  String peerIp = remote.getAddress().getHostAddress();
  addAuthInfo(new Id("ip", peerIp));

  this.sessionTimeout = factory.sessionlessCnxnTimeout;
}
for (int j = 100; j < 200; j++) { path = "/" + j; ACL acl = new ACL(); acl.setPerms(0); Id id = new Id(); id.setId("1.1.1."+j); id.setScheme("ip"); acl.setId(id); List<ACL> list = new ArrayList<ACL>(); list.add(acl); ACL acl = new ACL(); acl.setPerms(0); Id id = new Id(); id.setId("1.1.1."+j); id.setScheme("ip"); acl.setId(id); ArrayList<ACL> list = new ArrayList<ACL>();
/**
 * Checks that every non-group superuser has an ACL entry granting {@code Perms.ALL}.
 *
 * <p>For each user, only the first ACL entry whose id string equals the user name is
 * examined. Group principals are skipped entirely.
 *
 * @param superUsers configured superuser names (group principals are ignored)
 * @param acls the ACL entries to check
 * @return {@code false} as soon as a non-group superuser has no matching entry or a matching
 *         entry with other permissions; {@code true} otherwise
 */
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) {
  for (String user : superUsers) {
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (AuthUtil.isGroupPrincipal(user)) {
      continue;
    }
    boolean hasAccess = false;
    for (ACL acl : acls) {
      // NOTE(review): only the id string is compared; the entry's scheme is not checked here.
      if (!user.equals(acl.getId().getId())) {
        continue;
      }
      if (acl.getPerms() == Perms.ALL) {
        hasAccess = true;
      } else if (LOG.isDebugEnabled()) {
        LOG.debug(String.format(
            "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x",
            acl.getId().getId(), acl.getPerms(), Perms.ALL));
      }
      // The first matching entry decides; later entries for the same id are not consulted.
      break;
    }
    if (!hasAccess) {
      return false;
    }
  }
  return true;
}
/**
 * Sorts the given ACL entries into per-scheme slots.
 *
 * <p>{@code world} and {@code auth} each keep a single entry (a later one replaces an earlier
 * one); {@code digest} entries are keyed by the part of the id before the first colon;
 * {@code host} and {@code ip} entries are keyed by the full id.
 *
 * @param acls the ACL entries to sort
 * @throws IllegalArgumentException if an entry uses any other scheme
 */
public AclBuilder(List<ACL> acls) {
  for (ACL acl : acls) {
    String scheme = acl.getId().getScheme();
    if (scheme.equals("world")) {
      world = acl;
    } else if (scheme.equals("auth")) {
      auth = acl;
    } else if (scheme.equals("digest")) {
      // A digest id has the form "username:hash"; only the user name is used as the key.
      String[] userAndHash = acl.getId().getId().split(":", 2);
      getDigests().put(userAndHash[0], acl);
    } else if (scheme.equals("host")) {
      getHosts().put(acl.getId().getId(), acl);
    } else if (scheme.equals("ip")) {
      getIps().put(acl.getId().getId(), acl);
    } else {
      // Reject unknown schemes instead of silently dropping an access-control entry.
      throw new IllegalArgumentException("Unsupported scheme " + scheme);
    }
  }
}
/**
 * One-time startup pass that applies {@code saslACL} to the namespace znode and its children
 * when security is enabled and the namespace does not already look SASL-protected.
 *
 * <p>If znodes were created earlier without security, this walks the existing znodes and
 * sets their ACLs. The {@code aclUnChecked} flag is cleared once the pass completes without
 * an exception, so it runs at most once per successful check.
 *
 * @throws Exception declared by the method; thrown by the ZooKeeper client calls
 */
private void checkAndSetACLs() throws Exception {
  if (!(zkSecure && aclUnChecked)) {
    return;
  }
  // We can't get the namespace znode through curator; have to go through zk client
  String namespacePath = "/" + curatorFramework.getNamespace();
  boolean namespaceExists =
      curatorFramework.getZookeeperClient().getZooKeeper().exists(namespacePath, null) != null;
  if (namespaceExists) {
    List<ACL> current =
        curatorFramework.getZookeeperClient().getZooKeeper().getACL(namespacePath, new Stat());
    // NOTE(review): only the first entry's scheme is inspected; a list whose first entry is
    // "sasl" is accepted as-is whatever the remaining entries grant.
    boolean saslFirst =
        !current.isEmpty() && current.get(0).getId().getScheme().equals("sasl");
    if (!saslFirst) {
      LOGGER.info("'sasl' ACLs not set; setting...");
      List<String> children =
          curatorFramework.getZookeeperClient().getZooKeeper().getChildren(namespacePath, null);
      for (String child : children) {
        this.checkAndSetACLs("/" + child);
      }
      // Version -1 is passed to setACL for the namespace znode itself, after its children.
      curatorFramework.getZookeeperClient().getZooKeeper().setACL(namespacePath, saslACL, -1);
    }
  }
  aclUnChecked = false;
}
/**
 * Builds ACLs from two realm-qualified SASL principals and checks that the resulting ids
 * are the expected principals, in input order.
 */
@Test
public void testBuildAclsRealmed() throws Throwable {
  String principals = SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM;
  List<ACL> acls = registrySecurity.buildACLs(principals, "", ZooDefs.Perms.ALL);

  String firstId = acls.get(0).getId().getId();
  assertEquals(YARN_EXAMPLE_COM, firstId);

  String secondId = acls.get(1).getId().getId();
  assertEquals(MAPRED_EXAMPLE_COM, secondId);
}
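/**
 * Convert an ID to a string, stripping out all but the first few characters
 * of any digest auth hash for security reasons.
 *
 * <p>For a digest id of the form {@code user:hash} the result keeps the user name, the colon
 * and at most the first two characters of the hash. The previous implementation used
 * {@code substring(colon + 3)}, which did the opposite of what is documented: it dropped the
 * user name and only the first two hash characters, returning the rest of the hash, and it
 * threw {@code StringIndexOutOfBoundsException} when fewer than two characters followed the
 * colon.
 *
 * <p>A digest id with no colon, or with the colon in first position, is returned unchanged
 * after the scheme prefix, as before.
 *
 * @param id ID
 * @return a string description of a Zookeeper ID
 */
public static String idToString(Id id) {
  if (!id.getScheme().equals(SCHEME_DIGEST)) {
    return id.toString();
  }
  String ids = id.getId();
  int colon = ids.indexOf(':');
  if (colon > 0) {
    // Keep "user:" plus up to two hash characters; clamp so a short hash cannot overrun.
    int keep = Math.min(ids.length(), colon + 3);
    ids = ids.substring(0, keep);
  }
  return SCHEME_DIGEST + ": " + ids;
}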
/**
 * Verifies that every ACL entry on {@code path} belongs to {@code user}.
 *
 * <p>The check is strict: an entry for any other id fails it whatever permissions that entry
 * carries, and an empty or missing ACL list is treated as open access.
 *
 * @param zkClient client used to read the ACLs
 * @param user the only id allowed to appear in the ACL list
 * @param path znode path to check
 * @throws RuntimeException if the ACLs cannot be read
 * @throws SecurityException if there are no ACLs or an entry names a different id
 */
private static void checkAcls(CuratorFramework zkClient, Id user, String path) {
  final List<ACL> found;
  try {
    found = zkClient.getACL().forPath(path);
  } catch (Exception ex) {
    throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, ex);
  }
  boolean noAcls = found == null || found.isEmpty();
  if (noAcls) {
    // There's some access (to get ACLs), so assume it means free for all.
    throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE);
  }
  for (ACL entry : found) {
    if (user.equals(entry.getId())) {
      continue;
    }
    throw new SecurityException("The ACL " + entry + " is unnacceptable for " + path
        + "; only " + user + " is allowed. " + DISABLE_MESSAGE);
  }
}
/**
 * Authenticates a connection that presents the super certificate and checks that the call
 * succeeds and that the first auth identity on the connection uses the {@code super} scheme.
 */
@Test
public void testSuperAuth() {
  X509AuthenticationProvider provider = createProvider(superCert);
  MockServerCnxn cnxn = new MockServerCnxn();
  cnxn.clientChain = new X509Certificate[] { superCert };

  // The auth data argument is null here; the test supplies the certificate via clientChain.
  KeeperException.Code result = provider.handleAuthentication(cnxn, null);
  Assert.assertEquals(KeeperException.Code.OK, result);

  String firstScheme = cnxn.getAuthInfo().get(0).getScheme();
  Assert.assertEquals("super", firstScheme);
}
/**
 * Compares this ACL with another object.
 *
 * <p>Two ACLs are equal when their {@code perms} values are the same and their ids are equal.
 *
 * @param peer_ the object to compare with
 * @return {@code true} if {@code peer_} is an ACL with the same perms and an equal id
 */
public boolean equals(Object peer_) {
  // Anything that is not an ACL, including null, is never equal.
  if (!(peer_ instanceof ACL)) {
    return false;
  }
  if (peer_ == this) {
    return true;
  }
  ACL peer = (ACL) peer_;
  boolean ret = false;
  ret = (perms==peer.perms);
  if (!ret) return ret;
  // NOTE(review): equals is invoked on this.id directly, so a null id would throw here;
  // confirm id is always set before ACLs are compared.
  ret = id.equals(peer.id);
  if (!ret) return ret;
  return ret;
}
public int hashCode() {
/**
 * Parses a comma-separated list of {@code scheme:id:perm} entries into ACL objects.
 *
 * <p>The scheme is the text before the first colon and the permission string is the text
 * after the last colon; everything between is the id. An entry without two distinct colons
 * is reported on stderr and skipped, so the result can hold fewer ACLs than the input has
 * entries. Callers that use the result for access control should check it.
 *
 * @param aclString comma-separated ACL entries
 * @return the ACLs built from the well-formed entries, in input order
 */
private static List<ACL> parseACLs(String aclString) {
  List<ACL> result = new ArrayList<ACL>();
  String[] entries = aclString.split(",");
  for (int i = 0; i < entries.length; i++) {
    String entry = entries[i];
    int first = entry.indexOf(':');
    int last = entry.lastIndexOf(':');
    if (first == -1 || last == -1 || first == last) {
      System.err.println(entry + " does not have the form scheme:id:perm");
    } else {
      ACL built = new ACL();
      built.setId(new Id(entry.substring(0, first), entry.substring(first + 1, last)));
      built.setPerms(getPermFromString(entry.substring(last + 1)));
      result.add(built);
    }
  }
  return result;
}
}
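/**
 * Turns the credential bytes sent by a client into auth identities on the connection.
 *
 * <p>The payload is decoded to a string and passed to {@code generateDigest}. The resulting
 * digest is always added as an identity under this provider's scheme, and a {@code super}
 * identity is added as well when the digest equals {@code superDigest}. Any non-null payload
 * therefore returns {@code OK}; the call does not itself reject credentials.
 *
 * <p>A null payload now returns {@code AUTHFAILED} instead of raising a
 * {@code NullPointerException} from the string conversion.
 *
 * @param cnxn the connection being authenticated
 * @param authData credential bytes supplied by the client; may be null
 * @return {@code OK} when identities were added, {@code AUTHFAILED} when the payload is
 *         missing or the digest algorithm is unavailable
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
  // Client-supplied input: a missing payload is an authentication failure, not a server error.
  if (authData == null) {
    return KeeperException.Code.AUTHFAILED;
  }
  // NOTE(review): new String(byte[]) decodes with the platform default charset; confirm this
  // matches the encoding generateDigest assumes before pinning a charset here.
  String id = new String(authData);
  try {
    String digest = generateDigest(id);
    // NOTE(review): String.equals is not a constant-time comparison; consider
    // MessageDigest.isEqual on the encoded bytes for the superuser check.
    if (digest.equals(superDigest)) {
      cnxn.addAuthInfo(new Id("super", ""));
    }
    cnxn.addAuthInfo(new Id(getScheme(), digest));
    return KeeperException.Code.OK;
  } catch (NoSuchAlgorithmException e) {
    LOG.error("Missing algorithm", e);
  }
  return KeeperException.Code.AUTHFAILED;
}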
/**
 * Checks that every superuser that is not a group (name not starting with {@code "@"}) has
 * an ACL entry granting {@code Perms.ALL}.
 *
 * <p>For each user, only the first ACL entry whose id string equals the user name is
 * examined.
 *
 * @param superUsers configured superuser names; names starting with {@code "@"} are skipped
 * @param acls the ACL entries to check
 * @return {@code false} as soon as a checked superuser has no matching entry or a matching
 *         entry with other permissions; {@code true} otherwise
 */
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) {
  for (String user : superUsers) {
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (user.startsWith("@")) {
      continue;
    }
    boolean granted = false;
    for (ACL acl : acls) {
      // NOTE(review): only the id string is compared; the entry's scheme is not checked here.
      boolean sameId = user.equals(acl.getId().getId());
      if (!sameId) {
        continue;
      }
      if (acl.getPerms() == Perms.ALL) {
        granted = true;
      } else if (LOG.isDebugEnabled()) {
        LOG.debug(String.format(
            "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x",
            acl.getId().getId(), acl.getPerms(), Perms.ALL));
      }
      // The first matching entry decides; later entries for the same id are not consulted.
      break;
    }
    if (!granted) {
      return false;
    }
  }
  return true;
}