[SLIDER-931] Security permissions on set up ZK path are too lax
diff --git a/slider-core/src/main/java/org/apache/slider/client/SliderClient.java b/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
index 1008ae5..77dacd8 100644
--- a/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
+++ b/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
@@ -158,6 +158,8 @@
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.InterruptedIOException;
import java.io.PrintStream;
import java.io.StringWriter;
import java.io.Writer;
@@ -464,16 +466,15 @@
client.deleteRecursive(zkPath);
return true;
}
- } catch (InterruptedException ignored) {
- e = ignored;
- } catch (KeeperException ignored) {
- e = ignored;
- } catch (BadConfigException ignored) {
- e = ignored;
+ } catch (InterruptedException ex) {
+ e = ex;
+ } catch (KeeperException ex) {
+ e = ex;
+ } catch (BadConfigException ex) {
+ e = ex;
}
if (e != null) {
- log.debug("Unable to recursively delete zk node {}", zkPath);
- log.debug("Reason: ", e);
+ log.warn("Unable to recursively delete zk node {}", zkPath, e);
}
return false;
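Review bot: The `catch (InterruptedException ex)` branch stores the exception, logs it and returns `false`, but never restores the thread's interrupt status, so callers further up cannot see that the thread was interrupted. Adding `Thread.currentThread().interrupt();` before `e = ex;` would keep the flag set. The new `createZookeeperNode` wrapper in this same commit converts the interrupt to an `InterruptedIOException`, so the two paths currently handle interruption differently. The enclosing method starts above this hunk, so its signature is not visible here.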
@@ -484,6 +485,31 @@
*/
@VisibleForTesting
public String createZookeeperNode(String clusterName, Boolean nameOnly) throws YarnException, IOException {
+ try {
+ return createZookeeperNodeInner(clusterName, nameOnly);
+ } catch (KeeperException.NodeExistsException e) {
+ return null;
+ } catch (KeeperException e) {
+ return null;
+ } catch (InterruptedException e) {
+ throw new InterruptedIOException(e.toString());
+ }
+ }
+
+ /**
+ * Create the zookeeper node associated with the calling user and the cluster
+ * -throwing exceptions on any failure
+ * @param clusterName cluster name
+ * @param nameOnly create the path, not the node
+ * @return the path, with the node created
+ * @throws YarnException
+ * @throws IOException
+ * @throws KeeperException
+ * @throws InterruptedException
+ */
+ @VisibleForTesting
+ public String createZookeeperNodeInner(String clusterName, Boolean nameOnly)
+ throws YarnException, IOException, KeeperException, InterruptedException {
String user = getUsername();
String zkPath = ZKIntegration.mkClusterPath(user, clusterName);
if (nameOnly) {
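Review bot: The new wrapper in `createZookeeperNode` returns `null` for every `KeeperException` without logging, whereas the removed code logged `Unable to create default zk node` at warn level. That hides failures to apply the ACLs (for example a rejected ACL list or missing authentication) from operators. The separate `NodeExistsException` catch is redundant because both branches do the same thing; a single `catch (KeeperException e) { log.warn("Unable to create default zk node for cluster {}", clusterName, e); return null; }` would restore the diagnostic. When the node already exists, the caller gets `null` and nothing here checks which ACL the existing node carries; that may be worth a comment or a follow-up check. `new InterruptedIOException(e.toString())` also drops the cause; chaining it with `initCause(e)` would keep the stack trace. The body of `createZookeeperNodeInner` continues past this hunk.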
@@ -491,22 +517,22 @@
}
ZKIntegration client = getZkClient(clusterName, user);
if (client != null) {
- try {
- List<ACL> zkperms = new ArrayList<ACL>();
- zkperms.addAll(ZooDefs.Ids.CREATOR_ALL_ACL);
- zkperms.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
- client.createPath(zkPath, "",
- zkperms,
- CreateMode.PERSISTENT);
- return zkPath;
- } catch (InterruptedException e) {
- log.warn("Unable to create default zk node {}", zkPath, e);
- } catch (KeeperException e) {
- log.warn("Unable to create default zk node {}", zkPath, e);
+ // set up the permissions. This must be done differently on a secure cluster from an insecure
+ // one
+ List<ACL> zkperms = new ArrayList<ACL>();
+ if (UserGroupInformation.isSecurityEnabled()) {
+ zkperms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
+ zkperms.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+ } else {
+ zkperms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE));
}
+ client.createPath(zkPath, "",
+ zkperms,
+ CreateMode.PERSISTENT);
+ return zkPath;
+ } else {
+ return null;
}
-
- return null;
}
/**
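Review bot: The insecure branch grants `ZooDefs.Perms.ALL` to `ANYONE_ID_UNSAFE`, which includes DELETE and ADMIN, so any client that can reach the ensemble can delete the node or rewrite its ACL. The two-line comment above the list only says the setup "must be done differently" and does not state this. I would replace it with something like `// secure: ALL for the authenticated session identity, world READ only; insecure: no identity exists, so the node is world-writable (including ADMIN) - do not store sensitive data here`. On the secure branch `AUTH_IDS` only resolves if the ZooKeeper session has actually authenticated; if it has not, `createPath` presumably fails with an invalid-ACL `KeeperException`, which the `createZookeeperNode` wrapper then turns into a silent `null`. The world READ entry is kept on secure clusters, so anything written under this path remains readable without authentication.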
diff --git a/slider-core/src/test/app_packages/test_command_log/appConfig.json b/slider-core/src/test/app_packages/test_command_log/appConfig.json
index b9383ec..f53225e 100644
--- a/slider-core/src/test/app_packages/test_command_log/appConfig.json
+++ b/slider-core/src/test/app_packages/test_command_log/appConfig.json
@@ -9,7 +9,8 @@
"site.global.app_root": "${AGENT_WORK_ROOT}/app/install/command-logger",
"site.cl-site.logfile.location": "${AGENT_LOG_ROOT}/operations.log",
"site.cl-site.datetime.format": "%A, %d. %B %Y %I:%M%p",
- "site.cl-site.pattern.for.test.to.verify": "verify this pattern"
+ "site.cl-site.pattern.for.test.to.verify": "verify this pattern",
+ "create.default.zookeeper.node": true
},
"components": {
"COMMAND_LOGGER": {
diff --git a/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy b/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
index 431c49f..efc550a 100644
--- a/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
+++ b/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
@@ -107,7 +107,7 @@
public void testCreateAndDeleteDefaultZKPath() throws Throwable {
MockSliderClient client = new MockSliderClient()
- String path = client.createZookeeperNode("cl1", true)
+ String path = client.createZookeeperNodeInner("cl1", true)
zki = client.lastZKIntegration
String zkPath = ZKIntegration.mkClusterPath(USER, "cl1")
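Review bot: The test is switched to `createZookeeperNodeInner` here and again at the `createZookeeperNodeInner("cl1", false)` call in the next hunk, but the visible assertions still check only the path string and existence. Nothing verifies the ACL that this commit changes, and the public `createZookeeperNode` wrapper with its null-on-`KeeperException` behaviour is no longer exercised. Consider reading the ACL back from the created node and asserting it matches the expected list for an insecure cluster, and keeping one call through `createZookeeperNode` so the wrapper stays covered. The test method continues beyond both hunks, so such checks may already exist outside the visible lines.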
@@ -117,7 +117,7 @@
zki = createZKIntegrationInstance(getZKBinding(), "cl1", true, false, 5000);
assert !zki.exists(zkPath)
- path = client.createZookeeperNode("cl1", false)
+ path = client.createZookeeperNodeInner("cl1", false)
zki = client.lastZKIntegration
assert zki
assert zkPath == "/services/slider/users/" + USER + "/cl1", "zkPath must be as expected"