Java Code Examples for org.apache.zookeeper.server.auth.DigestAuthenticationProvider#generateDigest()

Example 1
Source File: ZKRMStateStore.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
 * ZooKeeper access, construct the {@link ACL}s for the store's root node.
 * In the constructed {@link ACL}, all the users allowed by zkAcl are given
 * rwa access, while the current RM has exclusive create-delete access.
 *
 * To be called only when HA is enabled and the configuration doesn't set ACL
 * for the root node.
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(
    Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
  // Re-issue every source entry with the create/delete bits stripped, so that
  // only the digest identity appended below holds those permissions.
  List<ACL> rootAcls = new ArrayList<ACL>();
  for (ACL source : sourceACLs) {
    int reducedPerms =
        ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
    rootAcls.add(new ACL(reducedPerms, source.getId()));
  }

  // Side effect: the username field is overwritten with this RM instance's
  // configured address (or the default address) on every call.
  zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
      YarnConfiguration.RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADDRESS, conf);

  // "username:password" is secret material: only its digest is placed in the
  // ACL, and the plain pair should never be logged.
  String idPassword = zkRootNodeUsername + ":" + zkRootNodePassword;
  String digestId = DigestAuthenticationProvider.generateDigest(idPassword);
  Id rmId = new Id(zkRootNodeAuthScheme, digestId);

  // The RM's own identity is the single holder of create/delete on the root.
  rootAcls.add(new ACL(CREATE_DELETE_PERMS, rmId));
  return rootAcls;
}
 
Example 2
Source File: ZookeeperUtil.java    From javabase with Apache License 2.0 6 votes vote down vote up
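/**
 * Builds an ACL list that grants the CREATE permission to the configured
 * identity.
 *
 * @return the resulting ACL list
 */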
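public List<ACL> getCreateNodeAcls() {
    // Grants CREATE to one identity: the scheme comes from
    // PropertiesDynLoading.authScheme and the id is the digest of
    // PropertiesDynLoading.accessKey (presumably a "user:password" pair;
    // confirm against the configuration loader).
    List<ACL> listAcls = new ArrayList<ACL>(3);
    try {
        Id id = new Id(PropertiesDynLoading.authScheme,
                DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey));
        listAcls.add(new ACL(Perms.CREATE, id));
    } catch (NoSuchAlgorithmException e) {
        // Fail closed. The previous fallback returned Ids.OPEN_ACL_UNSAFE, which
        // silently granted every permission to every client whenever the digest
        // could not be computed. Refusing to build an ACL is the safe outcome;
        // the cause is preserved for the caller instead of being printed.
        throw new IllegalStateException(
                "Cannot build digest ACL: digest algorithm unavailable", e);
    }
    return listAcls;
}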
 
Example 3
Source File: ZKRMStateStore.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
 * ZooKeeper access, construct the {@link ACL}s for the store's root node.
 * In the constructed {@link ACL}, all the users allowed by zkAcl are given
 * rwa access, while the current RM has exclusive create-delete access.
 *
 * To be called only when HA is enabled and the configuration doesn't set ACL
 * for the root node.
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(
    Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
  // Re-issue every source entry with the create/delete bits stripped, so that
  // only the digest identity appended below holds those permissions.
  List<ACL> rootAcls = new ArrayList<ACL>();
  for (ACL source : sourceACLs) {
    int reducedPerms =
        ZKUtil.removeSpecificPerms(source.getPerms(), CREATE_DELETE_PERMS);
    rootAcls.add(new ACL(reducedPerms, source.getId()));
  }

  // Side effect: the username field is overwritten with this RM instance's
  // configured address (or the default address) on every call.
  zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
      YarnConfiguration.RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADDRESS, conf);

  // "username:password" is secret material: only its digest is placed in the
  // ACL, and the plain pair should never be logged.
  String idPassword = zkRootNodeUsername + ":" + zkRootNodePassword;
  String digestId = DigestAuthenticationProvider.generateDigest(idPassword);
  Id rmId = new Id(zkRootNodeAuthScheme, digestId);

  // The RM's own identity is the single holder of create/delete on the root.
  rootAcls.add(new ACL(CREATE_DELETE_PERMS, rmId));
  return rootAcls;
}
 
Example 4
Source File: RegistrySecurity.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Generate a base-64 encoded digest of the idPasswordPair pair
 * @param idPasswordPair id:password
 * @return a string that can be used for authentication
 */
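public String digest(String idPasswordPair) throws IOException {
  if (StringUtils.isEmpty(idPasswordPair) || !isValid(idPasswordPair)) {
    // The rejected value is deliberately left out of the message: a malformed
    // pair can still carry a real password, and exception text routinely ends
    // up in logs and stack traces.
    throw new IOException("Invalid id:password");
  }
  try {
    // Only the digest string leaves this method; the plain pair is not kept.
    return DigestAuthenticationProvider.generateDigest(idPasswordPair);
  } catch (NoSuchAlgorithmException e) {
    // unlikely since it is standard to the JVM, but maybe JCE restrictions
    // could trigger it
    throw new IOException(e.toString(), e);
  }
}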
 
Example 5
Source File: ZookeeperUtil.java    From javabase with Apache License 2.0 5 votes vote down vote up
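/**
 * Builds an ACL list that grants every permission to the configured identity.
 *
 * @return a list holding one ACL with {@code Perms.ALL} for that identity
 * @throws IllegalStateException if the digest cannot be computed
 */
public List<ACL> getAdminAcls() {
    // The scheme comes from PropertiesDynLoading.authScheme and the id is the
    // digest of PropertiesDynLoading.accessKey (presumably a "user:password"
    // pair; confirm against the configuration loader).
    List<ACL> listAcls = new ArrayList<ACL>(3);
    try {
        Id id = new Id(PropertiesDynLoading.authScheme,
                DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey));
        listAcls.add(new ACL(Perms.ALL, id));
    } catch (NoSuchAlgorithmException e) {
        // Fail closed. The previous fallback returned Ids.OPEN_ACL_UNSAFE, which
        // turned an admin-only ACL into full access for every client whenever
        // the digest could not be computed. The cause is preserved for the
        // caller instead of being printed.
        throw new IllegalStateException(
                "Cannot build digest ACL: digest algorithm unavailable", e);
    }
    return listAcls;
}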
 
Example 6
Source File: SafeZclient.java    From javabase with Apache License 2.0 5 votes vote down vote up
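/**
 * Authorized access.
 * ZooKeeper access control works per node and is not inherited: permissions set on a parent node are not inherited by its child nodes.
 * ZooKeeper provides several authentication schemes:
 * world: has a single ID, anyone, which stands for everybody.
 * auth: uses no ID and stands for any authenticated user (a user authenticated by ZK? a user connected to this ZK server?).
 * digest: uses the MD5 hash generated from a username:password string as the ACL identifier ID. Permission checks are done by sending the username:password string directly.
 * ip: uses the client host IP address as an ACL identifier; the ACL expression has the form addr/bits. The ZK server matches the first "bits" bits of addr against the first "bits" bits of the client address to check permissions.
 * @param zooKeeper
 */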
private static List<ACL> getACL(ZkClient zooKeeper) throws Exception {
	// Two digest users: "admin" receives every permission, "gao" is read-only.
	// NOTE(review): both "user:password" pairs are hard-coded with the password
	// equal to the user name; outside a demo they should come from protected
	// configuration rather than source.
	// NOTE(review): the Javadoc above calls the digest an MD5 hash; ZooKeeper's
	// DigestAuthenticationProvider uses SHA-1 by default. Confirm for the
	// ZooKeeper version in use.
	final String adminCredentials = "admin:admin";
	final String readerCredentials = "gao:gao";
	// The zooKeeper parameter is unused here; the original left a disabled
	// addAuthInfo("digest", ...) call at this point.
	final Id adminId = new Id("digest", DigestAuthenticationProvider.generateDigest(adminCredentials));
	final Id readerId = new Id("digest", DigestAuthenticationProvider.generateDigest(readerCredentials));
	// Full access for admin.
	final ACL adminAcl = new ACL(ZooDefs.Perms.ALL, adminId);
	// Read-only access for gao.
	final ACL readerAcl = new ACL(ZooDefs.Perms.READ, readerId);
	return Arrays.asList(adminAcl, readerAcl);
}
 
Example 7
Source File: RegistrySecurity.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Generate a base-64 encoded digest of the idPasswordPair pair
 * @param idPasswordPair id:password
 * @return a string that can be used for authentication
 */
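public String digest(String idPasswordPair) throws IOException {
  if (StringUtils.isEmpty(idPasswordPair) || !isValid(idPasswordPair)) {
    // The rejected value is deliberately left out of the message: a malformed
    // pair can still carry a real password, and exception text routinely ends
    // up in logs and stack traces.
    throw new IOException("Invalid id:password");
  }
  try {
    // Only the digest string leaves this method; the plain pair is not kept.
    return DigestAuthenticationProvider.generateDigest(idPasswordPair);
  } catch (NoSuchAlgorithmException e) {
    // unlikely since it is standard to the JVM, but maybe JCE restrictions
    // could trigger it
    throw new IOException(e.toString(), e);
  }
}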
 
Example 8
Source File: TestZkAclsWithHadoopAuth.java    From lucene-solr with Apache License 2.0 5 votes vote down vote up
/**
 * Computes the ZooKeeper digest-scheme id for a user name and password.
 *
 * @param userName the user part of the pair
 * @param passwd the password part of the pair
 * @return the value produced by {@code generateDigest} for "userName:passwd"
 * @throws RuntimeException wrapping NoSuchAlgorithmException if the digest
 *         algorithm is unavailable
 */
private static String digest (String userName, String passwd) {
  // ZooKeeper's digest scheme hashes the "user:password" pair as one string.
  final String idPassword = userName + ":" + passwd;
  try {
    return DigestAuthenticationProvider.generateDigest(idPassword);
  } catch (NoSuchAlgorithmException ex) {
    // Test helper: surface the failure unchecked, keeping the cause.
    throw new RuntimeException(ex);
  }
}
 
Example 9
Source File: ZookeeperDataSourceTest.java    From Sentinel-Dashboard-Nacos with Apache License 2.0 4 votes vote down vote up
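/**
 * Checks that a ZookeeperDataSource can read flow rules from a node protected
 * by a digest ACL when it is given the matching credentials.
 *
 * The client and the embedded server are released in finally blocks, so a
 * failing assertion does not leave the fixed port 21812 occupied for later
 * tests.
 */
@Test
public void testZooKeeperDataSourceAuthorization() throws Exception {
    TestingServer server = new TestingServer(21812);
    try {
        server.start();

        final String remoteAddress = server.getConnectString();
        final String groupId = "sentinel-zk-ds-demo";
        final String dataId = "flow-HK";
        final String path = "/" + groupId + "/" + dataId;
        final String scheme = "digest";
        // Test-only fixture credentials in "user:password" form.
        final String auth = "root:123456";

        // Encode explicitly: the bytes sent as auth info must match the string
        // that was hashed for the ACL, whatever the platform default charset is.
        AuthInfo authInfo = new AuthInfo(scheme, auth.getBytes("UTF-8"));
        List<AuthInfo> authInfoList = Collections.singletonList(authInfo);

        CuratorFramework zkClient = CuratorFrameworkFactory.builder().
                connectString(remoteAddress).
                retryPolicy(new ExponentialBackoffRetry(3, 100)).
                authorization(authInfoList).
                build();
        try {
            zkClient.start();
            Stat stat = zkClient.checkExists().forPath(path);
            if (stat == null) {
                // The node is created with a single ACL entry: all permissions
                // for the digest identity derived from the same credentials.
                ACL acl = new ACL(ZooDefs.Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(auth)));
                zkClient.create().creatingParentContainersIfNeeded().withACL(Collections.singletonList(acl)).forPath(path, null);
            }

            // The data source receives the same auth info, so it can read the
            // protected node.
            ReadableDataSource<String, List<FlowRule>> flowRuleDataSource = new ZookeeperDataSource<List<FlowRule>>(remoteAddress,
                    authInfoList, groupId, dataId,
                    new Converter<String, List<FlowRule>>() {
                        @Override
                        public List<FlowRule> convert(String source) {
                            return JSON.parseObject(source, new TypeReference<List<FlowRule>>() {
                            });
                        }
                    });
            FlowRuleManager.register2Property(flowRuleDataSource.getProperty());

            final String resourceName = "HK";
            publishThenTestFor(zkClient, path, resourceName, 10);
            publishThenTestFor(zkClient, path, resourceName, 15);
        } finally {
            zkClient.close();
        }
    } finally {
        server.stop();
    }
}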
 
Example 10
Source File: ZookeeperDataSourceTest.java    From Sentinel with Apache License 2.0 4 votes vote down vote up
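/**
 * Checks that a ZookeeperDataSource can read flow rules from a node protected
 * by a digest ACL when it is given the matching credentials.
 *
 * The client and the embedded server are released in finally blocks, so a
 * failing assertion does not leave the fixed port 21812 occupied for later
 * tests.
 */
@Test
public void testZooKeeperDataSourceAuthorization() throws Exception {
    TestingServer server = new TestingServer(21812);
    try {
        server.start();

        final String remoteAddress = server.getConnectString();
        final String groupId = "sentinel-zk-ds-demo";
        final String dataId = "flow-HK";
        final String path = "/" + groupId + "/" + dataId;
        final String scheme = "digest";
        // Test-only fixture credentials in "user:password" form.
        final String auth = "root:123456";

        // Encode explicitly: the bytes sent as auth info must match the string
        // that was hashed for the ACL, whatever the platform default charset is.
        AuthInfo authInfo = new AuthInfo(scheme, auth.getBytes("UTF-8"));
        List<AuthInfo> authInfoList = Collections.singletonList(authInfo);

        CuratorFramework zkClient = CuratorFrameworkFactory.builder().
                connectString(remoteAddress).
                retryPolicy(new ExponentialBackoffRetry(3, 100)).
                authorization(authInfoList).
                build();
        try {
            zkClient.start();
            Stat stat = zkClient.checkExists().forPath(path);
            if (stat == null) {
                // The node is created with a single ACL entry: all permissions
                // for the digest identity derived from the same credentials.
                ACL acl = new ACL(ZooDefs.Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(auth)));
                zkClient.create().creatingParentContainersIfNeeded().withACL(Collections.singletonList(acl)).forPath(path, null);
            }

            // The data source receives the same auth info, so it can read the
            // protected node.
            ReadableDataSource<String, List<FlowRule>> flowRuleDataSource = new ZookeeperDataSource<List<FlowRule>>(remoteAddress,
                    authInfoList, groupId, dataId,
                    new Converter<String, List<FlowRule>>() {
                        @Override
                        public List<FlowRule> convert(String source) {
                            return JSON.parseObject(source, new TypeReference<List<FlowRule>>() {
                            });
                        }
                    });
            FlowRuleManager.register2Property(flowRuleDataSource.getProperty());

            final String resourceName = "HK";
            publishThenTestFor(zkClient, path, resourceName, 10);
            publishThenTestFor(zkClient, path, resourceName, 15);
        } finally {
            zkClient.close();
        }
    } finally {
        server.stop();
    }
}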
 
Example 11
Source File: TestZKDelegationTokenSecretManager.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Verifies that the working path used by the delegation token manager
 * carries the digest ACL supplied through the Curator ACL provider.
 */
@Test
public void testACLs() throws Exception {
  DelegationTokenManager tm1;
  String connectString = zkServer.getConnectString();
  Configuration conf = getSecretConf(connectString);
  RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
  // Test-only fixture credentials in "user:password" form.
  String userPass = "myuser:mypass";
  // ACL under test: all permissions for the digest identity of userPass.
  final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest",
    DigestAuthenticationProvider.generateDigest(userPass)));
  // Provider that answers with the same single-entry ACL list for every path.
  ACLProvider digestAclProvider = new ACLProvider() {
    @Override
    public List<ACL> getAclForPath(String path) { return getDefaultAcl(); }

    @Override
    public List<ACL> getDefaultAcl() {
      List<ACL> ret = new ArrayList<ACL>();
      ret.add(digestACL);
      return ret;
    }
  };

  // The client authenticates with the same credentials the ACL was derived
  // from, encoded explicitly as UTF-8.
  CuratorFramework curatorFramework =
    CuratorFrameworkFactory.builder()
      .connectString(connectString)
      .retryPolicy(retryPolicy)
      .aclProvider(digestAclProvider)
      .authorization("digest", userPass.getBytes("UTF-8"))
      .build();
  curatorFramework.start();
  // Static hand-off of the client; it is reset to null at the end of the test.
  ZKDelegationTokenSecretManager.setCurator(curatorFramework);
  tm1 = new DelegationTokenManager(conf, new Text("bla"));
  tm1.init();

  // check ACL
  String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
  verifyACL(curatorFramework, "/" + workingPath, digestACL);

  // NOTE(review): the cleanup below is not in a finally block, so a failure
  // above leaves the static curator set and the client open for later tests.
  tm1.destroy();
  ZKDelegationTokenSecretManager.setCurator(null);
  curatorFramework.close();
}
 
Example 12
Source File: ZKClientTest.java    From twill with Apache License 2.0 4 votes vote down vote up
/**
 * Exercises ACL handling with two clients against an in-memory ZooKeeper
 * server: one authenticated with digest credentials, one with no auth info.
 */
@Test
public void testACL() throws IOException, ExecutionException, InterruptedException, NoSuchAlgorithmException {
  InMemoryZKServer zkServer = InMemoryZKServer.builder().setDataDir(tmpFolder.newFolder()).setTickTime(1000).build();
  zkServer.startAndWait();

  try {
    // Test-only fixture credentials; the digest is the id the ACL check
    // below expects to read back.
    String userPass = "user:pass";
    String digest = DigestAuthenticationProvider.generateDigest(userPass);

    // Creates two zkclients
    // NOTE(review): getBytes() without a charset uses the platform default;
    // harmless for this ASCII fixture, but an explicit charset would be safer.
    ZKClientService zkClient = ZKClientService.Builder
                                              .of(zkServer.getConnectionStr())
                                              .addAuthInfo("digest", userPass.getBytes())
                                              .build();
    zkClient.startAndWait();

    ZKClientService noAuthClient = ZKClientService.Builder.of(zkServer.getConnectionStr()).build();
    noAuthClient.startAndWait();


    // Create a node that is readable by all client, but admin for the creator
    String path = "/testacl";
    zkClient.create(path, "test".getBytes(), CreateMode.PERSISTENT,
                    ImmutableList.of(
                      new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE),
                      new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS)
                    )).get();

    // Verify the ACL
    // The second entry was written as AUTH_IDS; the assertions below expect it
    // to come back as the creator's digest identity.
    ACLData aclData = zkClient.getACL(path).get();
    Assert.assertEquals(2, aclData.getACL().size());
    ACL acl = aclData.getACL().get(1);
    Assert.assertEquals(ZooDefs.Perms.ALL, acl.getPerms());
    Assert.assertEquals("digest", acl.getId().getScheme());
    Assert.assertEquals(digest, acl.getId().getId());

    // The unauthenticated client may read, because READ is granted to anyone.
    Assert.assertArrayEquals("test".getBytes(), noAuthClient.getData(path).get().getData());

    // When tries to write using the no-auth zk client, it should fail.
    try {
      noAuthClient.setData(path, "test2".getBytes()).get();
      Assert.fail();
    } catch (ExecutionException e) {
      Assert.assertTrue(e.getCause() instanceof KeeperException.NoAuthException);
    }

    // Change ACL to make it open for all
    // The new list holds only WRITE for anyone, so the creator's ALL entry and
    // the public READ entry are no longer part of the node's ACL.
    zkClient.setACL(path, ImmutableList.of(new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE))).get();

    // Write again with the non-auth client, now should succeed.
    noAuthClient.setData(path, "test2".getBytes()).get();

    // NOTE(review): the clients are stopped only on the success path; the
    // finally block below covers the server alone.
    noAuthClient.stopAndWait();
    zkClient.stopAndWait();

  } finally {
    zkServer.stopAndWait();
  }
}
 
Example 13
Source File: TestZKDelegationTokenSecretManager.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Verifies that the working path used by the delegation token manager
 * carries the digest ACL supplied through the Curator ACL provider.
 */
@Test
public void testACLs() throws Exception {
  DelegationTokenManager tm1;
  String connectString = zkServer.getConnectString();
  Configuration conf = getSecretConf(connectString);
  RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
  // Test-only fixture credentials in "user:password" form.
  String userPass = "myuser:mypass";
  // ACL under test: all permissions for the digest identity of userPass.
  final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest",
    DigestAuthenticationProvider.generateDigest(userPass)));
  // Provider that answers with the same single-entry ACL list for every path.
  ACLProvider digestAclProvider = new ACLProvider() {
    @Override
    public List<ACL> getAclForPath(String path) { return getDefaultAcl(); }

    @Override
    public List<ACL> getDefaultAcl() {
      List<ACL> ret = new ArrayList<ACL>();
      ret.add(digestACL);
      return ret;
    }
  };

  // The client authenticates with the same credentials the ACL was derived
  // from, encoded explicitly as UTF-8.
  CuratorFramework curatorFramework =
    CuratorFrameworkFactory.builder()
      .connectString(connectString)
      .retryPolicy(retryPolicy)
      .aclProvider(digestAclProvider)
      .authorization("digest", userPass.getBytes("UTF-8"))
      .build();
  curatorFramework.start();
  // Static hand-off of the client; it is reset to null at the end of the test.
  ZKDelegationTokenSecretManager.setCurator(curatorFramework);
  tm1 = new DelegationTokenManager(conf, new Text("bla"));
  tm1.init();

  // check ACL
  String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
  verifyACL(curatorFramework, "/" + workingPath, digestACL);

  // NOTE(review): the cleanup below is not in a finally block, so a failure
  // above leaves the static curator set and the client open for later tests.
  tm1.destroy();
  ZKDelegationTokenSecretManager.setCurator(null);
  curatorFramework.close();
}
 
Example 14
Source File: SolrZkClientTest.java    From lucene-solr with Apache License 2.0 4 votes vote down vote up
/**
 * Test fixture: starts a one-node cluster and a separate ZooKeeper test
 * server, then builds three clients against that server: a default one, one
 * that adds a digest ACL, and one that presents digest credentials.
 */
@Override
public void setUp() throws Exception {
  super.setUp();
  configureCluster(1)
      .addConfig("_default", new File(ExternalPaths.DEFAULT_CONFIGSET).toPath())
      .configure();
  solrClient = getCloudSolrClient(cluster.getZkServer().getZkAddress());

  // Test-only fixture credentials shared by the ACL and credentials clients.
  final String SCHEME = "digest";
  final String AUTH = "user:pass";

  Path zkDir = createTempDir();
  log.info("ZooKeeper dataDir:{}", zkDir);
  zkServer = new ZkTestServer(zkDir);
  zkServer.run();

  try (SolrZkClient client = new SolrZkClient(zkServer.getZkHost(), AbstractZkTestCase.TIMEOUT)) {
    // Set up chroot
    client.makePath("/solr", false, true);
  }

  // Client with no overrides; it creates PATH before the other clients exist.
  defaultClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
  defaultClient.makePath(PATH, true);

  // Client whose ACL provider contributes one entry: all permissions for the
  // digest identity derived from AUTH.
  aclClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT) {
    @Override
    protected ZkACLProvider createZkACLProvider() {
      return new DefaultZkACLProvider() {
        @Override
        protected List<ACL> createGlobalACLsToAdd() {
          try {
            Id id = new Id(SCHEME, DigestAuthenticationProvider.generateDigest(AUTH));
            return Collections.singletonList(new ACL(ZooDefs.Perms.ALL, id));
          } catch (NoSuchAlgorithmException e) {
            // Fail the fixture rather than fall back to a weaker ACL.
            throw new RuntimeException(e);
          }
        }
      };
    }
  };

  // Client that supplies the plain AUTH pair, UTF-8 encoded, as its digest
  // credentials.
  credentialsClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT) {
    @Override
    protected ZkCredentialsProvider createZkCredentialsToAddAutomatically() {
      return new DefaultZkCredentialsProvider() {
        @Override
        protected Collection<ZkCredentials> createCredentials() {
          return Collections.singleton(new ZkCredentials(SCHEME, AUTH.getBytes(StandardCharsets.UTF_8)));
        }
      };
    }
  };
}