/**
 * Compares this ACL entry with another object for equality.
 *
 * <p>Two entries are equal when their permission bitmasks ({@code perms}) are identical and
 * their identities ({@code id}) are equal. Callers that compare ACL entries in access checks
 * therefore match on both the principal and the exact permission set.
 *
 * <p>NOTE(review): {@code id} is dereferenced without a null check, so this assumes
 * {@code id} is never null on the receiver; confirm against the constructors.
 *
 * @param peer_ the object to compare with
 * @return {@code true} if {@code peer_} is an ACL with the same permissions and identity
 */
public boolean equals(Object peer_) {
  if (peer_ == this) {
    return true;
  }
  if (!(peer_ instanceof ACL)) {
    return false;
  }
  ACL other = (ACL) peer_;
  // Cheap integer comparison first; the identity comparison runs only when the masks agree.
  return perms == other.perms && id.equals(other.id);
}
public int hashCode() {
/**
 * Compares this ACL entry with another object for equality.
 *
 * <p>Two entries are equal when their permission bitmasks ({@code perms}) are identical and
 * their identities ({@code id}) are equal. Callers that compare ACL entries in access checks
 * therefore match on both the principal and the exact permission set.
 *
 * <p>NOTE(review): {@code id} is dereferenced without a null check, so this assumes
 * {@code id} is never null on the receiver; confirm against the constructors.
 *
 * @param peer_ the object to compare with
 * @return {@code true} if {@code peer_} is an ACL with the same permissions and identity
 */
public boolean equals(Object peer_) {
  if (peer_ == this) {
    return true;
  }
  if (!(peer_ instanceof ACL)) {
    return false;
  }
  ACL other = (ACL) peer_;
  // Cheap integer comparison first; the identity comparison runs only when the masks agree.
  return perms == other.perms && id.equals(other.id);
}
public int hashCode() {
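/**
 * Reports whether {@code id} is the SASL identity of one of the listed super users.
 *
 * <p>Each entry is wrapped as an {@code Id} with scheme {@code "sasl"} and compared with
 * {@code id}. Entries that {@code AuthUtil.isGroupPrincipal} classifies as group principals are
 * skipped, so super-group membership is never matched here (see the TODO below).
 *
 * <p>A {@code null} list, a {@code null} entry or a {@code null} {@code id} matches nothing:
 * the check fails closed instead of throwing from the middle of an authorization decision.
 *
 * @param superUsers super-user principal names; may be {@code null}
 * @param id the identity to test; may be {@code null}
 * @return {@code true} only if a non-group entry, wrapped as a {@code sasl} Id, equals {@code id}
 */
public static boolean isSuperUserId(String[] superUsers, Id id) {
  if (superUsers == null || id == null) {
    return false;
  }
  for (String user : superUsers) {
    if (user == null) {
      continue; // A missing entry can never name a super user.
    }
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (!AuthUtil.isGroupPrincipal(user) && new Id("sasl", user).equals(id)) {
      return true;
    }
  }
  return false;
}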
/**
 * Verifies that every ACL entry on {@code path} belongs to {@code user}, and throws otherwise.
 *
 * <p>The check fails closed in three ways: a failure to read the ACLs is rethrown as a
 * {@code RuntimeException}; a missing or empty ACL list is treated as an unprotected node; and
 * any entry whose identity differs from {@code user} is rejected. The permission bits of an
 * entry are not examined, so even a read-only grant to another identity is refused.
 *
 * <p>NOTE(review): the ACLs are read once here; nothing in this method prevents them from
 * being changed afterwards.
 *
 * @param zkClient client used to read the ACLs
 * @param user the only identity allowed to appear in the ACL list
 * @param path the znode path to check
 * @throws RuntimeException if the ACLs cannot be read
 * @throws SecurityException if the node has no ACLs or an entry for another identity
 */
private static void checkAcls(CuratorFramework zkClient, Id user, String path) {
  List<ACL> acls;
  try {
    acls = zkClient.getACL().forPath(path);
  } catch (Exception ex) {
    throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, ex);
  }

  boolean unprotected = acls == null || acls.isEmpty();
  if (unprotected) {
    // There's some access (to get ACLs), so assume it means free for all.
    throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE);
  }

  for (ACL entry : acls) {
    if (user.equals(entry.getId())) {
      continue; // Entry belongs to the expected identity.
    }
    throw new SecurityException("The ACL " + entry + " is unnacceptable for " + path
        + "; only " + user + " is allowed. " + DISABLE_MESSAGE);
  }
}
if (Ids.ANYONE_ID_UNSAFE.equals(id)) { if (perms != Perms.READ) { if (LOG.isDebugEnabled()) {
/**
 * Checks the ACLs on the workers path and re-applies them via {@code setUpAcls} when they are
 * missing or grant more than read access to anyone other than the current SASL user.
 *
 * <p>Does nothing when {@code UserGroupInformation.isSecurityEnabled()} is false. An ACL entry
 * is accepted if it carries no permission bit other than READ, or if its identity equals the
 * {@code sasl} Id built from {@code userNameFromPrincipal}; the first entry that is neither
 * triggers a warning and {@code setUpAcls}.
 *
 * <p>NOTE(review): the non-null precondition on {@code userNameFromPrincipal} is a Java
 * {@code assert}, which the JVM skips unless assertions are enabled ({@code -ea}); with it
 * skipped, a null name flows into the Id built below. Consider an explicit check.
 *
 * @throws Exception if reading the ACLs fails or {@code setUpAcls} throws
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  // We are trying to check ACLs on the "workers" directory, which no one except us should be
  // able to write to. Higher-level directories shouldn't matter - we don't read them.
  String pathToCheck = workersPath;
  List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck);

  boolean noAcls = acls == null || acls.isEmpty();
  if (noAcls) {
    // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }

  // This could be brittle.
  assert userNameFromPrincipal != null;
  Id currentUser = new Id("sasl", userNameFromPrincipal);

  for (ACL acl : acls) {
    boolean grantsBeyondRead = (acl.getPerms() & ~ZooDefs.Perms.READ) != 0;
    // Only an entry that grants more than READ to someone other than us is a problem.
    if (grantsBeyondRead && !currentUser.equals(acl.getId())) {
      LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck
          + "; setting up ACLs. " + disableMessage);
      setUpAcls(pathToCheck);
      return;
    }
  }
}
/**
 * Compares this ACL entry with another object for equality.
 *
 * <p>Two entries are equal when their permission bitmasks ({@code perms}) are identical and
 * their identities ({@code id}) are equal. Callers that compare ACL entries in access checks
 * therefore match on both the principal and the exact permission set.
 *
 * <p>NOTE(review): {@code id} is dereferenced without a null check, so this assumes
 * {@code id} is never null on the receiver; confirm against the constructors.
 *
 * @param peer_ the object to compare with
 * @return {@code true} if {@code peer_} is an ACL with the same permissions and identity
 */
public boolean equals(Object peer_) {
  if (peer_ == this) {
    return true;
  }
  if (!(peer_ instanceof ACL)) {
    return false;
  }
  ACL other = (ACL) peer_;
  // Cheap integer comparison first; the identity comparison runs only when the masks agree.
  return perms == other.perms && id.equals(other.id);
}
public int hashCode() {
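/**
 * Reports whether {@code id} is the SASL identity of one of the listed super users.
 *
 * <p>Each entry is wrapped as an {@code Id} with scheme {@code "sasl"} and compared with
 * {@code id}. Entries that start with {@code AuthUtil.GROUP_PREFIX} are skipped, so super-group
 * membership is never matched here (see the TODO below).
 *
 * <p>A {@code null} list, a {@code null} entry or a {@code null} {@code id} matches nothing:
 * the check fails closed instead of throwing from the middle of an authorization decision.
 *
 * @param superUsers super-user principal names; may be {@code null}
 * @param id the identity to test; may be {@code null}
 * @return {@code true} only if a non-group entry, wrapped as a {@code sasl} Id, equals {@code id}
 */
public static boolean isSuperUserId(String[] superUsers, Id id) {
  if (superUsers == null || id == null) {
    return false;
  }
  for (String user : superUsers) {
    if (user == null) {
      continue; // A missing entry can never name a super user.
    }
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (!user.startsWith(AuthUtil.GROUP_PREFIX) && new Id("sasl", user).equals(id)) {
      return true;
    }
  }
  return false;
}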
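/**
 * Reports whether {@code id} is the SASL identity of one of the listed super users.
 *
 * <p>Each entry is wrapped as an {@code Id} with scheme {@code "sasl"} and compared with
 * {@code id}. Entries that {@code AuthUtil.isGroupPrincipal} classifies as group principals are
 * skipped, so super-group membership is never matched here (see the TODO below).
 *
 * <p>A {@code null} list, a {@code null} entry or a {@code null} {@code id} matches nothing:
 * the check fails closed instead of throwing from the middle of an authorization decision.
 *
 * @param superUsers super-user principal names; may be {@code null}
 * @param id the identity to test; may be {@code null}
 * @return {@code true} only if a non-group entry, wrapped as a {@code sasl} Id, equals {@code id}
 */
public static boolean isSuperUserId(String[] superUsers, Id id) {
  if (superUsers == null || id == null) {
    return false;
  }
  for (String user : superUsers) {
    if (user == null) {
      continue; // A missing entry can never name a super user.
    }
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (!AuthUtil.isGroupPrincipal(user) && new Id("sasl", user).equals(id)) {
      return true;
    }
  }
  return false;
}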
if (Ids.ANYONE_ID_UNSAFE.equals(id)) { if (perms != Perms.READ) { if (LOG.isDebugEnabled()) {
if (Ids.ANYONE_ID_UNSAFE.equals(id)) { if (perms != Perms.READ) { if (LOG.isDebugEnabled()) {
/**
 * Checks the ACLs on the workers path and re-applies them via {@code setUpAcls} when they are
 * missing or grant more than read access to anyone other than the current SASL user.
 *
 * <p>Does nothing when {@code UserGroupInformation.isSecurityEnabled()} is false. An ACL entry
 * is accepted if it carries no permission bit other than READ, or if its identity equals the
 * {@code sasl} Id built from {@code userNameFromPrincipal}; the first entry that is neither
 * triggers a warning and {@code setUpAcls}.
 *
 * <p>NOTE(review): the non-null precondition on {@code userNameFromPrincipal} is a Java
 * {@code assert}, which the JVM skips unless assertions are enabled ({@code -ea}); with it
 * skipped, a null name flows into the Id built below. Consider an explicit check.
 *
 * @throws Exception if reading the ACLs fails or {@code setUpAcls} throws
 */
private void checkAndSetAcls() throws Exception {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  // We are trying to check ACLs on the "workers" directory, which no one except us should be
  // able to write to. Higher-level directories shouldn't matter - we don't read them.
  String pathToCheck = workersPath;
  List<ACL> acls = zooKeeperClient.getACL().forPath(pathToCheck);

  boolean noAcls = acls == null || acls.isEmpty();
  if (noAcls) {
    // Can there be no ACLs? There's some access (to get ACLs), so assume it means free for all.
    LOG.warn("No ACLs on " + pathToCheck + "; setting up ACLs. " + disableMessage);
    setUpAcls(pathToCheck);
    return;
  }

  // This could be brittle.
  assert userNameFromPrincipal != null;
  Id currentUser = new Id("sasl", userNameFromPrincipal);

  for (ACL acl : acls) {
    boolean grantsBeyondRead = (acl.getPerms() & ~ZooDefs.Perms.READ) != 0;
    // Only an entry that grants more than READ to someone other than us is a problem.
    if (grantsBeyondRead && !currentUser.equals(acl.getId())) {
      LOG.warn("The ACL " + acl + " is unnacceptable for " + pathToCheck
          + "; setting up ACLs. " + disableMessage);
      setUpAcls(pathToCheck);
      return;
    }
  }
}
if (Ids.ANYONE_ID_UNSAFE.equals(id)) { if (perms != Perms.READ) { if (LOG.isDebugEnabled()) {