Java Code Examples for org.apache.zookeeper.server.auth.DigestAuthenticationProvider#generateDigest()
The following examples show how to use
org.apache.zookeeper.server.auth.DigestAuthenticationProvider#generateDigest() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: ZKRMStateStore.java From hadoop with Apache License 2.0 | 6 votes |
|
/**
* Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
* ZooKeeper access, construct the {@link ACL}s for the store's root node.
* In the constructed {@link ACL}, all the users allowed by zkAcl are given
* rwa access, while the current RM has exclude create-delete access.
*
* To be called only when HA is enabled and the configuration doesn't set ACL
* for the root node.
*/
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(
Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
List<ACL> zkRootNodeAcl = new ArrayList<ACL>();
for (ACL acl : sourceACLs) {
zkRootNodeAcl.add(new ACL(
ZKUtil.removeSpecificPerms(acl.getPerms(), CREATE_DELETE_PERMS),
acl.getId()));
}
zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
YarnConfiguration.RM_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
Id rmId = new Id(zkRootNodeAuthScheme,
DigestAuthenticationProvider.generateDigest(
zkRootNodeUsername + ":" + zkRootNodePassword));
zkRootNodeAcl.add(new ACL(CREATE_DELETE_PERMS, rmId));
return zkRootNodeAcl;
}
Example 2
| Source File: ZookeeperUtil.java From javabase with Apache License 2.0 | 6 votes |
|
/**
*
* @return
*/
public List<ACL> getCreateNodeAcls() {
List<ACL> listAcls = new ArrayList<ACL>(3);
try {
Id id = new Id(PropertiesDynLoading.authScheme,
DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey));
ACL acl = new ACL(Perms.CREATE, id);
listAcls.add(acl);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
return Ids.OPEN_ACL_UNSAFE;
}
return listAcls;
}
Example 3
| Source File: ZKRMStateStore.java From big-c with Apache License 2.0 | 6 votes |
|
/**
* Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
* ZooKeeper access, construct the {@link ACL}s for the store's root node.
* In the constructed {@link ACL}, all the users allowed by zkAcl are given
* rwa access, while the current RM has exclude create-delete access.
*
* To be called only when HA is enabled and the configuration doesn't set ACL
* for the root node.
*/
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(
Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
List<ACL> zkRootNodeAcl = new ArrayList<ACL>();
for (ACL acl : sourceACLs) {
zkRootNodeAcl.add(new ACL(
ZKUtil.removeSpecificPerms(acl.getPerms(), CREATE_DELETE_PERMS),
acl.getId()));
}
zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
YarnConfiguration.RM_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
Id rmId = new Id(zkRootNodeAuthScheme,
DigestAuthenticationProvider.generateDigest(
zkRootNodeUsername + ":" + zkRootNodePassword));
zkRootNodeAcl.add(new ACL(CREATE_DELETE_PERMS, rmId));
return zkRootNodeAcl;
}
Example 4
| Source File: RegistrySecurity.java From hadoop with Apache License 2.0 | 5 votes |
|
/**
* Generate a base-64 encoded digest of the idPasswordPair pair
* @param idPasswordPair id:password
* @return a string that can be used for authentication
*/
public String digest(String idPasswordPair) throws IOException {
if (StringUtils.isEmpty(idPasswordPair) || !isValid(idPasswordPair)) {
throw new IOException("Invalid id:password: " + idPasswordPair);
}
try {
return DigestAuthenticationProvider.generateDigest(idPasswordPair);
} catch (NoSuchAlgorithmException e) {
// unlikely since it is standard to the JVM, but maybe JCE restrictions
// could trigger it
throw new IOException(e.toString(), e);
}
}
Example 5
| Source File: ZookeeperUtil.java From javabase with Apache License 2.0 | 5 votes |
|
public List<ACL> getAdminAcls() {
List<ACL> listAcls = new ArrayList<ACL>(3);
try {
Id id = new Id(PropertiesDynLoading.authScheme,
DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey));
ACL acl = new ACL(Perms.ALL, id);
listAcls.add(acl);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
return Ids.OPEN_ACL_UNSAFE;
}
return listAcls;
}
Example 6
| Source File: SafeZclient.java From javabase with Apache License 2.0 | 5 votes |
|
/**
* 授权访问
* Zookeeper对权限的控制是节点级别的,而且不继承,即对父节点设置权限,其子节点不继承父节点的权限
* Zookeeper提供了几种认证方式
* world:有个单一的ID,anyone,表示任何人。
* auth:不使用任何ID,表示任何通过验证的用户(是通过ZK验证的用户?连接到此ZK服务器的用户?)。
* digest:使用 用户名:密码 字符串生成MD5哈希值作为ACL标识符ID。权限的验证通过直接发送用户名密码字符串的方式完成,
* ip:使用客户端主机ip地址作为一个ACL标识符,ACL表达式是以 addr/bits 这种格式表示的。ZK服务器会将addr的前bits位与客户端地址的前bits位来进行匹配验证权限。
* @param zooKeeper
*/
private static List<ACL> getACL(ZkClient zooKeeper) throws Exception {
// 配置两个用户admin有读写权限,gao有读的权限
String userOne = "admin:admin";
String userTwo = "gao:gao";
// zooKeeper.addAuthInfo("digest",userOne.getBytes("UTF-8"));
Id idOne = new Id("digest", DigestAuthenticationProvider.generateDigest(userOne));
Id idTwo = new Id("digest", DigestAuthenticationProvider.generateDigest(userTwo));
// 读
ACL acl = new ACL(ZooDefs.Perms.ALL, idOne);
// 写
ACL aclRead = new ACL(ZooDefs.Perms.READ, idTwo);
List<ACL> acls = Arrays.asList(acl, aclRead);
return acls;
}
Example 7
| Source File: RegistrySecurity.java From big-c with Apache License 2.0 | 5 votes |
|
/**
* Generate a base-64 encoded digest of the idPasswordPair pair
* @param idPasswordPair id:password
* @return a string that can be used for authentication
*/
public String digest(String idPasswordPair) throws IOException {
if (StringUtils.isEmpty(idPasswordPair) || !isValid(idPasswordPair)) {
throw new IOException("Invalid id:password: " + idPasswordPair);
}
try {
return DigestAuthenticationProvider.generateDigest(idPasswordPair);
} catch (NoSuchAlgorithmException e) {
// unlikely since it is standard to the JVM, but maybe JCE restrictions
// could trigger it
throw new IOException(e.toString(), e);
}
}
Example 8
| Source File: TestZkAclsWithHadoopAuth.java From lucene-solr with Apache License 2.0 | 5 votes |
|
private static String digest (String userName, String passwd) {
try {
return DigestAuthenticationProvider.generateDigest(userName+":"+passwd);
} catch (NoSuchAlgorithmException ex) {
throw new RuntimeException(ex);
}
}
Example 9
| Source File: ZookeeperDataSourceTest.java From Sentinel-Dashboard-Nacos with Apache License 2.0 | 4 votes |
|
@Test
public void testZooKeeperDataSourceAuthorization() throws Exception {
TestingServer server = new TestingServer(21812);
server.start();
final String remoteAddress = server.getConnectString();
final String groupId = "sentinel-zk-ds-demo";
final String dataId = "flow-HK";
final String path = "/" + groupId + "/" + dataId;
final String scheme = "digest";
final String auth = "root:123456";
AuthInfo authInfo = new AuthInfo(scheme, auth.getBytes());
List<AuthInfo> authInfoList = Collections.singletonList(authInfo);
CuratorFramework zkClient = CuratorFrameworkFactory.builder().
connectString(remoteAddress).
retryPolicy(new ExponentialBackoffRetry(3, 100)).
authorization(authInfoList).
build();
zkClient.start();
Stat stat = zkClient.checkExists().forPath(path);
if (stat == null) {
ACL acl = new ACL(ZooDefs.Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(auth)));
zkClient.create().creatingParentContainersIfNeeded().withACL(Collections.singletonList(acl)).forPath(path, null);
}
ReadableDataSource<String, List<FlowRule>> flowRuleDataSource = new ZookeeperDataSource<List<FlowRule>>(remoteAddress,
authInfoList, groupId, dataId,
new Converter<String, List<FlowRule>>() {
@Override
public List<FlowRule> convert(String source) {
return JSON.parseObject(source, new TypeReference<List<FlowRule>>() {
});
}
});
FlowRuleManager.register2Property(flowRuleDataSource.getProperty());
final String resourceName = "HK";
publishThenTestFor(zkClient, path, resourceName, 10);
publishThenTestFor(zkClient, path, resourceName, 15);
zkClient.close();
server.stop();
}
Example 10
| Source File: ZookeeperDataSourceTest.java From Sentinel with Apache License 2.0 | 4 votes |
|
@Test
public void testZooKeeperDataSourceAuthorization() throws Exception {
TestingServer server = new TestingServer(21812);
server.start();
final String remoteAddress = server.getConnectString();
final String groupId = "sentinel-zk-ds-demo";
final String dataId = "flow-HK";
final String path = "/" + groupId + "/" + dataId;
final String scheme = "digest";
final String auth = "root:123456";
AuthInfo authInfo = new AuthInfo(scheme, auth.getBytes());
List<AuthInfo> authInfoList = Collections.singletonList(authInfo);
CuratorFramework zkClient = CuratorFrameworkFactory.builder().
connectString(remoteAddress).
retryPolicy(new ExponentialBackoffRetry(3, 100)).
authorization(authInfoList).
build();
zkClient.start();
Stat stat = zkClient.checkExists().forPath(path);
if (stat == null) {
ACL acl = new ACL(ZooDefs.Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(auth)));
zkClient.create().creatingParentContainersIfNeeded().withACL(Collections.singletonList(acl)).forPath(path, null);
}
ReadableDataSource<String, List<FlowRule>> flowRuleDataSource = new ZookeeperDataSource<List<FlowRule>>(remoteAddress,
authInfoList, groupId, dataId,
new Converter<String, List<FlowRule>>() {
@Override
public List<FlowRule> convert(String source) {
return JSON.parseObject(source, new TypeReference<List<FlowRule>>() {
});
}
});
FlowRuleManager.register2Property(flowRuleDataSource.getProperty());
final String resourceName = "HK";
publishThenTestFor(zkClient, path, resourceName, 10);
publishThenTestFor(zkClient, path, resourceName, 15);
zkClient.close();
server.stop();
}
Example 11
| Source File: TestZKDelegationTokenSecretManager.java From hadoop with Apache License 2.0 | 4 votes |
|
@Test
public void testACLs() throws Exception {
DelegationTokenManager tm1;
String connectString = zkServer.getConnectString();
Configuration conf = getSecretConf(connectString);
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
String userPass = "myuser:mypass";
final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest",
DigestAuthenticationProvider.generateDigest(userPass)));
ACLProvider digestAclProvider = new ACLProvider() {
@Override
public List<ACL> getAclForPath(String path) { return getDefaultAcl(); }
@Override
public List<ACL> getDefaultAcl() {
List<ACL> ret = new ArrayList<ACL>();
ret.add(digestACL);
return ret;
}
};
CuratorFramework curatorFramework =
CuratorFrameworkFactory.builder()
.connectString(connectString)
.retryPolicy(retryPolicy)
.aclProvider(digestAclProvider)
.authorization("digest", userPass.getBytes("UTF-8"))
.build();
curatorFramework.start();
ZKDelegationTokenSecretManager.setCurator(curatorFramework);
tm1 = new DelegationTokenManager(conf, new Text("bla"));
tm1.init();
// check ACL
String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
verifyACL(curatorFramework, "/" + workingPath, digestACL);
tm1.destroy();
ZKDelegationTokenSecretManager.setCurator(null);
curatorFramework.close();
}
Example 12
| Source File: ZKClientTest.java From twill with Apache License 2.0 | 4 votes |
|
@Test
public void testACL() throws IOException, ExecutionException, InterruptedException, NoSuchAlgorithmException {
InMemoryZKServer zkServer = InMemoryZKServer.builder().setDataDir(tmpFolder.newFolder()).setTickTime(1000).build();
zkServer.startAndWait();
try {
String userPass = "user:pass";
String digest = DigestAuthenticationProvider.generateDigest(userPass);
// Creates two zkclients
ZKClientService zkClient = ZKClientService.Builder
.of(zkServer.getConnectionStr())
.addAuthInfo("digest", userPass.getBytes())
.build();
zkClient.startAndWait();
ZKClientService noAuthClient = ZKClientService.Builder.of(zkServer.getConnectionStr()).build();
noAuthClient.startAndWait();
// Create a node that is readable by all client, but admin for the creator
String path = "/testacl";
zkClient.create(path, "test".getBytes(), CreateMode.PERSISTENT,
ImmutableList.of(
new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE),
new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS)
)).get();
// Verify the ACL
ACLData aclData = zkClient.getACL(path).get();
Assert.assertEquals(2, aclData.getACL().size());
ACL acl = aclData.getACL().get(1);
Assert.assertEquals(ZooDefs.Perms.ALL, acl.getPerms());
Assert.assertEquals("digest", acl.getId().getScheme());
Assert.assertEquals(digest, acl.getId().getId());
Assert.assertArrayEquals("test".getBytes(), noAuthClient.getData(path).get().getData());
// When tries to write using the no-auth zk client, it should fail.
try {
noAuthClient.setData(path, "test2".getBytes()).get();
Assert.fail();
} catch (ExecutionException e) {
Assert.assertTrue(e.getCause() instanceof KeeperException.NoAuthException);
}
// Change ACL to make it open for all
zkClient.setACL(path, ImmutableList.of(new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE))).get();
// Write again with the non-auth client, now should succeed.
noAuthClient.setData(path, "test2".getBytes()).get();
noAuthClient.stopAndWait();
zkClient.stopAndWait();
} finally {
zkServer.stopAndWait();
}
}
Example 13
| Source File: TestZKDelegationTokenSecretManager.java From big-c with Apache License 2.0 | 4 votes |
|
@Test
public void testACLs() throws Exception {
DelegationTokenManager tm1;
String connectString = zkServer.getConnectString();
Configuration conf = getSecretConf(connectString);
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
String userPass = "myuser:mypass";
final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest",
DigestAuthenticationProvider.generateDigest(userPass)));
ACLProvider digestAclProvider = new ACLProvider() {
@Override
public List<ACL> getAclForPath(String path) { return getDefaultAcl(); }
@Override
public List<ACL> getDefaultAcl() {
List<ACL> ret = new ArrayList<ACL>();
ret.add(digestACL);
return ret;
}
};
CuratorFramework curatorFramework =
CuratorFrameworkFactory.builder()
.connectString(connectString)
.retryPolicy(retryPolicy)
.aclProvider(digestAclProvider)
.authorization("digest", userPass.getBytes("UTF-8"))
.build();
curatorFramework.start();
ZKDelegationTokenSecretManager.setCurator(curatorFramework);
tm1 = new DelegationTokenManager(conf, new Text("bla"));
tm1.init();
// check ACL
String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
verifyACL(curatorFramework, "/" + workingPath, digestACL);
tm1.destroy();
ZKDelegationTokenSecretManager.setCurator(null);
curatorFramework.close();
}
Example 14
| Source File: SolrZkClientTest.java From lucene-solr with Apache License 2.0 | 4 votes |
|
@Override
public void setUp() throws Exception {
super.setUp();
configureCluster(1)
.addConfig("_default", new File(ExternalPaths.DEFAULT_CONFIGSET).toPath())
.configure();
solrClient = getCloudSolrClient(cluster.getZkServer().getZkAddress());
final String SCHEME = "digest";
final String AUTH = "user:pass";
Path zkDir = createTempDir();
log.info("ZooKeeper dataDir:{}", zkDir);
zkServer = new ZkTestServer(zkDir);
zkServer.run();
try (SolrZkClient client = new SolrZkClient(zkServer.getZkHost(), AbstractZkTestCase.TIMEOUT)) {
// Set up chroot
client.makePath("/solr", false, true);
}
defaultClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
defaultClient.makePath(PATH, true);
aclClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT) {
@Override
protected ZkACLProvider createZkACLProvider() {
return new DefaultZkACLProvider() {
@Override
protected List<ACL> createGlobalACLsToAdd() {
try {
Id id = new Id(SCHEME, DigestAuthenticationProvider.generateDigest(AUTH));
return Collections.singletonList(new ACL(ZooDefs.Perms.ALL, id));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
};
}
};
credentialsClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT) {
@Override
protected ZkCredentialsProvider createZkCredentialsToAddAutomatically() {
return new DefaultZkCredentialsProvider() {
@Override
protected Collection<ZkCredentials> createCredentials() {
return Collections.singleton(new ZkCredentials(SCHEME, AUTH.getBytes(StandardCharsets.UTF_8)));
}
};
}
};
}
