org.apache.curator.framework.AuthInfo Java Examples

@VisibleForTesting
void enhanceBuilderWithSecurityParameters(HAConfiguration.ZookeeperProperties zookeeperProperties,
                                          CuratorFrameworkFactory.Builder builder) {

    ACLProvider aclProvider = getAclProvider(zookeeperProperties);

    AuthInfo authInfo = null;
    if (zookeeperProperties.hasAuth()) {
        authInfo = AtlasZookeeperSecurityProperties.parseAuth(zookeeperProperties.getAuth());
    }

    if (aclProvider != null) {
        LOG.info("Setting up acl provider.");
        builder.aclProvider(aclProvider);
        if (authInfo != null) {
            byte[] auth = authInfo.getAuth();
            LOG.info("Setting up auth provider with scheme: {} and id: {}", authInfo.getScheme(),
                    getIdForLogging(authInfo.getScheme(), new String(auth, Charsets.UTF_8)));
            builder.authorization(authInfo.getScheme(), auth);
        }
    }
}
 

@VisibleForTesting
void enhanceBuilderWithSecurityParameters(HAConfiguration.ZookeeperProperties zookeeperProperties,
                                          CuratorFrameworkFactory.Builder builder) {

    ACLProvider aclProvider = getAclProvider(zookeeperProperties);

    AuthInfo authInfo = null;
    if (zookeeperProperties.hasAuth()) {
        authInfo = AtlasZookeeperSecurityProperties.parseAuth(zookeeperProperties.getAuth());
    }

    if (aclProvider != null) {
        LOG.info("Setting up acl provider.");
        builder.aclProvider(aclProvider);
        if (authInfo != null) {
            byte[] auth = authInfo.getAuth();
            LOG.info("Setting up auth provider with scheme: {} and id: {}", authInfo.getScheme(),
                    getIdForLogging(authInfo.getScheme(), new String(auth, Charsets.UTF_8)));
            builder.authorization(authInfo.getScheme(), auth);
        }
    }
}
 

@Override
public CuratorFramework newClient(String connectString,
                                  int sessionTimeoutMs,
                                  int connectionTimeoutMs,
                                  RetryPolicy retryPolicy,
                                  final ACLProvider aclProvider,
                                  final List<AuthInfo> authorization) {
  final Builder builder = CuratorFrameworkFactory.builder()
      .connectString(connectString)
      .sessionTimeoutMs(sessionTimeoutMs)
      .connectionTimeoutMs(connectionTimeoutMs)
      .retryPolicy(retryPolicy);

  if (aclProvider != null) {
    builder.aclProvider(aclProvider);
  }

  if (authorization != null && !authorization.isEmpty()) {
    builder.authorization(authorization);
  }

  return builder.build();
}
 

/**
 * build auth info
 *
 * @return
 */
private List<AuthInfo> buildAuthInfo(RegistryConfig registryConfig) {
    List<AuthInfo> info = new ArrayList<AuthInfo>();

    String scheme = registryConfig.getParameter("scheme");

    //addAuth=user1:password1,user2:password2
    String addAuth = registryConfig.getParameter("addAuth");

    if (!StringUtils.isEmpty(addAuth)) {
        String[] authList = addAuth.split(",");
        for (String singleAuthInfo : authList) {
            info.add(new AuthInfo(scheme, singleAuthInfo.getBytes()));
        }
    }
    return info;
}
 

private ZookeeperFactory makeZookeeperFactory(final ZookeeperFactory actualZookeeperFactory)
{
    return new ZookeeperFactory()
    {
        @Override
        public ZooKeeper newZooKeeper(String connectString, int sessionTimeout, Watcher watcher, boolean canBeReadOnly) throws Exception
        {
            ZooKeeper zooKeeper = actualZookeeperFactory.newZooKeeper(connectString, sessionTimeout, watcher, canBeReadOnly);
            for ( AuthInfo auth : authInfos )
            {
                zooKeeper.addAuthInfo(auth.getScheme(), auth.getAuth());
            }

            return zooKeeper;
        }
    };
}
 

/**
 * 创建认证信息
 *
 * @return
 */
private List<AuthInfo> buildAuthInfo(Map<String, String> authMap) {
    List<AuthInfo> info = new ArrayList<AuthInfo>();

    String scheme = authMap.get("scheme");

    //如果存在多个认证信息，则在参数形式为为addAuth=user1:paasswd1,user2:passwd2
    String addAuth = authMap.get("addAuth");

    if (StringUtils.isNotEmpty(addAuth)) {
        String[] addAuths = addAuth.split(",");
        for (String singleAuthInfo : addAuths) {
            info.add(new AuthInfo(scheme, singleAuthInfo.getBytes()));
        }
    }

    return info;
}
 

/**
 * 创建认证信息
 * @return
 */
private List<AuthInfo> buildAuthInfo() {
    List<AuthInfo> info = new ArrayList<AuthInfo>();

    String scheme = registryConfig.getParameter("scheme");

    //如果存在多个认证信息，则在参数形式为为addAuth=user1:paasswd1,user2:passwd2
    String addAuth = registryConfig.getParameter("addAuth");

    if (StringUtils.isNotEmpty(addAuth)) {
        String[] addAuths = addAuth.split(",");
        for (String singleAuthInfo : addAuths) {
            info.add(new AuthInfo(scheme, singleAuthInfo.getBytes()));
        }
    }

    return info;
}
 

private ZookeeperFactory makeZookeeperFactory(final ZookeeperFactory actualZookeeperFactory)
{
    return new ZookeeperFactory()
    {
        @Override
        public ZooKeeper newZooKeeper(String connectString, int sessionTimeout, Watcher watcher, boolean canBeReadOnly) throws Exception
        {
            ZooKeeper zooKeeper = actualZookeeperFactory.newZooKeeper(connectString, sessionTimeout, watcher, canBeReadOnly);
            for ( AuthInfo auth : authInfos )
            {
                zooKeeper.addAuthInfo(auth.getScheme(), auth.getAuth());
            }

            return zooKeeper;
        }
    };
}
 

private String getAuthInfosKey(List<AuthInfo> authInfos) {
    StringBuilder builder = new StringBuilder(32);
    for (AuthInfo authInfo : authInfos) {
        if (authInfo == null) {
            builder.append("{}");
        } else {
            builder.append("{" + "sc=" + authInfo.getScheme() + ",au=" + Arrays.toString(authInfo.getAuth()) + "}");
        }
    }
    return builder.toString();
}
 

private List<AuthInfo> createAuthInfo(SolrZkClient zkClient) {
  List<AuthInfo> ret = new LinkedList<AuthInfo>();

  // In theory the credentials to add could change here if zookeeper hasn't been initialized
  ZkCredentialsProvider credentialsProvider =
    zkClient.getZkClientConnectionStrategy().getZkCredentialsToAddAutomatically();
  for (ZkCredentialsProvider.ZkCredentials zkCredentials : credentialsProvider.getCredentials()) {
    ret.add(new AuthInfo(zkCredentials.getScheme(), zkCredentials.getAuth()));
  }
  return ret;
}
 

private List<AuthInfo> createAuthInfo(SolrZkClient zkClient) {
  List<AuthInfo> ret = new LinkedList<AuthInfo>();

  // In theory the credentials to add could change here if zookeeper hasn't been initialized
  ZkCredentialsProvider credentialsProvider =
    zkClient.getZkClientConnectionStrategy().getZkCredentialsToAddAutomatically();
  for (ZkCredentialsProvider.ZkCredentials zkCredentials : credentialsProvider.getCredentials()) {
    ret.add(new AuthInfo(zkCredentials.getScheme(), zkCredentials.getAuth()));
  }
  return ret;
}
 

@Override
protected CuratorFramework createInstance() throws Exception {
    String connectionString = resolveConnectionString();
    if(connectionString==null) {
        throw new IllegalArgumentException("Cannot resolve zookeeper connection string");
    }

    RetryPolicy retryPolicy = new ExponentialBackoffRetry(baseSleepTime, maxRetries);
    Builder curatorFrameworkBuilder = CuratorFrameworkFactory.builder()
        .connectString(connectionString)
        .retryPolicy(retryPolicy)
        .canBeReadOnly(canReadOnly);        
    
    String credentialString = resolveCredentialString();
    if(credentialString!=null) {
          String[] credentials = StringUtils.tokenizeToStringArray(credentialString, STRING_ARRAY_SEPARATOR);
          
          List<AuthInfo> authList = new ArrayList<AuthInfo>();
          for(String cred : credentials){
              String[] aclId = cred.split(":");
              String passwd = new String(Base64.decodeBase64(aclId[1].trim()),"UTF-8");
              authList.add(new AuthInfo(
                  SCHEME_DIGEST, 
                  String.format("%s:%s", aclId[0].trim(), passwd).getBytes()));    
          }
          
          if(!authList.isEmpty()) {
              curatorFrameworkBuilder.authorization(authList);
          }
    }
    
    CuratorFramework client = curatorFrameworkBuilder.build();
    client.start();
    
    return client;
}
 

@Bean
public List<AuthInfo> authInfo() {
    String username = env.getProperty("rpc.client.zookeeper.username");
    String password = env.getProperty("rpc.client.zookeeper.password");
    List<AuthInfo> info = new ArrayList<AuthInfo>();
    info.add(new DigestAuthInfo(username, password));
    return info;
}
 

public List<AuthInfo> authInfo() {
	String username = env.getProperty("rpc.server.zookeeper.username");
	String password = env.getProperty("rpc.server.zookeeper.password");
	List<AuthInfo> info = new ArrayList<AuthInfo>();
	info.add(new DigestAuthInfo(username, password));
	return info;
}
 

public List<AuthInfo> authInfo() {
    String username = env.getProperty("rpc.client.zookeeper.username");
    String password = env.getProperty("rpc.client.zookeeper.password");
    List<AuthInfo> info = new ArrayList<AuthInfo>();
    info.add(new DigestAuthInfo(username, password));
    return info;
}
 

protected void createPathWithAuth() {
    RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
    CuratorFrameworkFactory.Builder zkClientuilder = CuratorFrameworkFactory.builder()
        .connectString("127.0.0.1:2181")
        .sessionTimeoutMs(20000 * 3)
        .connectionTimeoutMs(20000)
        .canBeReadOnly(false)
        .retryPolicy(retryPolicy)
        .defaultData(null);

    //是否需要添加zk的认证信息
    Map authMap = new HashMap<String, String>();
    authMap.put("scheme", "digest");
    //如果存在多个认证信息，则在参数形式为为user1:passwd1,user2:passwd2
    authMap.put("addAuth", "sofazk:rpc1");

    List<AuthInfo> authInfos = buildAuthInfo(authMap);
    if (CommonUtils.isNotEmpty(authInfos)) {
        zkClientuilder = zkClientuilder.aclProvider(getDefaultAclProvider())
            .authorization(authInfos);
    }

    try {
        zkClient = zkClientuilder.build();
        zkClient.start();
        zkClient.create().withMode(CreateMode.PERSISTENT).forPath("/authtest");
    } catch (Exception e) {
        Assert.fail(e.getMessage());
    }
}
 

private List<AuthInfo> buildAuths(CuratorFrameworkFactory.Builder builder)
{
    ImmutableList.Builder<AuthInfo> builder1 = ImmutableList.builder();
    if ( builder.getAuthInfos() != null )
    {
        builder1.addAll(builder.getAuthInfos());
    }
    return builder1.build();
}
 

private String getZkKey(final String serverAddr, final List<AuthInfo> authInfos) {
    if (authInfos == null || authInfos.size() == 0) {
        return serverAddr;
    }
    StringBuilder builder = new StringBuilder(64);
    builder.append(serverAddr).append(getAuthInfosKey(authInfos));
    return builder.toString();
}
 

@Override
public CuratorFramework newClient(final String connectString, final int sessionTimeoutMs,
                                  final int connectionTimeoutMs, final RetryPolicy retryPolicy,
                                  final ACLProvider aclProvider,
                                  final List<AuthInfo> authorization) {
  final CuratorFramework curator = mock(CuratorFramework.class);

  final RetryLoop retryLoop = mock(RetryLoop.class);
  when(retryLoop.shouldContinue()).thenReturn(false);

  final CuratorZookeeperClient czkClient = mock(CuratorZookeeperClient.class);
  when(czkClient.newRetryLoop()).thenReturn(retryLoop);

  when(curator.getZookeeperClient()).thenReturn(czkClient);

  @SuppressWarnings("unchecked") final Listenable<ConnectionStateListener> mockListener =
      (Listenable<ConnectionStateListener>) mock(Listenable.class);

  when(curator.getConnectionStateListenable()).thenReturn(mockListener);

  final GetChildrenBuilder builder = mock(GetChildrenBuilder.class);
  when(curator.getChildren()).thenReturn(builder);

  try {
    when(builder.forPath(anyString())).thenThrow(
        new KeeperException.ConnectionLossException());
  } catch (Exception ignored) {
    // never throws
  }
  when(curator.newNamespaceAwareEnsurePath(anyString())).thenReturn(mock(EnsurePath.class));

  return curator;
}
 

static void initializeAcl(final String zooKeeperConnectionString,
                          final String zooKeeperClusterId,
                          final String masterUser,
                          final String masterPassword,
                          final String agentUser,
                          final String agentPassword)
    throws KeeperException {
  final ACLProvider aclProvider = heliosAclProvider(
      masterUser, digest(masterUser, masterPassword),
      agentUser, digest(agentUser, agentPassword));
  final List<AuthInfo> authorization = Lists.newArrayList(new AuthInfo(
      "digest", String.format("%s:%s", masterUser, masterPassword).getBytes()));

  final RetryPolicy zooKeeperRetryPolicy = new ExponentialBackoffRetry(1000, 3);
  final CuratorFramework curator = new CuratorClientFactoryImpl().newClient(
      zooKeeperConnectionString,
      (int) TimeUnit.SECONDS.toMillis(60),
      (int) TimeUnit.SECONDS.toMillis(15),
      zooKeeperRetryPolicy,
      aclProvider,
      authorization);

  final ZooKeeperClient client = new DefaultZooKeeperClient(curator, zooKeeperClusterId);
  try {
    client.start();
    initializeAclRecursive(client, "/", aclProvider);
  } finally {
    client.close();
  }
}
 

/**
 * This constructor adds authentication information.
 */
public ZookeeperDataSource(final String serverAddr, final List<AuthInfo> authInfos, final String groupId, final String dataId,
                           Converter<String, T> parser) {
    super(parser);
    if (StringUtil.isBlank(serverAddr) || StringUtil.isBlank(groupId) || StringUtil.isBlank(dataId)) {
        throw new IllegalArgumentException(String.format("Bad argument: serverAddr=[%s], authInfos=[%s], groupId=[%s], dataId=[%s]", serverAddr, authInfos, groupId, dataId));
    }
    this.path = getPath(groupId, dataId);

    init(serverAddr, authInfos);
}
 

private List<AuthInfo> buildAuths(CuratorFrameworkFactory.Builder builder)
{
    ImmutableList.Builder<AuthInfo> builder1 = ImmutableList.builder();
    if ( builder.getAuthInfos() != null )
    {
        builder1.addAll(builder.getAuthInfos());
    }
    return builder1.build();
}
 

private String getAuthInfosKey(List<AuthInfo> authInfos) {
    StringBuilder builder = new StringBuilder(32);
    for (AuthInfo authInfo : authInfos) {
        if (authInfo == null) {
            builder.append("{}");
        } else {
            builder.append("{" + "sc=" + authInfo.getScheme() + ",au=" + Arrays.toString(authInfo.getAuth()) + "}");
        }
    }
    return builder.toString();
}
 

private String getZkKey(final String serverAddr, final List<AuthInfo> authInfos) {
    if (authInfos == null || authInfos.size() == 0) {
        return serverAddr;
    }
    StringBuilder builder = new StringBuilder(64);
    builder.append(serverAddr).append(getAuthInfosKey(authInfos));
    return builder.toString();
}
 

/**
 * This constructor adds authentication information.
 */
public ZookeeperDataSource(final String serverAddr, final List<AuthInfo> authInfos, final String groupId, final String dataId,
                           Converter<String, T> parser) {
    super(parser);
    if (StringUtil.isBlank(serverAddr) || StringUtil.isBlank(groupId) || StringUtil.isBlank(dataId)) {
        throw new IllegalArgumentException(String.format("Bad argument: serverAddr=[%s], authInfos=[%s], groupId=[%s], dataId=[%s]", serverAddr, authInfos, groupId, dataId));
    }
    this.path = getPath(groupId, dataId);

    init(serverAddr, authInfos);
}
 

/**
 * Create a Zookeeper client and create the control and state nodes if needed.
 *
 * @param config The service configuration.
 *
 * @return A zookeeper client.
 */
private ZooKeeperClient setupZookeeperClient(final MasterConfig config) {
  ACLProvider aclProvider = null;
  List<AuthInfo> authorization = null;

  final String masterUser = config.getZookeeperAclMasterUser();
  final String masterPassword = config.getZooKeeperAclMasterPassword();
  final String agentUser = config.getZookeeperAclAgentUser();
  final String agentDigest = config.getZooKeeperAclAgentDigest();

  if (!isNullOrEmpty(masterPassword)) {
    if (isNullOrEmpty(masterUser)) {
      throw new HeliosRuntimeException(
          "Master username must be set if a password is set");
    }

    authorization = Lists.newArrayList(new AuthInfo(
        "digest", String.format("%s:%s", masterUser, masterPassword).getBytes()));
  }

  if (config.isZooKeeperEnableAcls()) {
    if (isNullOrEmpty(masterUser) || isNullOrEmpty(masterPassword)) {
      throw new HeliosRuntimeException(
          "ZooKeeper ACLs enabled but master username and/or password not set");
    }

    if (isNullOrEmpty(agentUser) || isNullOrEmpty(agentDigest)) {
      throw new HeliosRuntimeException(
          "ZooKeeper ACLs enabled but agent username and/or digest not set");
    }

    aclProvider = heliosAclProvider(
        masterUser, digest(masterUser, masterPassword),
        agentUser, agentDigest);
  }

  final RetryPolicy zooKeeperRetryPolicy = new ExponentialBackoffRetry(1000, 3);
  final CuratorFramework curator = curatorClientFactory.newClient(
      config.getZooKeeperConnectionString(),
      config.getZooKeeperSessionTimeoutMillis(),
      config.getZooKeeperConnectionTimeoutMillis(),
      zooKeeperRetryPolicy,
      aclProvider,
      authorization);
  final ZooKeeperClient client =
      new DefaultZooKeeperClient(curator, config.getZooKeeperClusterId());
  client.start();
  zkRegistrar = ZooKeeperRegistrarService.newBuilder()
      .setZooKeeperClient(client)
      .setZooKeeperRegistrar(new MasterZooKeeperRegistrar(config.getName()))
      .build();

  // TODO: This is perhaps not the correct place to do this - but at present it's the only
  // place where we have access to the ACL provider.
  if (aclProvider != null) {
    // Set ACLs on the ZK root, if they aren't already set correctly.
    // This is handy since it avoids having to manually do this operation when setting up
    // a new ZK cluster.
    // Note that this is slightly racey -- if two masters start at the same time both might
    // attempt to update the ACLs but only one will succeed. That said, it's unlikely and the
    // effects are limited to a spurious log line.
    try {
      final List<ACL> curAcls = client.getAcl("/");
      final List<ACL> wantedAcls = aclProvider.getAclForPath("/");
      if (!Sets.newHashSet(curAcls).equals(Sets.newHashSet(wantedAcls))) {
        log.info(
            "Current ACL's on the zookeeper root node differ from desired, updating: {} -> {}",
            curAcls, wantedAcls);
        client.getCuratorFramework().setACL().withACL(wantedAcls).forPath("/");
      }
    } catch (Exception e) {
      log.error("Failed to get/set ACLs on the zookeeper root node", e);
    }
  }

  return client;
}
 

@Test
public void shouldGetAuth() {
    AuthInfo authInfo = AtlasZookeeperSecurityProperties.parseAuth("digest:user:password");
    assertEquals(authInfo.getScheme(), "digest");
    assertEquals(authInfo.getAuth(), "user:password".getBytes(Charsets.UTF_8));
}
 

public CuratorFramework newClient(String connectString,
int sessionTimeoutMs,
int connectionTimeoutMs,
RetryPolicy retryPolicy,
ACLProvider aclProvider,
List<AuthInfo> authorization);
 

/**
 * Create a Zookeeper client and create the control and state nodes if needed.
 *
 * @param config The service configuration.
 *
 * @return A zookeeper client.
 */
private ZooKeeperClient setupZookeeperClient(final AgentConfig config, final String id,
                                             final CountDownLatch zkRegistrationSignal) {
  ACLProvider aclProvider = null;
  List<AuthInfo> authorization = null;

  final String agentUser = config.getZookeeperAclAgentUser();
  final String agentPassword = config.getZooKeeperAclAgentPassword();
  final String masterUser = config.getZookeeperAclMasterUser();
  final String masterDigest = config.getZooKeeperAclMasterDigest();

  if (!isNullOrEmpty(agentPassword)) {
    if (isNullOrEmpty(agentUser)) {
      throw new HeliosRuntimeException(
          "Agent username must be set if a password is set");
    }

    authorization = Lists.newArrayList(new AuthInfo(
        "digest", String.format("%s:%s", agentUser, agentPassword).getBytes()));
  }

  if (config.isZooKeeperEnableAcls()) {
    if (isNullOrEmpty(agentUser) || isNullOrEmpty(agentPassword)) {
      throw new HeliosRuntimeException(
          "ZooKeeper ACLs enabled but agent username and/or password not set");
    }

    if (isNullOrEmpty(masterUser) || isNullOrEmpty(masterDigest)) {
      throw new HeliosRuntimeException(
          "ZooKeeper ACLs enabled but master username and/or digest not set");
    }

    aclProvider = heliosAclProvider(
        masterUser, masterDigest,
        agentUser, digest(agentUser, agentPassword));
  }

  final RetryPolicy zooKeeperRetryPolicy = new ExponentialBackoffRetry(1000, 3);
  final CuratorFramework curator = new CuratorClientFactoryImpl().newClient(
      config.getZooKeeperConnectionString(),
      config.getZooKeeperSessionTimeoutMillis(),
      config.getZooKeeperConnectionTimeoutMillis(),
      zooKeeperRetryPolicy,
      aclProvider,
      authorization);

  final ZooKeeperClient client = new DefaultZooKeeperClient(curator,
      config.getZooKeeperClusterId());
  client.start();

  // Register the agent
  final AgentZooKeeperRegistrar agentZooKeeperRegistrar = new AgentZooKeeperRegistrar(
      config.getName(), id, config.getZooKeeperRegistrationTtlMinutes(), new SystemClock());
  zkRegistrar = ZooKeeperRegistrarService.newBuilder()
      .setZooKeeperClient(client)
      .setZooKeeperRegistrar(agentZooKeeperRegistrar)
      .setZkRegistrationSignal(zkRegistrationSignal)
      .build();

  return client;
}
 

@Test
public void shouldGetAuth() {
    AuthInfo authInfo = AtlasZookeeperSecurityProperties.parseAuth("digest:user:password");
    assertEquals(authInfo.getScheme(), "digest");
    assertEquals(authInfo.getAuth(), "user:password".getBytes(Charsets.UTF_8));
}