org.apache.hadoop.registry.client.impl.zk

Class RegistrySecurity

java.lang.Object

org.apache.hadoop.service.AbstractService

org.apache.hadoop.registry.client.impl.zk.RegistrySecurity

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service

public class RegistrySecurity
extends org.apache.hadoop.service.AbstractService

Implement the registry security ... a self contained service for testability.

This class contains:

1. The registry security policy implementation, configuration reading, ACL setup and management
2. Lots of static helper methods to aid security setup and debugging

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	RegistrySecurity.AclListInfo on-demand stringifier for a list of ACLs
static class	RegistrySecurity.JaasConfiguration Creates a programmatic version of a jaas.conf file.
static class	RegistrySecurity.UgiInfo On demand string-ifier for UGI with extra details

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

org.apache.hadoop.service.Service.STATE

Field Summary

Fields

Modifier and Type	Field and Description
static org.apache.zookeeper.data.ACL	ALL_READ_ACCESS An ACL with read access for anyone
static org.apache.zookeeper.data.ACL	ALL_READWRITE_ACCESS An ACL with read-write access for anyone
static String	E_NO_KERBEROS Error raised when the registry is tagged as secure but this process doesn't have hadoop security enabled.
static String	E_NO_USER_DETERMINED_FOR_ACLS there's no default user to add with permissions, so it would be impossible to create nodes with unrestricted user access
static String	E_UNKNOWN_AUTHENTICATION_MECHANISM
static List<org.apache.zookeeper.data.ACL>	WorldReadWriteACL An ACL list containing the ALL_READWRITE_ACCESS entry.

Constructor Summary

Constructors

Constructor and Description
RegistrySecurity(String name) Create an instance

Method Summary

Modifier and Type	Method and Description
static String	aclsToString(List<org.apache.zookeeper.data.ACL> acls) Stringify a list of ACLs for logging.
static String	aclToString(org.apache.zookeeper.data.ACL acl) Convert an ACL to a string, with any obfuscation needed
boolean	addDigestACL(org.apache.zookeeper.data.ACL acl) Add a digest ACL
void	addSystemACL(org.apache.zookeeper.data.ACL acl) Add another system ACL
void	applySecurityEnvironment(org.apache.curator.framework.CuratorFrameworkFactory.Builder builder) Apply the security environment to this curator instance.
static void	bindJVMtoJAASFile(File jaasFile) Bind the JVM JAS setting to the specified JAAS file.
static void	bindZKToServerJAASContext(String contextName) Set the Zookeeper server property ZookeeperConfigOptions.PROP_ZK_SERVER_SASL_CONTEXT to the SASL context.
List<org.apache.zookeeper.data.ACL>	buildACLs(String principalList, String realm, int perms) Parse the IDs, adding a realm if needed, setting the permissions
String	buildSecurityDiagnostics() Build up low-level security diagnostics to aid debugging
static void	clearJaasSystemProperties() Reset any system properties related to JAAS
static void	clearZKSaslClientProperties() Clear all the ZK SASL Client properties Important:This is JVM-wide
org.apache.zookeeper.data.ACL	createACLForUser(org.apache.hadoop.security.UserGroupInformation ugi, int perms) Create an ACL For a user.
org.apache.zookeeper.data.ACL	createACLfromUsername(String username, int perms) Given a user name (short or long), create a SASL ACL
String	createJAASEntry(String context, String principal, File keytab) Create a JAAS entry for insertion
org.apache.zookeeper.data.ACL	createSaslACL(org.apache.hadoop.security.UserGroupInformation ugi, int perms) Given a UGI, create a SASL ACL from it
org.apache.zookeeper.data.ACL	createSaslACLFromCurrentUser(int perms) Create a SASL ACL for the user
String	digest(String idPasswordPair) Generate a base-64 encoded digest of the idPasswordPair pair
String	digest(String id, String password) Generate a base-64 encoded digest of the idPasswordPair pair
static void	disableZookeeperClientSASL() Force disable ZK SASL bindings.
protected static void	enableZookeeperClientSASL() Turn ZK SASL on Important:This is JVM-wide
List<org.apache.zookeeper.data.ACL>	getClientACLs() Get all ACLs needed for a client to use when writing to the repo.
static String	getDefaultRealmInJVM() Get the default kerberos realm —returning "" if there is no realm or other problem
static String	getKerberosAuthModuleForJVM() Get the appropriate Kerberos Auth module for JAAS entries for this JVM.
String	getKerberosRealm() Get the derived kerberos realm.
List<org.apache.zookeeper.data.ACL>	getSystemACLs() Get the system principals
static String	idToString(org.apache.zookeeper.data.Id id) Convert an ID to a string, stripping out all but the first few characters of any digest auth hash for security reasons
static boolean	isClientSASLEnabled() Is the system property enabling the SASL client set?
boolean	isSecureRegistry() Flag to indicate the cluster is secure
boolean	isValid(String idPasswordPair) Check for an id:password tuple being valid.
void	logCurrentHadoopUser() Log details about the current Hadoop user at INFO.
org.apache.zookeeper.data.Id	parse(String idPair, String realm) Parse a string down to an ID, adding a realm if needed
List<org.apache.zookeeper.data.ACL>	parseACLs(String zkAclConf) Parse an ACL list.
void	resetDigestACLs() Reset the digest ACL list
protected void	serviceInit(org.apache.hadoop.conf.Configuration conf) Init the service: this sets up security based on the configuration
void	setKerberosPrincipalAndKeytab(String principal, String keytab)
static void	setZKSaslClientProperties(String username, String context) Set the client properties.
List<String>	splitAclPairs(String aclString, String realm) Split up a list of the form sasl:mapred@,digest:5f55d66, sasl@yarn@EXAMPLE.COM into a list of possible ACL values, trimming as needed The supplied realm is added to entries where the string begins "sasl:" the string ends with "@" No attempt is made to validate any of the acl patterns.
org.apache.zookeeper.data.Id	toDigestId(String digest) Given a digest, create an ID from it
org.apache.zookeeper.data.Id	toDigestId(String id, String password) Create a Digest ID from an id:pass pair
static AppConfigurationEntry[]	validateContext(String context) Resolve the context of an entry.

Methods inherited from class org.apache.hadoop.service.AbstractService

close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceStart, serviceStop, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

E_UNKNOWN_AUTHENTICATION_MECHANISM

public static final String E_UNKNOWN_AUTHENTICATION_MECHANISM

See Also:

Constant Field Values

E_NO_USER_DETERMINED_FOR_ACLS

public static final String E_NO_USER_DETERMINED_FOR_ACLS

there's no default user to add with permissions, so it would be impossible to create nodes with unrestricted user access

See Also:

Constant Field Values

E_NO_KERBEROS

public static final String E_NO_KERBEROS

Error raised when the registry is tagged as secure but this process doesn't have hadoop security enabled.

See Also:

Constant Field Values

ALL_READWRITE_ACCESS

public static final org.apache.zookeeper.data.ACL ALL_READWRITE_ACCESS

An ACL with read-write access for anyone

ALL_READ_ACCESS

public static final org.apache.zookeeper.data.ACL ALL_READ_ACCESS

An ACL with read access for anyone

WorldReadWriteACL

public static final List<org.apache.zookeeper.data.ACL> WorldReadWriteACL

An ACL list containing the ALL_READWRITE_ACCESS entry. It is copy on write so can be shared without worry

Constructor Detail

RegistrySecurity

public RegistrySecurity(String name)

Create an instance

Parameters:

name - service name

Method Detail

serviceInit

protected void serviceInit(org.apache.hadoop.conf.Configuration conf)
                    throws Exception

Init the service: this sets up security based on the configuration

Overrides:

serviceInit in class org.apache.hadoop.service.AbstractService

Parameters:

conf - configuration

Throws:

Exception

addSystemACL

public void addSystemACL(org.apache.zookeeper.data.ACL acl)

Add another system ACL

Parameters:

acl - add ACL

addDigestACL

public boolean addDigestACL(org.apache.zookeeper.data.ACL acl)

Add a digest ACL

Parameters:

acl - add ACL

resetDigestACLs

public void resetDigestACLs()

Reset the digest ACL list

isSecureRegistry

public boolean isSecureRegistry()

Flag to indicate the cluster is secure

Returns:

true if the config enabled security

getSystemACLs

public List<org.apache.zookeeper.data.ACL> getSystemACLs()

Get the system principals

Returns:

the system principals

getClientACLs

public List<org.apache.zookeeper.data.ACL> getClientACLs()

Get all ACLs needed for a client to use when writing to the repo. That is: system ACLs, its own ACL, any digest ACLs

Returns:

the client ACLs

createSaslACLFromCurrentUser

public org.apache.zookeeper.data.ACL createSaslACLFromCurrentUser(int perms)
                                                           throws IOException

Create a SASL ACL for the user

Parameters:

perms - permissions

Returns:

an ACL for the current user or null if they aren't a kerberos user

Throws:

IOException

createSaslACL

public org.apache.zookeeper.data.ACL createSaslACL(org.apache.hadoop.security.UserGroupInformation ugi,
                                                   int perms)

Given a UGI, create a SASL ACL from it

Parameters:

ugi - UGI

perms - permissions

Returns:

a new ACL

isValid

public boolean isValid(String idPasswordPair)

Check for an id:password tuple being valid. This test is stricter than that in DigestAuthenticationProvider, which splits the string, but doesn't check the contents of each half for being non-"".

Parameters:

idPasswordPair - id:pass pair

Returns:

true if the pass is considered valid.

getKerberosRealm

public String getKerberosRealm()

Get the derived kerberos realm.

Returns:

this is built from the JVM realm, or the configuration if it overrides it. If "", it means "don't know".

digest

public String digest(String idPasswordPair)
              throws IOException

Generate a base-64 encoded digest of the idPasswordPair pair

Parameters:

idPasswordPair - id:password

Returns:

a string that can be used for authentication

Throws:

IOException

digest

public String digest(String id,
                     String password)
              throws IOException

Generate a base-64 encoded digest of the idPasswordPair pair

Parameters:

id - ID

password - pass

Returns:

a string that can be used for authentication

Throws:

IOException

toDigestId

public org.apache.zookeeper.data.Id toDigestId(String digest)

Given a digest, create an ID from it

Parameters:

digest - digest

Returns:

ID

toDigestId

public org.apache.zookeeper.data.Id toDigestId(String id,
                                               String password)
                                        throws IOException

Create a Digest ID from an id:pass pair

Parameters:

id - ID

password - password

Returns:

an ID

Throws:

IOException

splitAclPairs

public List<String> splitAclPairs(String aclString,
                                  String realm)

Split up a list of the form sasl:mapred@,digest:5f55d66, sasl@yarn@EXAMPLE.COM into a list of possible ACL values, trimming as needed The supplied realm is added to entries where

1. the string begins "sasl:"
2. the string ends with "@"

No attempt is made to validate any of the acl patterns.

Parameters:

aclString - list of 0 or more ACLs

realm - realm to add

Returns:

a list of split and potentially patched ACL pairs.

parse

public org.apache.zookeeper.data.Id parse(String idPair,
                                          String realm)

Parse a string down to an ID, adding a realm if needed

Parameters:

idPair - id:data tuple

realm - realm to add

Returns:

the ID.

Throws:

IllegalArgumentException - if the idPair is invalid

buildACLs

public List<org.apache.zookeeper.data.ACL> buildACLs(String principalList,
                                                     String realm,
                                                     int perms)
                                              throws IOException

Parse the IDs, adding a realm if needed, setting the permissions

Parameters:

principalList - id string

realm - realm to add

perms - permissions

Returns:

the relevant ACLs

Throws:

IOException

parseACLs

public List<org.apache.zookeeper.data.ACL> parseACLs(String zkAclConf)
                                              throws IOException

Parse an ACL list. This includes configuration indirection ZKUtil.resolveConfIndirection(String)

Parameters:

zkAclConf - configuration string

Returns:

an ACL list

Throws:

IOException - on a bad ACL parse

getKerberosAuthModuleForJVM

public static String getKerberosAuthModuleForJVM()

Get the appropriate Kerberos Auth module for JAAS entries for this JVM.

Returns:

a JVM-specific kerberos login module classname.

createJAASEntry

public String createJAASEntry(String context,
                              String principal,
                              File keytab)

Create a JAAS entry for insertion

Parameters:

context - context of the entry

principal - kerberos principal

keytab - keytab

Returns:

a context

bindJVMtoJAASFile

public static void bindJVMtoJAASFile(File jaasFile)

Bind the JVM JAS setting to the specified JAAS file. Important: once a file has been loaded the JVM doesn't pick up changes

Parameters:

jaasFile - the JAAS file

bindZKToServerJAASContext

public static void bindZKToServerJAASContext(String contextName)

Set the Zookeeper server property ZookeeperConfigOptions.PROP_ZK_SERVER_SASL_CONTEXT to the SASL context. When the ZK server starts, this is the context which it will read in

Parameters:

contextName - the name of the context

clearJaasSystemProperties

public static void clearJaasSystemProperties()

Reset any system properties related to JAAS

validateContext

public static AppConfigurationEntry[] validateContext(String context)

Resolve the context of an entry. This is an effective test of JAAS setup, because it will relay detected problems up

Parameters:

context - context name

Returns:

the entry

Throws:

RuntimeException - if there is no context entry found

applySecurityEnvironment

public void applySecurityEnvironment(org.apache.curator.framework.CuratorFrameworkFactory.Builder builder)
                              throws IOException

Apply the security environment to this curator instance. This may include setting up the ZK system properties for SASL

Parameters:

builder - curator builder

Throws:

IOException - if jaas configuration can't be generated or found

setKerberosPrincipalAndKeytab

public void setKerberosPrincipalAndKeytab(String principal,
                                          String keytab)

setZKSaslClientProperties

public static void setZKSaslClientProperties(String username,
                                             String context)

Set the client properties. This forces the ZK client into failing if it can't auth. Important:This is JVM-wide.

Parameters:

username - username

context - login context

Throws:

RuntimeException - if the context cannot be found in the current JAAS context

clearZKSaslClientProperties

public static void clearZKSaslClientProperties()

Clear all the ZK SASL Client properties Important:This is JVM-wide

enableZookeeperClientSASL

protected static void enableZookeeperClientSASL()

Turn ZK SASL on Important:This is JVM-wide

disableZookeeperClientSASL

public static void disableZookeeperClientSASL()

Force disable ZK SASL bindings. Important:This is JVM-wide

isClientSASLEnabled

public static boolean isClientSASLEnabled()

Is the system property enabling the SASL client set?

Returns:

true if the SASL client system property is set.

logCurrentHadoopUser

public void logCurrentHadoopUser()

Log details about the current Hadoop user at INFO. Robust against IOEs when trying to get the current user

aclsToString

public static String aclsToString(List<org.apache.zookeeper.data.ACL> acls)

Stringify a list of ACLs for logging. Digest ACLs have their digest values stripped for security.

Parameters:

acls - ACL list

Returns:

a string for logs, exceptions, ...

aclToString

public static String aclToString(org.apache.zookeeper.data.ACL acl)

Convert an ACL to a string, with any obfuscation needed

Parameters:

acl - ACL

Returns:

ACL string value

idToString

public static String idToString(org.apache.zookeeper.data.Id id)

Convert an ID to a string, stripping out all but the first few characters of any digest auth hash for security reasons

Parameters:

id - ID

Returns:

a string description of a Zookeeper ID

buildSecurityDiagnostics

public String buildSecurityDiagnostics()

Build up low-level security diagnostics to aid debugging

Returns:

a string to use in diagnostics

getDefaultRealmInJVM

public static String getDefaultRealmInJVM()

Get the default kerberos realm —returning "" if there is no realm or other problem

Returns:

the default realm of the system if it could be determined

createACLForUser

public org.apache.zookeeper.data.ACL createACLForUser(org.apache.hadoop.security.UserGroupInformation ugi,
                                                      int perms)

Create an ACL For a user.

Parameters:

ugi - User identity

Returns:

the ACL For the specified user. Ifthe username doesn't end in "@" then the realm is added

createACLfromUsername

public org.apache.zookeeper.data.ACL createACLfromUsername(String username,
                                                           int perms)

Given a user name (short or long), create a SASL ACL

Parameters:

username - user name; if it doesn't contain an "@" symbol, the service's kerberos realm is added

perms - permissions

Returns:

an ACL for the user