org.apache.zookeeper.data.ACL Java Examples

/**
 * Get ACLs from a property (get the value then parse and transform it as ACL objects)
 * @param properties key/value pairs that needs to be parsed as ACLs
 * @return list of ACLs
 */
public static List<ACL> getAcls(Map<String, String> properties) {
  String aclStr = properties.get(ZK_ACLS_PROPERTY);
  if (StringUtils.isBlank(aclStr)) {
    return ZooDefs.Ids.OPEN_ACL_UNSAFE;
  }

  List<ACL> acls = new ArrayList<>();
  List<String> aclStrList = Splitter.on(",").omitEmptyStrings().trimResults().splitToList(aclStr);
  for (String unparcedAcl : aclStrList) {
    String[] parts = unparcedAcl.split(":");
    if (parts.length == 3) {
      acls.add(new ACL(parsePermission(parts[2]), new Id(parts[0], parts[1])));
    }
  }
  return acls;
}
 

/**
 * 创建节点
 *
 * @param instanceId 实例id
 * @param host       zk ip
 * @param port       zk port
 * @param path       路径
 * @param data       新数据
 * @param acl        节点acl
 * @param createMode 节点模式
 */
public void createNode(int instanceId, String host, int port, String path, byte[] data, List<ACL> acl, CreateMode createMode) {
    CuratorFramework zkClient = getZookeeper(instanceId, host, port);
    if (zkClient == null) {
        return;
    }
    try {
        zkClient.create().
                creatingParentsIfNeeded().
                withMode(createMode).
                withACL(acl).
                forPath(path, data);
    } catch (Exception e) {
        LOGGER.warn("Create node in zk {}:{} error, path is {}.", host, port, path, e);
    }
}
 

/**
 * Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
 * ZooKeeper access, construct the {@link ACL}s for the store's root node.
 * In the constructed {@link ACL}, all the users allowed by zkAcl are given
 * rwa access, while the current RM has exclude create-delete access.
 *
 * To be called only when HA is enabled and the configuration doesn't set ACL
 * for the root node.
 */
@VisibleForTesting
@Private
@Unstable
protected List<ACL> constructZkRootNodeACL(
    Configuration conf, List<ACL> sourceACLs) throws NoSuchAlgorithmException {
  List<ACL> zkRootNodeAcl = new ArrayList<ACL>();
  for (ACL acl : sourceACLs) {
    zkRootNodeAcl.add(new ACL(
        ZKUtil.removeSpecificPerms(acl.getPerms(), CREATE_DELETE_PERMS),
        acl.getId()));
  }

  zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
      YarnConfiguration.RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
  Id rmId = new Id(zkRootNodeAuthScheme,
      DigestAuthenticationProvider.generateDigest(
          zkRootNodeUsername + ":" + zkRootNodePassword));
  zkRootNodeAcl.add(new ACL(CREATE_DELETE_PERMS, rmId));
  return zkRootNodeAcl;
}
 

/**
 * Create a node with ACL.
 *
 * @param path
 * @param data
 * @param acl
 * @param mode
 * @return create node's path
 * @throws ZkInterruptedException
 *             if operation was interrupted, or a required reconnection got interrupted
 * @throws IllegalArgumentException
 *             if called from anything except the ZooKeeper event thread
 * @throws ZkException
 *             if any ZooKeeper exception occurred
 * @throws RuntimeException
 *             if any other exception occurs
 */
public String create(final String path, Object data, final List<ACL> acl, final CreateMode mode) {
    if (path == null) {
        throw new NullPointerException("Missing value for path");
    }
    if (acl == null || acl.size() == 0) {
        throw new NullPointerException("Missing value for ACL");
    }
    final byte[] bytes = data == null ? null : serialize(data);

    return retryUntilConnected(new Callable<String>() {
        @Override
        public String call() throws Exception {
            return _connection.create(path, bytes, acl, mode);
        }
    });

}
 

/**
 * Get the ACLs of a path
 * @param path path of operation
 * @return a possibly empty list of ACLs
 * @throws IOException
 */
public List<ACL> zkGetACLS(String path) throws IOException {
  checkServiceLive();
  String fullpath = createFullPath(path);
  List<ACL> acls;
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("GetACLS {}", fullpath);
    }
    acls = curator.getACL().forPath(fullpath);
  } catch (Exception e) {
    throw operationFailure(fullpath, "read()", e);
  }
  if (acls == null) {
    throw new PathNotFoundException(path);
  }
  return acls;
}
 

protected void assertOpenACLUnsafeAllover(SolrZkClient zkClient, String path, List<String> verifiedList) throws Exception {
  List<ACL> acls = zkClient.getSolrZooKeeper().getACL(path, new Stat());
  if (log.isInfoEnabled()) {
    log.info("Verifying {}", path);
  }
  if (ZooDefs.CONFIG_NODE.equals(path)) {
    // Treat this node specially, from the ZK docs:
    // The dynamic configuration is stored in a special znode ZooDefs.CONFIG_NODE = /zookeeper/config.
    // This node by default is read only for all users, except super user and
    // users that's explicitly configured for write access.
    assertEquals("Path " + path + " does not have READ_ACL_UNSAFE", ZooDefs.Ids.READ_ACL_UNSAFE, acls);
  } else {
    assertEquals("Path " + path + " does not have OPEN_ACL_UNSAFE", ZooDefs.Ids.OPEN_ACL_UNSAFE, acls);
  }
  verifiedList.add(path);
  List<String> children = zkClient.getChildren(path, null, false);
  for (String child : children) {
    assertOpenACLUnsafeAllover(zkClient, path + ((path.endsWith("/")) ? "" : "/") + child, verifiedList);
  }
}
 

@Override
public Stat forPath(String path) throws Exception
{
    String fixedPath = client.fixForNamespace(path);
    List<ACL> aclList = acling.getAclList(fixedPath);
    client.getSchemaSet().getSchema(path).validateGeneral(path, null, aclList);

    Stat        resultStat = null;
    if ( backgrounding.inBackground()  )
    {
        client.processBackgroundOperation(new OperationAndData<String>(this, fixedPath, backgrounding.getCallback(), null, backgrounding.getContext(), null), null);
    }
    else
    {
        resultStat = pathInForeground(fixedPath, aclList);
    }
    return resultStat;
}
 

/**
 * Synchronously create zookeeper path recursively and optimistically.
 *
 * @see #zkAsyncCreateFullPathOptimistic(ZooKeeperClient, String, byte[], List, CreateMode)
 * @param zkc Zookeeper client
 * @param path Zookeeper full path
 * @param data Zookeeper data
 * @param acl Acl of the zk path
 * @param createMode Create mode of zk path
 * @throws ZooKeeperClient.ZooKeeperConnectionException
 * @throws KeeperException
 * @throws InterruptedException
 */
public static void zkCreateFullPathOptimistic(
    ZooKeeperClient zkc,
    String path,
    byte[] data,
    final List<ACL> acl,
    final CreateMode createMode) throws IOException, KeeperException {
    try {
        FutureUtils.result(zkAsyncCreateFullPathOptimistic(zkc, path, data, acl, createMode));
    } catch (ZooKeeperClient.ZooKeeperConnectionException zkce) {
        throw zkce;
    } catch (KeeperException ke) {
        throw ke;
    } catch (InterruptedException ie) {
        throw new DLInterruptedException("Interrupted on create zookeeper path " + path, ie);
    } catch (RuntimeException rte) {
        throw rte;
    } catch (Exception exc) {
        throw new RuntimeException("Unexpected Exception", exc);
    }
}
 

public static List<ACL> getWorkerACL(Map conf) {
    // This is a work around to an issue with ZK where a sasl super user is not super unless there is an open SASL ACL
    // so we are trying to give the correct perms
    if (!isZkAuthenticationConfiguredTopology(conf)) {
        return null;
    }
    String stormZKUser = (String) conf.get(Config.STORM_ZOOKEEPER_SUPERACL);
    if (stormZKUser == null) {
        throw new IllegalArgumentException("Authentication is enabled but " + Config.STORM_ZOOKEEPER_SUPERACL + " is not set");
    }
    String[] split = stormZKUser.split(":", 2);
    if (split.length != 2) {
        throw new IllegalArgumentException(Config.STORM_ZOOKEEPER_SUPERACL +
                " does not appear to be in the form scheme:acl, i.e. sasl:storm-user");
    }
    ArrayList<ACL> ret = new ArrayList<>(ZooDefs.Ids.CREATOR_ALL_ACL);
    ret.add(new ACL(ZooDefs.Perms.ALL, new Id(split[0], split[1])));
    return ret;
}
 

/**
 *
 * @return
 */
public List<ACL> getCreateNodeAcls() {
    List<ACL> listAcls = new ArrayList<ACL>(3);
    try {
        Id id = new Id(PropertiesDynLoading.authScheme,
                DigestAuthenticationProvider.generateDigest(PropertiesDynLoading.accessKey));
        ACL acl = new ACL(Perms.CREATE, id);
        listAcls.add(acl);

    } catch (NoSuchAlgorithmException e) {

        e.printStackTrace();
        return Ids.OPEN_ACL_UNSAFE;
    }
    return listAcls;
}
 

private void connect() throws Exception {
    RetryPolicy retryPolicy = new RetryUntilElapsed(Integer.MAX_VALUE, 10);
    String userName = properties.getProperty(keys.userName.toString());
    String zkConnectString = properties.getProperty(keys.zkConnectString.toString());
    int zkSessionTimeout = Integer.parseInt(properties.getProperty(keys.zkSessionTimeout.toString()));
    int zkConnectionTimeout = Integer.parseInt(properties.getProperty(keys.zkConnectionTimeout.toString()));
    boolean isCheckParentPath = Boolean.parseBoolean(properties.getProperty(keys.isCheckParentPath.toString(), "true"));
    String authString = userName + ":" + properties.getProperty(keys.password.toString());
    acl.clear();
    acl.add(new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(authString))));
    acl.add(new ACL(ZooDefs.Perms.READ, Ids.ANYONE_ID_UNSAFE));
    log.info("----------------------------开始创建ZK连接----------------------------");
    log.info("zkConnectString:{}", zkConnectString);
    log.info("zkSessionTimeout:{}", zkSessionTimeout);
    log.info("zkConnectionTimeout:{}", zkConnectionTimeout);
    log.info("isCheckParentPath:{}", isCheckParentPath);
    log.info("userName:{}", userName);

    curator = CuratorFrameworkFactory.builder().connectString(zkConnectString)
            .sessionTimeoutMs(zkSessionTimeout)
            .connectionTimeoutMs(zkConnectionTimeout)
            .retryPolicy(retryPolicy).authorization("digest", authString.getBytes())
            .aclProvider(new ACLProvider() {
                @Override
                public List<ACL> getDefaultAcl() {
                    return ZooDefs.Ids.CREATOR_ALL_ACL;
                }

                @Override
                public List<ACL> getAclForPath(String path) {
                    return ZooDefs.Ids.CREATOR_ALL_ACL;
                }
            }).build();
    curator.start();
    log.info("----------------------------创建ZK连接成功----------------------------");
    this.isCheckParentPath = isCheckParentPath;
}
 

public static List<ACL> getZKAcls() throws Exception {
    // Parse ACLs from configuration.
    String zkAclConf = KylinConfig.getInstanceFromEnv().getZKAcls();
    try {
        zkAclConf = ZKUtil.resolveConfIndirection(zkAclConf);
        return ZKUtil.parseACLs(zkAclConf);
    } catch (Exception e) {
        logger.error("Couldn't read ACLs based on 'kylin.env.zookeeper.zk-acl' in kylin.properties");
        throw e;
    }
}
 

/**
 * Returns path of created node
 */
public String create(final String path, final byte[] data,
    final CreateMode createMode, boolean retryOnConnLoss) throws KeeperException,
    InterruptedException {
  if (retryOnConnLoss) {
    return zkCmdExecutor.retryOperation(() -> keeper.create(path, data, zkACLProvider.getACLsToAdd(path),
        createMode));
  } else {
    List<ACL> acls = zkACLProvider.getACLsToAdd(path);
    return keeper.create(path, data, acls, createMode);
  }
}
 

private String protectedPathInForeground(String adjustedPath, byte[] data, List<ACL> aclList) throws Exception
{
    try
    {
        return pathInForeground(adjustedPath, data, aclList);
    }
    catch ( Exception e)
    {
        ThreadUtils.checkInterrupted(e);
        if ( ( e instanceof KeeperException.ConnectionLossException ||
            !( e instanceof KeeperException )) && protectedMode.doProtected() )
        {
            /*
             * CURATOR-45 + CURATOR-79: we don't know if the create operation was successful or not,
             * register the znode to be sure it is deleted later.
             */
            new FindAndDeleteProtectedNodeInBackground(client, ZKPaths.getPathAndNode(adjustedPath).getPath(), protectedMode.protectedId()).execute();
            /*
             * The current UUID is scheduled to be deleted, it is not safe to use it again.
             * If this builder is used again later create a new UUID
             */
            protectedMode.resetProtectedId();
        }

        throw e;
    }
}
 

@Override
public Zk create(String path, byte[] data, List<ACL> acls, CreateMode createMode, Handler<AsyncResult<Void>> handler) {
    workerPool().executeBlocking(
        future -> {
            try {
                zookeeper.create(path, data == null ? new byte[0] : data, acls, createMode);
                future.complete();
            } catch (Throwable t) {
                future.fail(t);
            }
        },
        handler);
    return this;
}
 

@Test
public void testCreateClusterPaths() throws Exception {
  when(zk.create(anyString(), any(byte[].class), anyListOf(ACL.class), any(CreateMode.class)))
      .thenReturn("");
  ArgumentCaptor<String> pathCaptor = ArgumentCaptor.forClass(String.class);
  zkManager.createClusterPaths();

  verify(zk, times(3)).create(pathCaptor.capture(), any(byte[].class), anyListOf(ACL.class),
      any(CreateMode.class));
  Set<String> allPaths = Sets.newHashSet(pathCaptor.getAllValues());
  assertTrue(allPaths.contains(FILE_SET_DIR));
  assertTrue(allPaths.contains(VIEWS_DIR));
  assertTrue(allPaths.contains(LOCKS_DIR));
}
 

/**
 * Recursively make a path
 * @param path path to create
 * @param acl ACL for path
 * @throws IOException any problem
 */
public void zkMkParentPath(String path,
    List<ACL> acl) throws
    IOException {
  // split path into elements

  zkMkPath(RegistryPathUtils.parentOf(path),
      CreateMode.PERSISTENT, true, acl);
}
 

/**
 * Test that ACLs work on a NamespaceFacade. See CURATOR-132
 * @throws Exception
 */
@Test
public void testACL() throws Exception
{
    CuratorFramework    client = CuratorFrameworkFactory.newClient(server.getConnectString(), new RetryOneTime(1));
    client.start();
    client.getZookeeperClient().blockUntilConnectedOrTimedOut();

    client.create().creatingParentsIfNeeded().forPath("/parent/child", "A string".getBytes());
    CuratorFramework client2 = client.usingNamespace("parent");

    Assert.assertNotNull(client2.getData().forPath("/child"));  
    client.setACL().withACL(Collections.singletonList(
        new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE))).
            forPath("/parent/child");
    // This will attempt to setACL on /parent/child, Previously this failed because /child
    // isn't present. Using "child" would case a failure because the path didn't start with
    // a slash
    try
    {
        List<ACL> acls = client2.getACL().forPath("/child");
        Assert.assertNotNull(acls);
        Assert.assertEquals(acls.size(), 1);
        Assert.assertEquals(acls.get(0).getId(), ZooDefs.Ids.ANYONE_ID_UNSAFE);
        Assert.assertEquals(acls.get(0).getPerms(), ZooDefs.Perms.WRITE);
        client2.setACL().withACL(Collections.singletonList(
            new ACL(ZooDefs.Perms.DELETE, ZooDefs.Ids.ANYONE_ID_UNSAFE))).
                forPath("/child");
        Assert.fail("Expected auth exception was not thrown");
    }
    catch(NoAuthException e)
    {
        //Expected
    }
}
 

/**
 * Parse comma separated list of ACL entries to secure generated nodes, e.g.
 * <code>sasl:hdfs/[email protected]:cdrwa,sasl:hdfs/[email protected]:cdrwa</code>
 *
 * @return ACL list
 * @throws {@link BadAclFormatException} if an ACL is invalid
 */
public static List<ACL> parseACLs(String aclString) throws
    BadAclFormatException {
  List<ACL> acl = Lists.newArrayList();
  if (aclString == null) {
    return acl;
  }
  
  List<String> aclComps = Lists.newArrayList(
      Splitter.on(',').omitEmptyStrings().trimResults()
      .split(aclString));
  for (String a : aclComps) {
    // from ZooKeeperMain private method
    int firstColon = a.indexOf(':');
    int lastColon = a.lastIndexOf(':');
    if (firstColon == -1 || lastColon == -1 || firstColon == lastColon) {
      throw new BadAclFormatException(
          "ACL '" + a + "' not of expected form scheme:id:perm");
    }

    ACL newAcl = new ACL();
    newAcl.setId(new Id(a.substring(0, firstColon), a.substring(
        firstColon + 1, lastColon)));
    newAcl.setPerms(getPermFromString(a.substring(lastColon + 1)));
    acl.add(newAcl);
  }
  
  return acl;
}
 

@VisibleForTesting
@Private
@Unstable
public void createWithRetries(
    final String path, final byte[] data, final List<ACL> acl,
    final CreateMode mode) throws Exception {
  doStoreMultiWithRetries(Op.create(path, data, acl, mode));
}
 

@Test
public void testWriteRemoveDeprecated() throws InterruptedException, KeeperException {
    when(mockZK.getChildren(eq("/destination/path"), anyBoolean())).thenReturn(Arrays.asList("a", "b"));
    
    Writer writer = new Writer(mockZK, "/destination", mockNode, true, true, -1, 10);
    writer.write();
    verify(mockZK, times(1)).transaction();
    verify(mockTransaction, times(1)).create(eq("/destination/path"), eq(THEDATA), anyListOf(ACL.class), any(CreateMode.class));
    verify(mockTransaction, times(1)).create(eq("/destination/path/child"), eq(THEDATA), anyListOf(ACL.class), any(CreateMode.class));
    verify(mockTransaction, times(1)).commit();
    verify(mockTransaction, times(1)).delete(eq("/destination/path/a"), anyInt());
    verify(mockTransaction, times(1)).delete(eq("/destination/path/b"), anyInt());
}
 

protected List<ACL> createACLsToAdd(boolean includeReadOnly) {
  String digestAllUsername = System.getProperty(zkDigestAllUsernameVMParamName);
  String digestAllPassword = System.getProperty(zkDigestAllPasswordVMParamName);
  String digestReadonlyUsername = System.getProperty(zkDigestReadonlyUsernameVMParamName);
  String digestReadonlyPassword = System.getProperty(zkDigestReadonlyPasswordVMParamName);

  return createACLsToAdd(includeReadOnly,
      digestAllUsername, digestAllPassword,
      digestReadonlyUsername, digestReadonlyPassword);
}
 

@Override
public AsyncPathAndBytesable<AsyncStage<String>> withOptions(Set<CreateOption> options, CreateMode createMode, List<ACL> aclList, Stat stat, long ttl)
{
    this.options = Objects.requireNonNull(options, "options cannot be null");
    this.aclList = aclList;
    this.createMode = Objects.requireNonNull(createMode, "createMode cannot be null");
    this.stat = stat;
    this.ttl = ttl;
    return this;
}
 

private static MockZooKeeper createMockZooKeeper() throws Exception {
    MockZooKeeper zk = MockZooKeeper.newInstance(MoreExecutors.newDirectExecutorService());
    List<ACL> dummyAclList = new ArrayList<ACL>(0);

    ZkUtils.createFullPathOptimistic(zk, "/ledgers/available/192.168.1.1:" + 5000,
            "".getBytes(UTF_8), dummyAclList, CreateMode.PERSISTENT);

    zk.create("/ledgers/LAYOUT", "1\nflat:1".getBytes(UTF_8), dummyAclList,
            CreateMode.PERSISTENT);
    return zk;
}
 

private boolean isRefreshAclsNeeded(List<ACL> acls, List<ACL> newAcls) {
  boolean result = false;
  if (acls != null) {
    if (acls.size() != newAcls.size()) {
      return true;
    }
    result = aclDiffers(acls, newAcls);
    if (!result) {
      result = aclDiffers(newAcls, acls);
    }
  }
  return result;
}
 

/**
 * Init operation sets up the system ACLs.
 * @param conf configuration of the service
 * @throws Exception
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  super.serviceInit(conf);
  RegistrySecurity registrySecurity = getRegistrySecurity();
  if (registrySecurity.isSecureRegistry()) {
    ACL sasl = registrySecurity.createSaslACLFromCurrentUser(ZooDefs.Perms.ALL);
    registrySecurity.addSystemACL(sasl);
    LOG.info("Registry System ACLs:",
        RegistrySecurity.aclsToString(
        registrySecurity.getSystemACLs()));
  }
}
 

public SolrZkClient getSolrZkClient(String zkServerAddress, int zkClientTimeout) {
  return new SolrZkClient(zkServerAddress, zkClientTimeout) {
    
    @Override
    protected ZkCredentialsProvider createZkCredentialsToAddAutomatically() {
      return new DefaultZkCredentialsProvider() {
        @Override
        protected Collection<ZkCredentials> createCredentials() {
          List<ZkCredentials> result = new ArrayList<>();
          if (!StringUtils.isEmpty(digestUsername) && !StringUtils.isEmpty(digestPassword)) {
            result.add(new ZkCredentials("digest",
                (digestUsername + ":" + digestPassword).getBytes(StandardCharsets.UTF_8)));
          }
          return result;
        }

      };
    }

    @Override
    public ZkACLProvider createZkACLProvider() {
      return new VMParamsAllAndReadonlyDigestZkACLProvider() {
        @Override
        protected List<ACL> createNonSecurityACLsToAdd() {
          return createACLsToAdd(true, digestUsername, digestPassword, digestReadonlyUsername, digestReadonlyPassword);
        }

        /**
         * @return Set of ACLs to return security-related znodes
         */
        @Override
        protected List<ACL> createSecurityACLsToAdd() {
          return createACLsToAdd(false, digestUsername, digestPassword, digestReadonlyUsername, digestReadonlyPassword);
        }
      };
    }
    
  };
}
 

private boolean aclDiffers(List<ACL> aclList1, List<ACL> aclList2) {
  for (ACL acl : aclList1) {
    for (ACL newAcl : aclList2) {
      if (acl.getId() != null && acl.getId().getId().equals(newAcl.getId().getId())
        && acl.getPerms() != newAcl.getPerms()) {
        logger.info("ACL for '{}' differs: '{}' on znode, should be '{}'",
          acl.getId().getId(), acl.getPerms(), newAcl.getPerms());
        return true;
      }
    }
  }
  return false;
}
 

@Test
public void testACL() throws Exception {
    ZooKeeper zk = new ZooKeeper("localhost:2181", 3000, new ScheduleWatcher(null));
    List<ACL> acls = new ArrayList<ACL>();
    zk.addAuthInfo("digest", "TestUser:password".getBytes());
    acls.add(new ACL(ZooDefs.Perms.ALL,
            new Id("digest", DigestAuthenticationProvider.generateDigest("TestUser:password"))));
    acls.add(new ACL(ZooDefs.Perms.READ, Ids.ANYONE_ID_UNSAFE));
    zk.create("/abc", new byte[0], acls, CreateMode.PERSISTENT);
    zk.getData("/abc", false, null);
}
 

public List<ACL> getDefaultACL() {
    if (Credentials.NONE == credentials) {
        return ZooDefs.Ids.OPEN_ACL_UNSAFE;
    } else {
        return DistributedLogConstants.EVERYONE_READ_CREATOR_ALL;
    }
}