/**
 * Creates a provider whose ACL grants every permission to exactly one SASL principal.
 *
 * @param principal the authenticated SASL identity that owns the nodes
 */
private SASLOwnerACLProvider(String principal) {
    // The "sasl" scheme matches the principal string verbatim, so the id is the principal itself.
    Id owner = new Id("sasl", principal);
    ACL ownerAllPerms = new ACL(Perms.ALL, owner);
    this.saslACL = Collections.singletonList(ownerAllPerms);
}
/**
 * Builds the ACL a worker applies to the ZooKeeper nodes it creates.
 *
 * <p>Workaround for a ZooKeeper behaviour where the configured SASL super user is not
 * treated as super unless the node carries an open SASL ACL: the super user from
 * {@code STORM_ZOOKEEPER_SUPERACL} is added explicitly next to CREATOR_ALL_ACL.
 *
 * @param conf topology configuration; only STORM_ZOOKEEPER_SUPERACL is consulted here
 * @return {@code null} when ZooKeeper authentication is not configured for the topology,
 *         otherwise a mutable list holding CREATOR_ALL_ACL plus an ALL entry for the super user
 * @throws IllegalArgumentException if authentication is enabled but the super ACL is unset
 *         or not of the form {@code scheme:id}
 */
public static List<ACL> getWorkerACL(Map conf) {
    if (!isZkAuthenticationConfiguredTopology(conf)) {
        return null;
    }
    String superAcl = (String) conf.get(Config.STORM_ZOOKEEPER_SUPERACL);
    if (superAcl == null) {
        throw new IllegalArgumentException("Authentication is enabled but " + Config.STORM_ZOOKEEPER_SUPERACL + " is not set");
    }
    // Limit 2: only the first ':' separates scheme from id, any later ':' stays in the id.
    String[] schemeAndId = superAcl.split(":", 2);
    if (schemeAndId.length != 2) {
        throw new IllegalArgumentException(Config.STORM_ZOOKEEPER_SUPERACL + " does not appear to be in the form scheme:acl, i.e. sasl:storm-user");
    }
    Id superUser = new Id(schemeAndId[0], schemeAndId[1]);
    List<ACL> workerAcl = new ArrayList<>(ZooDefs.Ids.CREATOR_ALL_ACL);
    workerAcl.add(new ACL(ZooDefs.Perms.ALL, superUser));
    return workerAcl;
}
/**
 * Wraps an accepted client socket as a server-side connection.
 *
 * <p>Besides wiring the socket, selector key and factory, this seeds the connection's
 * auth info with an "ip" identity taken from the TCP peer address, so ACLs of scheme
 * "ip" are evaluated against the address the server actually sees on the socket.
 *
 * @param zk             the server this connection belongs to
 * @param sock           the connected client channel
 * @param sk             the selection key registered for {@code sock}
 * @param factory        owning factory; supplies the login context and timeouts
 * @param selectorThread the selector thread servicing this connection
 * @throws IOException if the socket options cannot be applied
 */
public NIOServerCnxn(ZooKeeperServer zk, SocketChannel sock, SelectionKey sk, NIOServerCnxnFactory factory, SelectorThread selectorThread) throws IOException {
    super(zk);
    this.sock = sock;
    this.sk = sk;
    this.factory = factory;
    this.selectorThread = selectorThread;
    // A configured server login means SASL is enabled; give this connection its own SASL server.
    if (factory.login != null) {
        this.zooKeeperSaslServer = new ZooKeeperSaslServer(factory.login);
    }
    sock.socket().setTcpNoDelay(true);
    // Linger off: close() returns immediately instead of blocking on unsent data.
    sock.socket().setSoLinger(false, -1);
    InetSocketAddress peer = (InetSocketAddress) sock.socket().getRemoteSocketAddress();
    InetAddress peerAddress = peer.getAddress();
    addAuthInfo(new Id("ip", peerAddress.getHostAddress()));
    this.sessionTimeout = factory.sessionlessCnxnTimeout;
}
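/**
 * Authenticates a client under the digest scheme.
 *
 * <p>{@code authData} is the client-supplied {@code user:password} bytes. The digest of that
 * string becomes the connection's identity; if it equals the configured super digest the
 * connection additionally receives the "super" identity. The super-digest comparison is done
 * in constant time so that an attacker probing passwords cannot learn anything from timing.
 *
 * @param cnxn     the connection being authenticated; receives the auth info on success
 * @param authData raw {@code user:password} bytes from the client
 * @return {@code OK} on success, {@code AUTHFAILED} if the digest algorithm is unavailable
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    // Decoded with the platform charset on purpose: generateDigest() re-encodes the same way,
    // so changing only this side would break digests for non-ASCII credentials.
    String id = new String(authData);
    try {
        String digest = generateDigest(id);
        if (matchesSuperDigest(digest)) {
            cnxn.addAuthInfo(new Id("super", ""));
        }
        cnxn.addAuthInfo(new Id(getScheme(), digest));
        return KeeperException.Code.OK;
    } catch (NoSuchAlgorithmException e) {
        LOG.error("Missing algorithm", e);
    }
    return KeeperException.Code.AUTHFAILED;
}

/**
 * Compares a computed digest against the configured super digest without short-circuiting
 * on the first differing byte.
 *
 * @param digest the digest computed for the client's credentials
 * @return {@code true} only when a super digest is configured and matches exactly
 */
private boolean matchesSuperDigest(String digest) {
    if (superDigest == null) {
        return false;
    }
    byte[] candidate = digest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] expected = superDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(candidate, expected);
}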
/**
 * Records the peer's IP address as this connection's identity for the "ip" scheme.
 *
 * <p>{@code authData} is ignored: the identity is taken from the socket, not from the
 * client payload, so a client cannot choose it. This never fails.
 *
 * @param cnxn     the connection being authenticated
 * @param authData unused
 * @return always {@code KeeperException.Code.OK}
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    String peerIp = cnxn.getRemoteSocketAddress().getAddress().getHostAddress();
    Id identity = new Id(getScheme(), peerIp);
    cnxn.addAuthInfo(identity);
    return KeeperException.Code.OK;
}
/**
 * Builds a one-entry ACL granting ADMIN to {@code id} under the literal scheme name "scheme".
 *
 * @param id the identity to grant ADMIN to
 * @return a mutable list holding that single entry
 */
private List<ACL> createACL(String id) {
    ACL adminEntry = new ACL(ZooDefs.Perms.ADMIN, new Id("scheme", id));
    List<ACL> result = new ArrayList<ACL>(1);
    result.add(adminEntry);
    return result;
}
}
/**
 * Reports whether {@code id} is one of the configured super users under the SASL scheme.
 *
 * <p>Entries that {@code AuthUtil.isGroupPrincipal} classifies as groups are skipped, so
 * membership in a super group does not grant super status through this check.
 *
 * @param superUsers configured super user entries (users and group principals)
 * @param id         the identity to test
 * @return {@code true} if some non-group entry equals {@code id} as a "sasl" Id
 */
public static boolean isSuperUserId(String[] superUsers, Id id) {
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    for (int i = 0; i < superUsers.length; i++) {
        String entry = superUsers[i];
        if (AuthUtil.isGroupPrincipal(entry)) {
            continue;
        }
        Id candidate = new Id("sasl", entry);
        if (candidate.equals(id)) {
            return true;
        }
    }
    return false;
}
/**
 * Records the peer's IP address as this connection's identity for the "ip" scheme.
 *
 * <p>{@code authData} is ignored: the identity is taken from the socket, not from the
 * client payload, so a client cannot choose it. This never fails.
 *
 * @param cnxn     the connection being authenticated
 * @param authData unused
 * @return always {@code KeeperException.Code.OK}
 */
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
    String peerIp = cnxn.getRemoteSocketAddress().getAddress().getHostAddress();
    Id identity = new Id(getScheme(), peerIp);
    cnxn.addAuthInfo(identity);
    return KeeperException.Code.OK;
}
/** Two ACL lists with the same entries in a different order must not share a cache id. */
@Test
public void testWhetherOrderingMatters() {
    ReferenceCountedACLCache cache = new ReferenceCountedACLCache();

    List<ACL> readThenWrite = new ArrayList<ACL>();
    readThenWrite.add(new ACL(ZooDefs.Perms.READ, new Id("scheme", "ro")));
    readThenWrite.add(new ACL(ZooDefs.Perms.WRITE, new Id("scheme", "rw")));
    Long firstId = cache.convertAcls(readThenWrite);

    List<ACL> writeThenRead = new ArrayList<ACL>();
    writeThenRead.add(new ACL(ZooDefs.Perms.WRITE, new Id("scheme", "rw")));
    writeThenRead.add(new ACL(ZooDefs.Perms.READ, new Id("scheme", "ro")));
    Long secondId = cache.convertAcls(writeThenRead);

    // Order is significant for the cache key, so the ids must differ.
    assertFalse(firstId.equals(secondId));
}
/**
 * Reads this ACL record from the archive: an int "perms" bitmask followed by a nested Id.
 * The read order is fixed by the archive format and presumably mirrors serialize() — verify there.
 *
 * @param a_  archive to read from
 * @param tag record tag bracketing the read
 * @throws java.io.IOException if the archive cannot be read
 */
public void deserialize(InputArchive a_, String tag) throws java.io.IOException {
    a_.startRecord(tag);
    perms=a_.readInt("perms");
    // A fresh Id is allocated every time; any previously held id is replaced, not reused.
    id= new org.apache.zookeeper.data.Id();
    a_.readRecord(id,"id");
    a_.endRecord(tag);
}
public String toString() {
/** Well-formed SASL ids (plain user, service/host, with and without a realm) are accepted in an ACL. */
@Test
public void testValidSaslIds() throws Exception {
    ZooKeeper zk = createClient();
    List<String> validIds = new ArrayList<String>();
    validIds.add("user");
    validIds.add("service/host.name.com");
    validIds.add("user@KERB.REALM");
    validIds.add("service/host.name.com@KERB.REALM");
    for (int i = 0; i < validIds.size(); i++) {
        // Perms 0: only the id's acceptance is under test, not the permissions.
        ACL entry = new ACL(0, new Id("sasl", validIds.get(i)));
        List<ACL> aclList = new ArrayList<ACL>();
        aclList.add(entry);
        zk.create("/valid" + i, null, aclList, CreateMode.PERSISTENT);
    }
}
/**
 * Users listed in SUPERUSER_CONF_KEY get explicit ALL entries, while group entries
 * (the '@'-prefixed ones) are not turned into node ACL entries.
 */
@Test
public void testCreateACL() throws ZooKeeperConnectionException, IOException {
    Configuration conf = HBaseConfiguration.create();
    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1,@group1,user2,@group2,user3");
    String node = "/hbase/testCreateACL";
    ZKWatcher watcher = new ZKWatcher(conf, node, null, false);
    List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
    // Three user entries plus the creator entry that createACL adds by default.
    assertEquals(4, aclList.size());
    for (String group : new String[] {"@group1", "@group2"}) {
        assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", group))));
    }
    for (String user : new String[] {"user1", "user2", "user3"}) {
        assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", user))));
    }
}
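/**
 * Installs the SASL auth provider, writes a JAAS config for the test and points the JVM at it.
 *
 * <p>The JAAS file defines one DigestLoginModule user ("super_duper"/"test") for both the
 * Server and Client sections and that user is also registered as zookeeper.superUser. The
 * credentials are test fixtures only. Previous values of the system properties are kept in
 * the old* fields so they can be restored later.
 *
 * @throws Exception if the temp dir or JAAS file cannot be created
 */
@BeforeClass
public static void setupStatic() throws Exception {
    oldAuthProvider = System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
    File tmpDir = createTmpDir();
    File saslConfFile = new File(tmpDir, "jaas.conf");
    String jaasConfig = ""
            + "Server {\n"
            + " org.apache.zookeeper.server.auth.DigestLoginModule required\n"
            + " user_super_duper=\"test\";\n"
            + "};\n"
            + "Client {\n"
            + " org.apache.zookeeper.server.auth.DigestLoginModule required\n"
            + " username=\"super_duper\"\n"
            + " password=\"test\";\n"
            + "};"
            + "\n";
    // try-with-resources: the writer is closed (and the file flushed) even if write() throws,
    // so a failed setup does not leak the handle or leave a half-written config behind.
    try (FileWriter fwriter = new FileWriter(saslConfFile)) {
        fwriter.write(jaasConfig);
    }
    oldLoginConfig = System.setProperty("java.security.auth.login.config", saslConfFile.getAbsolutePath());
    oldSuperUser = System.setProperty("zookeeper.superUser", "super_duper");
    otherDigestUser = new Id("digest", DigestAuthenticationProvider.generateDigest("jack:jack"));
}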
/**
 * Malformed SASL ids (a '/' after the realm, two realms) must be rejected by the server
 * with InvalidACLException when used in an ACL on create.
 */
@Test
public void testInvalidSaslIds() throws Exception {
    ZooKeeper zk = createClient();
    List<String> invalidIds = new ArrayList<String>();
    invalidIds.add("user@KERB.REALM/server.com");
    invalidIds.add("user@KERB.REALM1@KERB.REALM2");
    for (int i = 0; i < invalidIds.size(); i++) {
        List<ACL> aclList = new ArrayList<ACL>();
        try {
            // Constructing the Id does not validate it; the rejection happens on create().
            aclList.add(new ACL(0, new Id("sasl", invalidIds.get(i))));
            zk.create("/invalid" + i, null, aclList, CreateMode.PERSISTENT);
            Assert.fail("SASLAuthenticationProvider.isValid() failed to catch invalid Id.");
        } catch (KeeperException.InvalidACLException expected) {
            // The server rejected the id, which is the behaviour under test.
        }
    }
}
/**
 * When the login user is itself one of the superusers, it is represented once by the
 * creator ("auth") entry rather than getting a second explicit "sasl" entry.
 */
@Test
public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
    Configuration conf = HBaseConfiguration.create();
    conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
    String node = "/hbase/testCreateACL";
    ZKWatcher watcher = new ZKWatcher(conf, node, null, false);
    List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
    // Three entries: the service user equals superuser user4, so it is not duplicated.
    assertEquals(3, aclList.size());
    assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
    assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
    for (String user : new String[] {"user5", "user6"}) {
        assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", user))));
    }
}
/**
 * Reads this ACL record from the archive: an int "perms" bitmask followed by a nested Id.
 * The read order is fixed by the archive format and presumably mirrors serialize() — verify there.
 *
 * @param a_  archive to read from
 * @param tag record tag bracketing the read
 * @throws java.io.IOException if the archive cannot be read
 */
public void deserialize(InputArchive a_, String tag) throws java.io.IOException {
    a_.startRecord(tag);
    perms=a_.readInt("perms");
    // A fresh Id is allocated every time; any previously held id is replaced, not reused.
    id= new org.apache.zookeeper.data.Id();
    a_.readRecord(id,"id");
    a_.endRecord(tag);
}
public String toString() {
/** A single configured superuser yields exactly that user's ALL entry plus the creator entry. */
@Test
public void testSecuritySingleSuperuser() throws ZooKeeperConnectionException, IOException {
    Configuration conf = HBaseConfiguration.create();
    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
    String node = "/hbase/testSecuritySingleSuperuser";
    ZKWatcher watcher = new ZKWatcher(conf, node, null, false);
    List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
    // One superuser entry plus the creator entry added by default.
    assertEquals(2, aclList.size());
    ACL superUserEntry = new ACL(Perms.ALL, new Id("sasl", "user1"));
    ACL creatorEntry = Ids.CREATOR_ALL_ACL.iterator().next();
    assertTrue(aclList.contains(superUserEntry));
    assertTrue(aclList.contains(creatorEntry));
}
/**
 * Reads this record from the archive in fixed field order: int "type", long "zxid",
 * buffer "data", then an optional vector "authinfo" of Id records. The order presumably
 * mirrors serialize() — verify there.
 *
 * @param a_  archive to read from
 * @param tag record tag bracketing the read
 * @throws java.io.IOException if the archive cannot be read
 */
public void deserialize(InputArchive a_, String tag) throws java.io.IOException {
    a_.startRecord(tag);
    type=a_.readInt("type");
    zxid=a_.readLong("zxid");
    data=a_.readBuffer("data");
    {
        Index vidx1 = a_.startVector("authinfo");
        // A null index means the vector is absent; authinfo is then left untouched (not reset).
        if (vidx1!= null) {
            authinfo=new java.util.ArrayList<org.apache.zookeeper.data.Id>();
            for (; !vidx1.done(); vidx1.incr()) {
                org.apache.zookeeper.data.Id e1;
                e1= new org.apache.zookeeper.data.Id();
                a_.readRecord(e1,"e1");
                authinfo.add(e1);
            }
        }
        a_.endVector("authinfo");
    }
    a_.endRecord(tag);
}
public String toString() {
/**
 * With a WRITE ACL for "user" on the config node, a reconfig authenticated as that user succeeds.
 * The digest id below is a test fixture (password "test").
 */
@Test(timeout = 10000)
public void testReconfigEnabledWithAuthAndACL() throws InterruptedException {
    resetZKAdmin();
    try {
        zkAdmin.addAuthInfo("digest", "super:test".getBytes());
        Id user = new Id("digest", "user:tl+z3z0vO6PfPfEENfLF96E6pM0=" /* password is test */);
        ArrayList<ACL> acls = new ArrayList<ACL>();
        acls.add(new ACL(ZooDefs.Perms.WRITE, user));
        zkAdmin.setACL(ZooDefs.CONFIG_NODE, acls, -1);
        // Reconnect as the plain user, who now holds WRITE on the config node.
        resetZKAdmin();
        zkAdmin.addAuthInfo("digest", "user:test".getBytes());
        Assert.assertTrue(reconfigPort());
    } catch (KeeperException e) {
        Assert.fail("Reconfig should not fail, but failed with exception : " + e.getMessage());
    }
}
/**
 * A READ-only ACL for "user" on the config node is not enough: reconfig as that user must
 * fail with NOAUTH, since WRITE is required. The digest id below is a test fixture (password "test").
 */
@Test(timeout = 10000)
public void testReconfigEnabledWithAuthAndWrongACL() throws InterruptedException {
    resetZKAdmin();
    try {
        zkAdmin.addAuthInfo("digest", "super:test".getBytes());
        // Deliberately insufficient permission: READ where WRITE is needed.
        Id user = new Id("digest", "user:tl+z3z0vO6PfPfEENfLF96E6pM0=" /* password is test */);
        ArrayList<ACL> acls = new ArrayList<ACL>();
        acls.add(new ACL(ZooDefs.Perms.READ, user));
        zkAdmin.setACL(ZooDefs.CONFIG_NODE, acls, -1);
        resetZKAdmin();
        zkAdmin.addAuthInfo("digest", "user:test".getBytes());
        reconfigPort();
        Assert.fail("Reconfig should fail with an ACL that is read only!");
    } catch (KeeperException e) {
        Assert.assertEquals(KeeperException.Code.NOAUTH, e.code());
    }
}