org.apache.zookeeper.ZooDefs.Perms Java Examples

The following examples show how to use org.apache.zookeeper.ZooDefs.Perms.
Example #1
Source File: ZookeeperUtil.java    From javabase with Apache License 2.0 6 votes vote down vote up
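/**
 * Builds the ACL list used when creating nodes: a single entry granting
 * {@link Perms#CREATE} to the digest identity derived from the configured
 * access key.
 *
 * @return a one-element list holding the CREATE ACL for the configured identity
 * @throws IllegalStateException if the digest for the identity cannot be computed;
 *         the method fails closed instead of silently falling back to a
 *         world-open ACL
 */
public List<ACL> getCreateNodeAcls() {
    String digest;
    try {
        digest = DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey);
    } catch (NoSuchAlgorithmException e) {
        // Never substitute OPEN_ACL_UNSAFE here: a digest failure must not
        // widen node permissions to "anyone".
        throw new IllegalStateException(
                "Cannot compute digest for ZooKeeper ACL identity", e);
    }
    Id id = new Id(PropertiesDynLoading.authScheme, digest);
    List<ACL> listAcls = new ArrayList<ACL>(1);
    listAcls.add(new ACL(Perms.CREATE, id));
    return listAcls;
}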
 
Example #2
Source File: ZKWatcher.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that every non-group superuser in {@code superUsers} appears in
 * {@code acls} with {@link Perms#ALL}.
 * <p>
 * Matching is on the ACL id string alone ({@code acl.getId().getId()}); the scheme
 * is not compared. Group principals are skipped because ZooKeeper does not support
 * group ACLs. Only the first ACL entry whose id equals a user is examined.
 *
 * @param superUsers configured superuser principals, possibly containing group entries
 * @param acls ACL entries read from the znode
 * @return {@code true} if each non-group superuser holds full permissions
 */
private boolean checkACLForSuperUsers(String[] superUsers, List<ACL> acls) {
  for (String user : superUsers) {
    // TODO: Validate super group members also when ZK supports setting node ACL for groups.
    if (AuthUtil.isGroupPrincipal(user)) {
      continue;
    }
    if (!superUserHasAllPerms(user, acls)) {
      return false;
    }
  }
  return true;
}

/**
 * Returns whether the first ACL entry whose id equals {@code user} carries
 * {@link Perms#ALL}; false (with a debug log) on a mismatch, false when no entry matches.
 */
private boolean superUserHasAllPerms(String user, List<ACL> acls) {
  for (ACL acl : acls) {
    if (!user.equals(acl.getId().getId())) {
      continue;
    }
    if (acl.getPerms() == Perms.ALL) {
      return true;
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug(String.format(
        "superuser '%s' does not have correct permissions: have 0x%x, want 0x%x",
        acl.getId().getId(), acl.getPerms(), Perms.ALL));
    }
    return false;
  }
  // No ACL entry at all for this user.
  return false;
}
 
Example #3
Source File: TestZKUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Two comma-separated SASL ACL specs parse into two entries: the first with all five
 * permission bits, the second with only CREATE and ADMIN.
 * NOTE(review): the "[email protected]" principals look like a redaction artifact of the
 * page this listing was taken from; confirm the real principal in the upstream source.
 */
@Test
public void testGoodACLs() {
  String spec = "sasl:hdfs/[email protected]:cdrwa, sasl:hdfs/[email protected]:ca";
  List<ACL> result = ZKUtil.parseACLs(spec);

  int allPerms = Perms.CREATE | Perms.DELETE | Perms.READ | Perms.WRITE | Perms.ADMIN;
  ACL first = result.get(0);
  assertEquals(allPerms, first.getPerms());
  assertEquals("sasl", first.getId().getScheme());
  assertEquals("hdfs/[email protected]", first.getId().getId());

  ACL second = result.get(1);
  assertEquals(Perms.CREATE | Perms.ADMIN, second.getPerms());
  assertEquals("sasl", second.getId().getScheme());
  assertEquals("hdfs/[email protected]", second.getId().getId());
}
 
Example #4
Source File: TestZKUtilNoServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * When the login user is also listed as a superuser, no separate SASL entry is emitted
 * for that user: the result holds the two other users plus the creator entry.
 */
@Test
public void testCreateACLWithSameUser() throws IOException {
  Configuration conf = HBaseConfiguration.create();
  conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
  UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
  String node = "/hbase/testCreateACL";
  ZKWatcher watcher = new ZKWatcher(conf, node, null, false);

  List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
  assertEquals(3, aclList.size()); // 3, since service user the same as one of superuser

  ACL groupAcl = new ACL(Perms.ALL, new Id("sasl", "@group1"));
  ACL creatorAcl = new ACL(Perms.ALL, new Id("auth", ""));
  ACL user5Acl = new ACL(Perms.ALL, new Id("sasl", "user5"));
  ACL user6Acl = new ACL(Perms.ALL, new Id("sasl", "user6"));
  // Groups are not expressible as ZooKeeper ACLs, so the group entry must be absent.
  assertFalse(aclList.contains(groupAcl));
  assertTrue(aclList.contains(creatorAcl));
  assertTrue(aclList.contains(user5Acl));
  assertTrue(aclList.contains(user6Acl));
}
 
Example #5
Source File: TestZKUtilNoServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Three user superusers and two group superusers yield three SASL entries plus the
 * creator entry; the group entries are dropped.
 */
@Test
public void testCreateACL() throws IOException {
  Configuration conf = HBaseConfiguration.create();
  conf.set(Superusers.SUPERUSER_CONF_KEY, "user1,@group1,user2,@group2,user3");
  String node = "/hbase/testCreateACL";
  ZKWatcher watcher = new ZKWatcher(conf, node, null, false);

  List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
  assertEquals(4, aclList.size()); // 3+1, since ACL will be set for the creator by default

  String[] absentGroups = {"@group1", "@group2"};
  for (String group : absentGroups) {
    assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", group))));
  }
  String[] presentUsers = {"user1", "user2", "user3"};
  for (String user : presentUsers) {
    assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", user))));
  }
}
 
Example #6
Source File: TestZKUtilNoServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * A single superuser yields exactly two entries: that user with ALL and the
 * default creator entry.
 */
@Test
public void testSecuritySingleSuperuser() throws IOException {
  Configuration conf = HBaseConfiguration.create();
  conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
  String node = "/hbase/testSecuritySingleSuperuser";
  ZKWatcher watcher = new ZKWatcher(conf, node, null, false);

  List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
  assertEquals(2, aclList.size()); // 1+1, since ACL will be set for the creator by default

  ACL superuserAcl = new ACL(Perms.ALL, new Id("sasl", "user1"));
  ACL creatorAcl = Ids.CREATOR_ALL_ACL.iterator().next();
  assertTrue(aclList.contains(superuserAcl));
  assertTrue(aclList.contains(creatorAcl));
}
 
Example #7
Source File: IntegrationTestZKAndFSPermissions.java    From hbase with Apache License 2.0 5 votes vote down vote up
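/**
 * Asserts that every ACL on {@code znode} is one of the three expected entries:
 * "anyone" with READ only (and only when {@code expectedWorldReadable}), a superuser
 * with ALL, or the master principal with ALL. A znode that no longer exists is skipped.
 *
 * @param zk client used to read the ACL
 * @param znode path to check
 * @param expectedWorldReadable whether an unauthenticated READ entry is acceptable
 * @throws KeeperException on ZooKeeper errors other than a missing node
 * @throws InterruptedException if the ZooKeeper call is interrupted
 */
private void assertZnodePerms(RecoverableZooKeeper zk, String znode,
    boolean expectedWorldReadable) throws KeeperException, InterruptedException {
  Stat stat = new Stat();
  List<ACL> acls;
  try {
    acls = zk.getZooKeeper().getACL(znode, stat);
  } catch (NoNodeException ex) {
    LOG.debug("Caught exception for missing znode", ex);
    // the znode is deleted. Probably it was a temporary znode (like RIT).
    return;
  }
  String[] superUsers = superUser == null ? null : superUser.split(",");

  LOG.info("Checking ACLs for znode znode:" + znode + " acls:" + acls);

  Id masterId = new Id("sasl", masterPrincipal);
  for (ACL acl : acls) {
    int perms = acl.getPerms();
    Id id = acl.getId();
    // We should only set at most 3 possible ACL for 3 Ids. One for everyone, one for superuser
    // and one for the hbase user.
    // assertEquals takes (expected, actual); keeping that order makes a failure read
    // "expected:<READ> but was:<...>" instead of the reverse.
    if (Ids.ANYONE_ID_UNSAFE.equals(id)) {
      // everyone should be set only if we are expecting this znode to be world readable
      assertTrue("unexpected world-readable ACL on znode " + znode, expectedWorldReadable);
      // assert that anyone can only read
      assertEquals("anyone perms on " + znode, Perms.READ, perms);
    } else if (superUsers != null && ZKWatcher.isSuperUserId(superUsers, id)) {
      // assert that super user has all the permissions
      assertEquals("superuser perms on " + znode, Perms.ALL, perms);
    } else if (masterId.equals(id)) {
      // hbase.master.kerberos.principal?
      assertEquals("master perms on " + znode, Perms.ALL, perms);
    } else {
      fail("An ACL is found which is not expected for the znode:" + znode + " , ACL:" + acl);
    }
  }
}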
 
Example #8
Source File: TestZKUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
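/**
 * Removing CREATE from ALL clears the CREATE bit and leaves every other bit intact.
 * The second assertion guards against an implementation that simply returns 0,
 * which the first assertion alone would accept.
 */
@Test
public void testRemoveSpecificPerms() {
  int perms = Perms.ALL;
  int remove = Perms.CREATE;
  int newPerms = ZKUtil.removeSpecificPerms(perms, remove);
  assertEquals("Removal failed", 0, newPerms & Perms.CREATE);
  assertEquals("Other permissions were altered", Perms.ALL & ~Perms.CREATE, newPerms);
}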
 
Example #9
Source File: ZookeeperUtil.java    From javabase with Apache License 2.0 5 votes vote down vote up
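/**
 * Builds the administrative ACL list: a single entry granting {@link Perms#ALL}
 * to the digest identity derived from the configured access key.
 *
 * @return a one-element list holding the ALL ACL for the configured identity
 * @throws IllegalStateException if the digest for the identity cannot be computed;
 *         the method fails closed instead of silently falling back to a
 *         world-open ACL
 */
public List<ACL> getAdminAcls() {
    String digest;
    try {
        digest = DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey);
    } catch (NoSuchAlgorithmException e) {
        // Never substitute OPEN_ACL_UNSAFE here: a digest failure must not
        // widen admin permissions to "anyone".
        throw new IllegalStateException(
                "Cannot compute digest for ZooKeeper ACL identity", e);
    }
    Id id = new Id(PropertiesDynLoading.authScheme, digest);
    List<ACL> listAcls = new ArrayList<ACL>(1);
    listAcls.add(new ACL(Perms.ALL, id));
    return listAcls;
}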
 
Example #10
Source File: TestZKUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Two comma-separated SASL ACL specs parse into two entries: the first with all five
 * permission bits, the second with only CREATE and ADMIN.
 * NOTE(review): the "[email protected]" principals look like a redaction artifact of the
 * page this listing was taken from; confirm the real principal in the upstream source.
 */
@Test
public void testGoodACLs() {
  String spec = "sasl:hdfs/[email protected]:cdrwa, sasl:hdfs/[email protected]:ca";
  List<ACL> result = ZKUtil.parseACLs(spec);

  int allPerms = Perms.CREATE | Perms.DELETE | Perms.READ | Perms.WRITE | Perms.ADMIN;
  ACL first = result.get(0);
  assertEquals(allPerms, first.getPerms());
  assertEquals("sasl", first.getId().getScheme());
  assertEquals("hdfs/[email protected]", first.getId().getId());

  ACL second = result.get(1);
  assertEquals(Perms.CREATE | Perms.ADMIN, second.getPerms());
  assertEquals("sasl", second.getId().getScheme());
  assertEquals("hdfs/[email protected]", second.getId().getId());
}
 
Example #11
Source File: TestZKUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
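/**
 * Removing CREATE from ALL clears the CREATE bit and leaves every other bit intact.
 * The second assertion guards against an implementation that simply returns 0,
 * which the first assertion alone would accept.
 */
@Test
public void testRemoveSpecificPerms() {
  int perms = Perms.ALL;
  int remove = Perms.CREATE;
  int newPerms = ZKUtil.removeSpecificPerms(perms, remove);
  assertEquals("Removal failed", 0, newPerms & Perms.CREATE);
  assertEquals("Other permissions were altered", Perms.ALL & ~Perms.CREATE, newPerms);
}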
 
Example #12
Source File: ZKDelegationTokenSecretManager.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Builds a single-entry ACL list granting {@link Perms#ALL} to the SASL identity
 * {@code principal} and nobody else.
 *
 * @param principal SASL principal that owns the znodes
 */
private SASLOwnerACLProvider(String principal) {
  Id owner = new Id("sasl", principal);
  ACL ownerAll = new ACL(Perms.ALL, owner);
  this.saslACL = Collections.singletonList(ownerAll);
}
 
Example #13
Source File: ZKSignerSecretProvider.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Builds a single-entry ACL list granting {@link Perms#ALL} to the SASL identity
 * {@code principal} and nobody else.
 *
 * @param principal SASL principal that owns the znodes
 */
private SASLOwnerACLProvider(String principal) {
  Id owner = new Id("sasl", principal);
  ACL ownerAll = new ACL(Perms.ALL, owner);
  this.saslACL = Collections.singletonList(ownerAll);
}
 
Example #14
Source File: ZKDelegationTokenSecretManager.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Builds a single-entry ACL list granting {@link Perms#ALL} to the SASL identity
 * {@code principal} and nobody else.
 *
 * @param principal SASL principal that owns the znodes
 */
private SASLOwnerACLProvider(String principal) {
  Id owner = new Id("sasl", principal);
  ACL ownerAll = new ACL(Perms.ALL, owner);
  this.saslACL = Collections.singletonList(ownerAll);
}
 
Example #15
Source File: ZKWatcher.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Checks whether the ACLs returned from the base znode (/hbase) is set for secure setup.
 * <p>
 * Fails closed: the list must be non-empty, every configured non-group superuser must
 * hold {@link Perms#ALL} (see checkACLForSuperUsers), and each entry must be one of the
 * three expected ids -- "anyone" with READ only, a superuser with ALL, or the current
 * user's SASL identity with ALL. Any other entry or permission set yields {@code false}.
 *
 * @param acls acls from zookeeper
 * @return whether ACLs are set for the base znode
 * @throws IOException if getting the current user fails
 */
private boolean isBaseZnodeAclSetup(List<ACL> acls) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking znode ACLs");
  }
  String[] superUsers = conf.getStrings(Superusers.SUPERUSER_CONF_KEY);
  // Every configured superuser must already be granted ALL.
  if (superUsers != null && !checkACLForSuperUsers(superUsers, acls)) {
    return false;
  }

  // this assumes that current authenticated user is the same as zookeeper client user
  // configured via JAAS
  String hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();

  if (acls.isEmpty()) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("ACL is empty");
    }
    return false;
  }

  // We should only set at most 3 possible ACLs for 3 Ids. One for everyone, one for superuser
  // and one for the hbase user
  for (ACL acl : acls) {
    if (!isExpectedBaseAclEntry(acl, superUsers, hbaseUser)) {
      return false;
    }
  }
  return true;
}

/**
 * Classifies one base-znode ACL entry and checks that it carries exactly the
 * permissions expected for its id, logging the reason at debug level when it does not.
 */
private boolean isExpectedBaseAclEntry(ACL acl, String[] superUsers, String hbaseUser) {
  int perms = acl.getPerms();
  Id id = acl.getId();
  if (Ids.ANYONE_ID_UNSAFE.equals(id)) {
    return hasExactPerms(id, perms, Perms.READ);
  }
  if (superUsers != null && isSuperUserId(superUsers, id)) {
    return hasExactPerms(id, perms, Perms.ALL);
  }
  if (!"sasl".equals(id.getScheme())) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("unexpected ACL id '{}'", id);
    }
    return false;
  }
  String name = id.getId();
  // If ZooKeeper recorded the Kerberos full name in the ACL, use only the shortname
  Matcher match = NAME_PATTERN.matcher(name);
  if (match.matches()) {
    name = match.group(1);
  }
  if (!name.equals(hbaseUser)) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Unexpected shortname in SASL ACL: {}", id);
    }
    return false;
  }
  return hasExactPerms(id, perms, Perms.ALL);
}

/** Returns whether {@code perms} equals {@code want}, logging the mismatch at debug level. */
private boolean hasExactPerms(Id id, int perms, int want) {
  if (perms == want) {
    return true;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug(String.format("permissions for '%s' are not correct: have 0x%x, want 0x%x",
      id, perms, want));
  }
  return false;
}
 
Example #16
Source File: ZKUtil.java    From hbase with Apache License 2.0 4 votes vote down vote up
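/**
 * Builds the ACL list to apply when creating {@code node}.
 * <p>
 * Nodes outside the configured base znode, and any node when ZooKeeper security is off,
 * get an open ACL. Otherwise the list holds {@link Perms#ALL} for every non-group
 * superuser other than the current process user, the creator entry, and -- only for
 * client-readable znodes -- world read access. Group superusers are skipped with a
 * warning because ZooKeeper cannot express group ACLs.
 *
 * @param zkw watcher supplying the configuration and znode paths
 * @param node full path of the znode being created
 * @param isSecureZooKeeper whether ZooKeeper authentication is enabled
 * @return a fresh, caller-owned list (never one of the shared {@link Ids} constants)
 */
public static ArrayList<ACL> createACL(ZKWatcher zkw, String node,
                                       boolean isSecureZooKeeper) {
  // Return a copy rather than Ids.OPEN_ACL_UNSAFE itself: the Ids lists are shared
  // mutable constants, and a caller appending to the result would corrupt them.
  if (!node.startsWith(zkw.getZNodePaths().baseZNode) || !isSecureZooKeeper) {
    return new ArrayList<>(Ids.OPEN_ACL_UNSAFE);
  }
  ArrayList<ACL> acls = new ArrayList<>();
  // add permission to hbase super users
  String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
  String hbaseUser = null;
  try {
    hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
  } catch (IOException e) {
    // Best effort: without the current user it cannot be deduplicated from the superusers.
    LOG.debug("Could not acquire current User.", e);
  }
  if (superUsers != null) {
    List<String> groups = new ArrayList<>();
    for (String user : superUsers) {
      if (AuthUtil.isGroupPrincipal(user)) {
        // TODO: Set node ACL for groups when ZK supports this feature
        groups.add(user);
      } else if (!user.equals(hbaseUser)) {
        // The current user is skipped here; presumably CREATOR_ALL_ACL below covers it.
        acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
      }
    }
    if (!groups.isEmpty()) {
      LOG.warn("Znode ACL setting for group {} is skipped, ZooKeeper doesn't support this " +
        "feature presently.", groups);
    }
  }
  acls.addAll(Ids.CREATOR_ALL_ACL);
  // Certain znodes are accessed directly by the client,
  // so they must be readable by non-authenticated clients
  if (zkw.getZNodePaths().isClientReadable(node)) {
    acls.addAll(Ids.READ_ACL_UNSAFE);
  }
  return acls;
}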
 
Example #17
Source File: ZKSignerSecretProvider.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Builds a single-entry ACL list granting {@link Perms#ALL} to the SASL identity
 * {@code principal} and nobody else.
 *
 * @param principal SASL principal that owns the znodes
 */
private SASLOwnerACLProvider(String principal) {
  Id owner = new Id("sasl", principal);
  ACL ownerAll = new ACL(Perms.ALL, owner);
  this.saslACL = Collections.singletonList(ownerAll);
}