public class RegistrySecurity
extends org.apache.hadoop.service.AbstractService
This class contains:
| Modifier and Type | Class | Description |
|---|---|---|
| static class | RegistrySecurity.AclListInfo | On-demand stringifier for a list of ACLs |
| static class | RegistrySecurity.UgiInfo | On-demand stringifier for a UGI, with extra details |
| Modifier and Type | Field | Description |
|---|---|---|
| static org.apache.zookeeper.data.ACL | ALL_READ_ACCESS | An ACL with read access for anyone |
| static org.apache.zookeeper.data.ACL | ALL_READWRITE_ACCESS | An ACL with read-write access for anyone |
| static String | E_NO_KERBEROS | Error raised when the registry is tagged as secure but this process doesn't have Hadoop security enabled. |
| static String | E_NO_USER_DETERMINED_FOR_ACLS | There's no default user to add with permissions, so it would be impossible to create nodes with unrestricted user access |
| static String | E_UNKNOWN_AUTHENTICATION_MECHANISM | |
| static List<org.apache.zookeeper.data.ACL> | WorldReadWriteACL | An ACL list containing the ALL_READWRITE_ACCESS entry. |
| Constructor | Description |
|---|---|
| RegistrySecurity(String name) | Create an instance |
| Modifier and Type | Method | Description |
|---|---|---|
| static String | aclsToString(List<org.apache.zookeeper.data.ACL> acls) | Stringify a list of ACLs for logging. |
| static String | aclToString(org.apache.zookeeper.data.ACL acl) | Convert an ACL to a string, with any obfuscation needed |
| boolean | addDigestACL(org.apache.zookeeper.data.ACL acl) | Add a digest ACL |
| void | addSystemACL(org.apache.zookeeper.data.ACL acl) | Add another system ACL |
| void | applySecurityEnvironment(org.apache.curator.framework.CuratorFrameworkFactory.Builder builder) | Apply the security environment to this Curator instance. |
| static void | bindJVMtoJAASFile(File jaasFile) | Bind the JVM JAAS setting to the specified JAAS file. |
| static void | bindZKToServerJAASContext(String contextName) | Set the ZooKeeper server property ZookeeperConfigOptions.PROP_ZK_SERVER_SASL_CONTEXT to the SASL context. |
| List<org.apache.zookeeper.data.ACL> | buildACLs(String principalList, String realm, int perms) | Parse the IDs, adding a realm if needed, setting the permissions |
| String | buildSecurityDiagnostics() | Build up low-level security diagnostics to aid debugging |
| static void | clearJaasSystemProperties() | Reset any system properties related to JAAS |
| static void | clearZKSaslClientProperties() | Clear all the ZK SASL client properties. Important: this is JVM-wide |
| org.apache.zookeeper.data.ACL | createACLForUser(org.apache.hadoop.security.UserGroupInformation ugi, int perms) | Create an ACL for a user. |
| org.apache.zookeeper.data.ACL | createACLfromUsername(String username, int perms) | Given a user name (short or long), create a SASL ACL |
| String | createJAASEntry(String context, String principal, File keytab) | Create a JAAS entry for insertion |
| org.apache.zookeeper.data.ACL | createSaslACL(org.apache.hadoop.security.UserGroupInformation ugi, int perms) | Given a UGI, create a SASL ACL from it |
| org.apache.zookeeper.data.ACL | createSaslACLFromCurrentUser(int perms) | Create a SASL ACL for the current user |
| String | digest(String idPasswordPair) | Generate a base-64 encoded digest of the id:password pair |
| String | digest(String id, String password) | Generate a base-64 encoded digest of the id:password pair |
| static void | disableZookeeperClientSASL() | Force disable ZK SASL bindings. |
| protected static void | enableZookeeperClientSASL() | Turn ZK SASL on. Important: this is JVM-wide |
| List<org.apache.zookeeper.data.ACL> | getClientACLs() | Get all ACLs needed for a client to use when writing to the repo. |
| static String | getDefaultRealmInJVM() | Get the default Kerberos realm, returning "" if there is no realm or other problem |
| static String | getKerberosAuthModuleForJVM() | Get the appropriate Kerberos auth module for JAAS entries for this JVM. |
| String | getKerberosRealm() | Get the derived Kerberos realm. |
| List<org.apache.zookeeper.data.ACL> | getSystemACLs() | Get the system principals |
| static String | idToString(org.apache.zookeeper.data.Id id) | Convert an ID to a string, stripping out all but the first few characters of any digest auth hash for security reasons |
| static boolean | isClientSASLEnabled() | Is the system property enabling the SASL client set? |
| boolean | isSecureRegistry() | Flag to indicate the cluster is secure |
| boolean | isValid(String idPasswordPair) | Check for an id:password tuple being valid. |
| void | logCurrentHadoopUser() | Log details about the current Hadoop user at INFO. |
| org.apache.zookeeper.data.Id | parse(String idPair, String realm) | Parse a string down to an ID, adding a realm if needed |
| List<org.apache.zookeeper.data.ACL> | parseACLs(String zkAclConf) | Parse an ACL list. |
| void | resetDigestACLs() | Reset the digest ACL list |
| protected void | serviceInit(org.apache.hadoop.conf.Configuration conf) | Init the service: this sets up security based on the configuration |
| static void | setZKSaslClientProperties(String username, String context) | Set the client properties. |
| List<String> | splitAclPairs(String aclString, String realm) | Split up a list of the form sasl:mapred@,digest:5f55d66, sasl:yarn@EXAMPLE.COM into a list of possible ACL values, trimming as needed. The supplied realm is added to entries where the string begins "sasl:" and ends with "@". No attempt is made to validate any of the ACL patterns. |
| org.apache.zookeeper.data.Id | toDigestId(String digest) | Given a digest, create an ID from it |
| org.apache.zookeeper.data.Id | toDigestId(String id, String password) | Create a digest ID from an id:pass pair |
| static AppConfigurationEntry[] | validateContext(String context) | Resolve the context of an entry. |
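The following is an added example, not code from the Hadoop project or from this page: a stand-alone Python model of the ACL rules the methods above describe, so they can be exercised without a cluster. It covers the splitAclPairs/parse/buildACLs realm handling, the id:password validity check behind digest and toDigestId, and the digest-hash truncation of idToString/aclsToString. The digest format (id + ":" + base64 of the SHA-1 of the whole "id:password" string) is ZooKeeper's DigestAuthenticationProvider scheme, and the permission bits are ZooKeeper's ZooDefs.Perms values. Splitting scheme:id on the first colon, rejecting a trailing "@" when no realm is supplied, and keeping three hash characters in the log form are assumptions of this model, not documented behaviour of the class; the sample configuration at the bottom is constructed.

```python
"""Added example: stand-alone Python model of RegistrySecurity's ACL rules.
Not Hadoop code; assumptions that go beyond the documented behaviour are
marked in comments."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List

# ZooKeeper permission bits (ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Id:
    scheme: str  # "sasl", "digest", "world", ...
    id: str


@dataclass(frozen=True)
class ACL:
    perms: int
    id: Id


def split_acl_pairs(acl_string: str, realm: str) -> List[str]:
    """Model of splitAclPairs: split on ',', trim, drop empties, and append
    realm to entries that begin "sasl:" and end with "@". Nothing else is
    validated here; that is parse_id's job."""
    entries = []
    for raw in acl_string.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("sasl:") and entry.endswith("@"):
            entry += realm
        entries.append(entry)
    return entries


def parse_id(id_pair: str, realm: str) -> Id:
    """Model of parse: "scheme:id" -> Id, appending realm to a trailing "@".
    Assumption: the scheme is everything before the first colon."""
    scheme, sep, ident = id_pair.partition(":")
    if not sep or not scheme or not ident:
        raise ValueError(f"ACL {id_pair!r} not of expected form scheme:id")
    if ident.endswith("@"):
        if not realm:  # assumption: a missing realm is an error, not silent
            raise ValueError(f"@-suffixed account but no realm: {ident!r}")
        ident += realm
    return Id(scheme, ident)


def build_acls(principal_list: str, realm: str, perms: int) -> List[ACL]:
    """Model of buildACLs: every parsed ID gets the same permission bits."""
    return [ACL(perms, parse_id(p, realm))
            for p in split_acl_pairs(principal_list, realm)]


def is_valid_id_password(pair: str) -> bool:
    """Model of isValid: exactly one ':' and both halves non-empty."""
    parts = pair.split(":")
    return len(parts) == 2 and bool(parts[0]) and bool(parts[1])


def digest(id_password_pair: str) -> str:
    """ZooKeeper digest scheme: "<id>:" + base64(SHA-1("id:password")).
    The hash covers the whole "id:password" string, not the password alone."""
    if not is_valid_id_password(id_password_pair):
        raise ValueError(f"Invalid id:password: {id_password_pair!r}")
    ident = id_password_pair.split(":", 1)[0]
    raw = hashlib.sha1(id_password_pair.encode("utf-8")).digest()
    return ident + ":" + base64.b64encode(raw).decode("ascii")


def to_digest_id(ident: str, password: str) -> Id:
    """Model of toDigestId(id, password)."""
    return Id("digest", digest(f"{ident}:{password}"))


def id_to_string(i: Id) -> str:
    """Model of idToString: a digest hash is cut to a short prefix so that a
    logged ACL list never carries a full credential hash."""
    if i.scheme == "digest":
        user, sep, hash_part = i.id.partition(":")
        if sep:
            return f"digest:{user}:{hash_part[:3]}..."  # assumption: 3 chars
    return f"{i.scheme}:{i.id}"


def acls_to_string(acls: List[ACL]) -> str:
    """Model of aclsToString, for logging only."""
    return ", ".join(f"{id_to_string(a.id)} perms={a.perms:#x}" for a in acls)


def registry_acls(system_acls: str, realm: str,
                  digest_user: str, digest_password: str) -> List[ACL]:
    """ACL list a secure registry client would write with: the configured
    system principals plus one digest ACL for this client."""
    acls = build_acls(system_acls, realm, ALL)
    acls.append(ACL(ALL, to_digest_id(digest_user, digest_password)))
    return acls


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real cluster.
    print(acls_to_string(registry_acls("sasl:yarn@, sasl:mapred@, sasl:hdfs@",
                                       "EXAMPLE.COM", "app1", "s3cret")))
```

The ACL stored in ZooKeeper carries only the digest; the plaintext id:password is what a client presents to authenticate, so it must stay out of configuration dumps and logs, which is why the stringified form truncates the hash rather than printing it whole.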
Methods inherited from class org.apache.hadoop.service.AbstractService:
close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceStart, serviceStop, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Field detail:

public static final String E_UNKNOWN_AUTHENTICATION_MECHANISM

public static final String E_NO_USER_DETERMINED_FOR_ACLS

public static final String E_NO_KERBEROS

public static final org.apache.zookeeper.data.ACL ALL_READWRITE_ACCESS

public static final org.apache.zookeeper.data.ACL ALL_READ_ACCESS

public static final List<org.apache.zookeeper.data.ACL> WorldReadWriteACL
    An ACL list containing the ALL_READWRITE_ACCESS entry. It is copy on write, so it can be shared without worry. "Anyone" here is ZooKeeper's world:anyone ID, which includes unauthenticated clients, so this list grants read-write access to every client that can reach the ensemble.

Constructor detail:

public RegistrySecurity(String name)
    Parameters:
        name - service name

Method detail:

protected void serviceInit(org.apache.hadoop.conf.Configuration conf) throws Exception
    Overrides:
        serviceInit in class org.apache.hadoop.service.AbstractService
    Parameters:
        conf - configuration
    Throws:
        Exception

public void addSystemACL(org.apache.zookeeper.data.ACL acl)
    Parameters:
        acl - ACL to add

public boolean addDigestACL(org.apache.zookeeper.data.ACL acl)
    Parameters:
        acl - ACL to add

public void resetDigestACLs()
public boolean isSecureRegistry()

public List<org.apache.zookeeper.data.ACL> getSystemACLs()

public List<org.apache.zookeeper.data.ACL> getClientACLs()

public org.apache.zookeeper.data.ACL createSaslACLFromCurrentUser(int perms) throws IOException
    Parameters:
        perms - permissions
    Throws:
        IOException

public org.apache.zookeeper.data.ACL createSaslACL(org.apache.hadoop.security.UserGroupInformation ugi, int perms)
    Parameters:
        ugi - UGI
        perms - permissions

public boolean isValid(String idPasswordPair)
    Check for an id:password tuple being valid. This is stricter than the check in DigestAuthenticationProvider, which splits the string but doesn't check the contents of each half for being non-"".
    Parameters:
        idPasswordPair - id:pass pair

public String getKerberosRealm()
public String digest(String idPasswordPair) throws IOException
    Parameters:
        idPasswordPair - id:password
    Throws:
        IOException

public String digest(String id, String password) throws IOException
    Parameters:
        id - ID
        password - password
    Throws:
        IOException

public org.apache.zookeeper.data.Id toDigestId(String digest)
    Parameters:
        digest - digest

public org.apache.zookeeper.data.Id toDigestId(String id, String password) throws IOException
    Parameters:
        id - ID
        password - password
    Throws:
        IOException

public List<String> splitAclPairs(String aclString, String realm)
    Split up a list of the form sasl:mapred@,digest:5f55d66, sasl:yarn@EXAMPLE.COM into a list of possible ACL values, trimming as needed. The supplied realm is added to entries where the string begins "sasl:" and ends with "@". No attempt is made to validate any of the ACL patterns.
    Parameters:
        aclString - list of 0 or more ACLs
        realm - realm to add

public org.apache.zookeeper.data.Id parse(String idPair, String realm)
    Parameters:
        idPair - id:data tuple
        realm - realm to add
    Throws:
        IllegalArgumentException - if the idPair is invalid

public List<org.apache.zookeeper.data.ACL> buildACLs(String principalList, String realm, int perms) throws IOException
    Parameters:
        principalList - id string
        realm - realm to add
        perms - permissions
    Throws:
        IOException

public List<org.apache.zookeeper.data.ACL> parseACLs(String zkAclConf) throws IOException
    See also:
        ZKUtil.resolveConfIndirection(String)
    Parameters:
        zkAclConf - configuration string
    Throws:
        IOException - on a bad ACL parse

public static String getKerberosAuthModuleForJVM()

public String createJAASEntry(String context, String principal, File keytab)
    Parameters:
        context - context of the entry
        principal - Kerberos principal
        keytab - keytab

public static void bindJVMtoJAASFile(File jaasFile)
    Parameters:
        jaasFile - the JAAS file

public static void bindZKToServerJAASContext(String contextName)
    Set the ZooKeeper server property ZookeeperConfigOptions.PROP_ZK_SERVER_SASL_CONTEXT to the SASL context. When the ZK server starts, this is the context it will read in.
    Parameters:
        contextName - the name of the context

public static void clearJaasSystemProperties()

public static AppConfigurationEntry[] validateContext(String context)
    Parameters:
        context - context name
    Throws:
        RuntimeException - if there is no context entry found

public void applySecurityEnvironment(org.apache.curator.framework.CuratorFrameworkFactory.Builder builder)
    Parameters:
        builder - Curator builder

public static void setZKSaslClientProperties(String username, String context)
    Parameters:
        username - username
        context - login context
    Throws:
        RuntimeException - if the context cannot be found in the current JAAS context

public static void clearZKSaslClientProperties()
    Important: this is JVM-wide.

protected static void enableZookeeperClientSASL()
    Important: this is JVM-wide.

public static void disableZookeeperClientSASL()

public static boolean isClientSASLEnabled()

public void logCurrentHadoopUser()

public static String aclsToString(List<org.apache.zookeeper.data.ACL> acls)
    Parameters:
        acls - ACL list

public static String aclToString(org.apache.zookeeper.data.ACL acl)
    Parameters:
        acl - ACL

public static String idToString(org.apache.zookeeper.data.Id id)
    Parameters:
        id - ID

public String buildSecurityDiagnostics()

public static String getDefaultRealmInJVM()

public org.apache.zookeeper.data.ACL createACLForUser(org.apache.hadoop.security.UserGroupInformation ugi, int perms)
    Parameters:
        ugi - user identity
        perms - permissions

public org.apache.zookeeper.data.ACL createACLfromUsername(String username, int perms)
    Parameters:
        username - user name; if it doesn't contain an "@" symbol, the service's Kerberos realm is added
        perms - permissions

Copyright © 2017 Apache Software Foundation. All Rights Reserved.