You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by dl...@apache.org on 2022/09/09 16:13:37 UTC

[accumulo] branch main updated: Validate ZNode ACLs prior to upgrade, log unexpected values and fail (#2919)

This is an automated email from the ASF dual-hosted git repository.

dlmarion pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new 049f19fb23 Validate ZNode ACLs prior to upgrade, log unexpected values and fail (#2919)
049f19fb23 is described below

commit 049f19fb23da125aab033ab8dd02dcb4575bf852
Author: Dave Marion <dl...@apache.org>
AuthorDate: Fri Sep 9 12:13:32 2022 -0400

    Validate ZNode ACLs prior to upgrade, log unexpected values and fail (#2919)
    
    Closes #2890
    
    
    Co-authored-by: Keith Turner <kt...@apache.org>
---
 .../accumulo/manager/upgrade/Upgrader9to10.java    | 43 ++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
index fbbade1110..281fa261de 100644
--- a/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
+++ b/server/manager/src/main/java/org/apache/accumulo/manager/upgrade/Upgrader9to10.java
@@ -34,6 +34,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Objects;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.BiConsumer;
 
 import org.apache.accumulo.core.Constants;
@@ -71,6 +72,7 @@ import org.apache.accumulo.core.spi.compaction.SimpleCompactionDispatcher;
 import org.apache.accumulo.core.tabletserver.log.LogEntry;
 import org.apache.accumulo.core.util.HostAndPort;
 import org.apache.accumulo.fate.zookeeper.ZooReaderWriter;
+import org.apache.accumulo.fate.zookeeper.ZooUtil;
 import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeExistsPolicy;
 import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeMissingPolicy;
 import org.apache.accumulo.server.ServerContext;
@@ -87,6 +89,11 @@ import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.KeeperException.NoNodeException;
+import org.apache.zookeeper.ZKUtil;
+import org.apache.zookeeper.ZooDefs;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Stat;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -124,6 +131,7 @@ public class Upgrader9to10 implements Upgrader {
 
   @Override
   public void upgradeZookeeper(ServerContext context) {
+    validateACLs(context);
     upgradePropertyStorage(context);
     setMetaTableProps(context);
     upgradeRootTabletMetadata(context);
@@ -133,6 +141,41 @@ public class Upgrader9to10 implements Upgrader {
     createScanServerNodes(context);
   }
 
+  private void validateACLs(ServerContext context) {
+
+    final AtomicBoolean aclErrorOccurred = new AtomicBoolean(false);
+    final ZooReaderWriter zrw = context.getZooReaderWriter();
+    final ZooKeeper zk = zrw.getZooKeeper();
+    final String rootPath = context.getZooKeeperRoot();
+    try {
+      ZKUtil.visitSubTreeDFS(zk, rootPath, false, (rc, path, ctx, name) -> {
+        try {
+          final Stat stat = new Stat();
+          final List<ACL> acls = zk.getACL(path, stat);
+
+          if (((path.equals(Constants.ZROOT) || path.equals(Constants.ZROOT + Constants.ZINSTANCES))
+              && !acls.equals(ZooDefs.Ids.OPEN_ACL_UNSAFE))
+              || (!ZooUtil.PRIVATE.equals(acls) && !ZooUtil.PUBLIC.equals(acls))) {
+            log.error("ZNode at {} has unexpected ACL: {}", path, acls);
+            aclErrorOccurred.set(true);
+          } else {
+            log.trace("ZNode at {} has expected ACL.", path);
+          }
+        } catch (KeeperException | InterruptedException e) {
+          log.error("Error getting ACL for path: {}", path, e);
+          aclErrorOccurred.set(true);
+        }
+      });
+      if (aclErrorOccurred.get()) {
+        throw new RuntimeException("Upgrade Failed! Error validating ZNode ACLs. "
+            + "Check the log for specific failed paths, check ZooKeeper troubleshooting in user documentation "
+            + "for instructions on how to fix.");
+      }
+    } catch (KeeperException | InterruptedException e) {
+      throw new RuntimeException("Upgrade Failed! Error validating nodes under " + rootPath, e);
+    }
+  }
+
   @Override
   public void upgradeRoot(ServerContext context) {
     upgradeRelativePaths(context, Ample.DataLevel.METADATA);