Posted to commits@accumulo.apache.org by ed...@apache.org on 2022/09/27 15:30:22 UTC

[accumulo] branch main updated: fix #2955 - upgrade zk authorization check (#2964)

This is an automated email from the ASF dual-hosted git repository.

edcoleman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new 0649ade26b fix #2955 - upgrade zk authorization check (#2964)
0649ade26b is described below

commit 0649ade26b26b7846b78b38a41ca6490243b94fc
Author: EdColeman <de...@etcoleman.com>
AuthorDate: Tue Sep 27 15:30:15 2022 +0000

    fix #2955 - upgrade zk authorization check (#2964)
    
    * fix upgrade zk authorization check using zk digest
---
 .../org/apache/accumulo/fate/zookeeper/ZooUtil.java    | 18 ++++++++++++++++++
 .../apache/accumulo/manager/upgrade/Upgrader9to10.java | 11 ++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java b/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
index d02db58998..a77e87517d 100644
--- a/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
+++ b/core/src/main/java/org/apache/accumulo/fate/zookeeper/ZooUtil.java
@@ -21,6 +21,7 @@ package org.apache.accumulo.fate.zookeeper;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.OffsetDateTime;
 import java.time.ZoneOffset;
@@ -36,7 +37,9 @@ import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
+import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
 
 public class ZooUtil {
 
@@ -162,6 +165,21 @@ public class ZooUtil {
     return fmt.format(timestamp);
   }
 
+  /**
+   * Get the ZooKeeper digest based on the instance secret that is used within ZooKeeper for
+   * authentication. This method is primary intended to be used to validate ZooKeeper ACLs. Use
+   * {@link #digestAuth(ZooKeeper, String)} to add authorizations to ZooKeeper.
+   */
+  public static Id getZkDigestAuthId(final String secret) {
+    try {
+      final String scheme = "digest";
+      String auth = DigestAuthenticationProvider.generateDigest("accumulo:" + secret);
+      return new Id(scheme, auth);
+    } catch (NoSuchAlgorithmException ex) {
+      throw new IllegalArgumentException("Could not generate ZooKeeper digest string", ex);
+    }
+  }
+
   public static void digestAuth(ZooKeeper zoo, String secret) {
     auth(zoo, "digest", ("accumulo:" + secret).getBytes(UTF_8));
   }
diff --git a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
index fc99d90037..b296d1e5ba 100644
--- a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
+++ b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
@@ -94,6 +94,7 @@ import org.apache.zookeeper.ZKUtil;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -148,6 +149,14 @@ public class Upgrader9to10 implements Upgrader {
     final ZooReaderWriter zrw = context.getZooReaderWriter();
     final ZooKeeper zk = zrw.getZooKeeper();
     final String rootPath = context.getZooKeeperRoot();
+
+    final Id zkDigest =
+        ZooUtil.getZkDigestAuthId(context.getConfiguration().get(Property.INSTANCE_SECRET));
+    final List<ACL> privateWithAuth = new ArrayList<>();
+    privateWithAuth.add(new ACL(ZooDefs.Perms.ALL, zkDigest));
+    final List<ACL> publicWithAuth = new ArrayList<>(privateWithAuth);
+    publicWithAuth.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+
     try {
       ZKUtil.visitSubTreeDFS(zk, rootPath, false, (rc, path, ctx, name) -> {
         try {
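Review bot: `privateWithAuth` and `publicWithAuth` are built as mutable `ArrayList`s and then captured by the visitor lambda, yet they are never modified after construction; `List.of(...)` would express that and rule out accidental mutation, e.g. `final List<ACL> privateWithAuth = List.of(new ACL(ZooDefs.Perms.ALL, zkDigest));` and `final List<ACL> publicWithAuth = List.of(privateWithAuth.get(0), new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));`. The later comparison uses `List.equals`, which is order-sensitive, so the entry order chosen here (digest entry first, anyone-read second) must match the order in which the ACLs were originally written to ZooKeeper; a short comment such as `// order must match how ZooUtil writes public ACLs (digest ALL, then anyone READ)` would record that assumption. The enclosing method starts before this hunk.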
@@ -156,7 +165,7 @@ public class Upgrader9to10 implements Upgrader {
 
           if (((path.equals(Constants.ZROOT) || path.equals(Constants.ZROOT + Constants.ZINSTANCES))
               && !acls.equals(ZooDefs.Ids.OPEN_ACL_UNSAFE))
-              || (!ZooUtil.PRIVATE.equals(acls) && !ZooUtil.PUBLIC.equals(acls))) {
+              || (!privateWithAuth.equals(acls) && !publicWithAuth.equals(acls))) {
             log.error("ZNode at {} has unexpected ACL: {}", path, acls);
             aclErrorOccurred.set(true);
           } else {
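Review bot: The replaced condition now ties the ACL check to the digest of the currently configured `instance.secret`, so a znode whose ACL was written under a different secret (presumably the case if the secret was changed after the node was created) will be reported as an unexpected ACL, where the previous `ZooUtil.PRIVATE`/`PUBLIC` comparison appears not to have depended on the secret value. If that is intended, a comment would help the next reader, e.g. `// expected ACLs embed the digest of instance.secret; a mismatch can mean the secret changed since the znode was written`. The `log.error` on the following line reports only the ACL that was found; adding a phrase such as `expected private or public ACL for the configured instance secret` to the message, without printing the expected digest itself, would make the failure actionable for an operator. The enclosing visitor lambda and method start before this hunk.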