Posted to commits@accumulo.apache.org by ed...@apache.org on 2022/09/27 15:30:22 UTC
[accumulo] branch main updated: fix #2955 - upgrade zk authorization check (#2964)
This is an automated email from the ASF dual-hosted git repository.
edcoleman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/main by this push:
new 0649ade26b fix #2955 - upgrade zk authorization check (#2964)
0649ade26b is described below
commit 0649ade26b26b7846b78b38a41ca6490243b94fc
Author: EdColeman <de...@etcoleman.com>
AuthorDate: Tue Sep 27 15:30:15 2022 +0000
fix #2955 - upgrade zk authorization check (#2964)
* fix the upgrade ZooKeeper authorization check by comparing against digest-scheme ACLs
---
.../org/apache/accumulo/fate/zookeeper/ZooUtil.java | 18 ++++++++++++++++++
.../apache/accumulo/manager/upgrade/Upgrader9to10.java | 11 ++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java b/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
index d02db58998..a77e87517d 100644
--- a/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
+++ b/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
@@ -21,6 +21,7 @@ package org.apache.accumulo.fate.zookeeper;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
@@ -36,7 +37,9 @@ import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
+import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
public class ZooUtil {
@@ -162,6 +165,21 @@ public class ZooUtil {
return fmt.format(timestamp);
}
+ /**
+ * Get the ZooKeeper digest based on the instance secret that is used within ZooKeeper for
+ * authentication. This method is primary intended to be used to validate ZooKeeper ACLs. Use
+ * {@link #digestAuth(ZooKeeper, String)} to add authorizations to ZooKeeper.
+ */
+ public static Id getZkDigestAuthId(final String secret) {
+ try {
+ final String scheme = "digest";
+ String auth = DigestAuthenticationProvider.generateDigest("accumulo:" + secret);
+ return new Id(scheme, auth);
+ } catch (NoSuchAlgorithmException ex) {
+ throw new IllegalArgumentException("Could not generate ZooKeeper digest string", ex);
+ }
+ }
+
public static void digestAuth(ZooKeeper zoo, String secret) {
auth(zoo, "digest", ("accumulo:" + secret).getBytes(UTF_8));
}
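Review bot: The catch block in getZkDigestAuthId reports a missing SHA-1 provider as IllegalArgumentException, but no argument is at fault in that case; it is a JCE/environment failure, so `throw new IllegalStateException("Could not generate ZooKeeper digest string", ex);` describes it more accurately to callers. The method also silently accepts a null or empty secret (yielding a digest of `accumulo:null` or `accumulo:`) that only surfaces much later as an unexplained ACL mismatch during upgrade, so a guard before the generateDigest call, `if (secret == null || secret.isEmpty()) throw new IllegalArgumentException("instance secret must not be empty");`, fails fast with a clear message. The Javadoc has a typo, `primary intended` should read `primarily intended`, and it would help readers to state that, as I read DigestAuthenticationProvider.generateDigest, the returned Id holds ZooKeeper's base64 digest of `accumulo:<secret>` rather than the secret itself, which is why it matches stored ACL entries but cannot be used to authenticate a session.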
diff --git a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
index fc99d90037..b296d1e5ba 100644
--- a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
+++ b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
@@ -94,6 +94,7 @@ import org.apache.zookeeper.ZKUtil;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -148,6 +149,14 @@ public class Upgrader9to10 implements Upgrader {
final ZooReaderWriter zrw = context.getZooReaderWriter();
final ZooKeeper zk = zrw.getZooKeeper();
final String rootPath = context.getZooKeeperRoot();
+
+ final Id zkDigest =
+ ZooUtil.getZkDigestAuthId(context.getConfiguration().get(Property.INSTANCE_SECRET));
+ final List<ACL> privateWithAuth = new ArrayList<>();
+ privateWithAuth.add(new ACL(ZooDefs.Perms.ALL, zkDigest));
+ final List<ACL> publicWithAuth = new ArrayList<>(privateWithAuth);
+ publicWithAuth.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+
try {
ZKUtil.visitSubTreeDFS(zk, rootPath, false, (rc, path, ctx, name) -> {
try {
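Review bot: The two expected ACL lists built at the top of this hunk are compared later with List.equals, which is positional, so the order chosen here (the ALL/digest entry first, then READ for ANYONE_ID_UNSAFE) silently has to match the order in which ZooUtil.PUBLIC writes those entries; a comment such as `// order matters: List.equals is positional and must mirror ZooUtil.PUBLIC` on the publicWithAuth line would keep the two from drifting apart. Since the lists are never modified after construction, `List.of(new ACL(ZooDefs.Perms.ALL, zkDigest))` and `List.of(privateWithAuth.get(0), new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE))` would also make that fixed order and immutability explicit. One caveat worth noting near the getZkDigestAuthId call: the digest is computed client-side from the configured instance secret, and I believe newer ZooKeeper releases let the server's digest scheme use a non-default hash via `zookeeper.DigestAuthenticationProvider.digestAlg`; if that setting differs between the manager and the ZooKeeper ensemble, every node would be reported as having an unexpected ACL even though the secret is correct. The enclosing upgrade method continues outside this hunk.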
@@ -156,7 +165,7 @@ public class Upgrader9to10 implements Upgrader {
if (((path.equals(Constants.ZROOT) || path.equals(Constants.ZROOT + Constants.ZINSTANCES))
&& !acls.equals(ZooDefs.Ids.OPEN_ACL_UNSAFE))
- || (!ZooUtil.PRIVATE.equals(acls) && !ZooUtil.PUBLIC.equals(acls))) {
+ || (!privateWithAuth.equals(acls) && !publicWithAuth.equals(acls))) {
log.error("ZNode at {} has unexpected ACL: {}", path, acls);
aclErrorOccurred.set(true);
} else {