solr/core/src/test/org/apache/solr/security/hadoop/TestZkAclsWithHadoopAuth.java - lucene-solr - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.solr.security.hadoop;

 import static org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider.DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME;
 import static org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider.DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME;
 import static org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider.DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME;
 import static org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider.DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME;

 import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Locale;
 import java.util.concurrent.TimeUnit;

 import org.apache.solr.cloud.MiniSolrCloudCluster;
 import org.apache.solr.cloud.SolrCloudTestCase;
 import org.apache.solr.cloud.hdfs.HdfsTestUtil;
 import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
 import org.apache.solr.common.cloud.SolrZkClient;
 import org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider;
 import org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
 import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;

 public class TestZkAclsWithHadoopAuth extends SolrCloudTestCase {
   protected static final int NUM_SERVERS = 1;
   protected static final int NUM_SHARDS = 1;
   protected static final int REPLICATION_FACTOR = 1;
   private static final String SOLR_PASSWD = "solr";
   private static final String FOO_PASSWD = "foo";
   private static final Id SOLR_ZK_ID = new Id("digest", digest ("solr", SOLR_PASSWD));
   private static final Id FOO_ZK_ID = new Id("digest", digest ("foo", FOO_PASSWD));

   @BeforeClass
   public static void setupClass() throws Exception {
     HdfsTestUtil.checkAssumptions();

     System.setProperty(SolrZkClient.ZK_ACL_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
         VMParamsAllAndReadonlyDigestZkACLProvider.class.getName());
     System.setProperty(SolrZkClient.ZK_CRED_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
         VMParamsSingleSetCredentialsDigestZkCredentialsProvider.class.getName());
     System.setProperty(DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME, "solr");
     System.setProperty(DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME, SOLR_PASSWD);
     System.setProperty(DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME, "foo");
     System.setProperty(DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME, FOO_PASSWD);

     configureCluster(NUM_SERVERS)// nodes
         .withSolrXml(MiniSolrCloudCluster.DEFAULT_CLOUD_SOLR_XML)
         .withSecurityJson(TEST_PATH().resolve("security").resolve("hadoop_simple_auth_with_delegation.json"))
         .addConfig("conf1", TEST_PATH().resolve("configsets").resolve("cloud-minimal").resolve("conf"))
         .configure();
   }

   @AfterClass
   public static void tearDownClass() {
     System.clearProperty(SolrZkClient.ZK_ACL_PROVIDER_CLASS_NAME_VM_PARAM_NAME);
     System.clearProperty(SolrZkClient.ZK_CRED_PROVIDER_CLASS_NAME_VM_PARAM_NAME);
     System.clearProperty(DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME);
     System.clearProperty(DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME);
     System.clearProperty(DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME);
     System.clearProperty(DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME);
   }

   @Test
   @SuppressWarnings({"try"})
   public void testZkAcls() throws Exception {
     try (ZooKeeper keeper = new ZooKeeper(cluster.getZkServer().getZkAddress(),
         (int) TimeUnit.MINUTES.toMillis(1), arg0 -> {/* Do nothing */})) {
       keeper.addAuthInfo("digest", ("solr:" + SOLR_PASSWD).getBytes(StandardCharsets.UTF_8));

       // Test well known paths.
       checkNonSecurityACLs(keeper, "/solr.xml");
       checkSecurityACLs(keeper, "/security/token");
       checkSecurityACLs(keeper, "/security");

       // Now test all ZK tree.
       String zkHost = cluster.getSolrClient().getZkHost();
       String zkChroot = zkHost.contains("/") ? zkHost.substring(zkHost.indexOf("/")) : null;
       walkZkTree(keeper, zkChroot, "/");
     }
   }

   private void walkZkTree (ZooKeeper keeper, String zkChroot, String path) throws Exception {
     if (isSecurityZNode(zkChroot, path)) {
       checkSecurityACLs(keeper, path);
     } else {
       checkNonSecurityACLs(keeper, path);
     }

     List<String> children = keeper.getChildren(path, false);
     for (String child : children) {
       String subpath = path.endsWith("/") ? path + child : path + "/" + child;
       walkZkTree(keeper, zkChroot, subpath);
     }
   }

   private boolean isSecurityZNode(String zkChroot, String path) {
     String temp = path;
     if (zkChroot != null) {
       temp = path.replace(zkChroot, "");
     }
     return temp.startsWith(SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH);
   }

   private void checkSecurityACLs(ZooKeeper keeper, String path) throws Exception {
     List<ACL> acls = keeper.getACL(path, new Stat());
     String message = String.format(Locale.ROOT, "Path %s ACLs found %s", path, acls);
     assertEquals(message, 1, acls.size());
     assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.ALL, SOLR_ZK_ID)));
   }

   private void checkNonSecurityACLs(ZooKeeper keeper, String path)  throws Exception {
     List<ACL> acls = keeper.getACL(path, new Stat());
     String message = String.format(Locale.ROOT, "Path %s ACLs found %s", path, acls);
     assertEquals(message, 2, acls.size());
     assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.ALL, SOLR_ZK_ID)));
     assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.READ, FOO_ZK_ID)));
   }

   private static String digest (String userName, String passwd) {
     try {
       return DigestAuthenticationProvider.generateDigest(userName+":"+passwd);
     } catch (NoSuchAlgorithmException ex) {
       throw new RuntimeException(ex);
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.solr.security.hadoop;

	import static org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider.DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME;
	import static org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider.DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME;
	import static org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider.DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME;
	import static org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider.DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME;

	import java.nio.charset.StandardCharsets;
	import java.security.NoSuchAlgorithmException;
	import java.util.List;
	import java.util.Locale;
	import java.util.concurrent.TimeUnit;

	import org.apache.solr.cloud.MiniSolrCloudCluster;
	import org.apache.solr.cloud.SolrCloudTestCase;
	import org.apache.solr.cloud.hdfs.HdfsTestUtil;
	import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
	import org.apache.solr.common.cloud.SolrZkClient;
	import org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider;
	import org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider;
	import org.apache.zookeeper.ZooDefs;
	import org.apache.zookeeper.ZooKeeper;
	import org.apache.zookeeper.data.ACL;
	import org.apache.zookeeper.data.Id;
	import org.apache.zookeeper.data.Stat;
	import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
	import org.junit.AfterClass;
	import org.junit.BeforeClass;
	import org.junit.Test;

	public class TestZkAclsWithHadoopAuth extends SolrCloudTestCase {
	protected static final int NUM_SERVERS = 1;
	protected static final int NUM_SHARDS = 1;
	protected static final int REPLICATION_FACTOR = 1;
	private static final String SOLR_PASSWD = "solr";
	private static final String FOO_PASSWD = "foo";
	private static final Id SOLR_ZK_ID = new Id("digest", digest ("solr", SOLR_PASSWD));
	private static final Id FOO_ZK_ID = new Id("digest", digest ("foo", FOO_PASSWD));

	@BeforeClass
	public static void setupClass() throws Exception {
	HdfsTestUtil.checkAssumptions();

	System.setProperty(SolrZkClient.ZK_ACL_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
	VMParamsAllAndReadonlyDigestZkACLProvider.class.getName());
	System.setProperty(SolrZkClient.ZK_CRED_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
	VMParamsSingleSetCredentialsDigestZkCredentialsProvider.class.getName());
	System.setProperty(DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME, "solr");
	System.setProperty(DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME, SOLR_PASSWD);
	System.setProperty(DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME, "foo");
	System.setProperty(DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME, FOO_PASSWD);

	configureCluster(NUM_SERVERS)// nodes
	.withSolrXml(MiniSolrCloudCluster.DEFAULT_CLOUD_SOLR_XML)
	.withSecurityJson(TEST_PATH().resolve("security").resolve("hadoop_simple_auth_with_delegation.json"))
	.addConfig("conf1", TEST_PATH().resolve("configsets").resolve("cloud-minimal").resolve("conf"))
	.configure();
	}

	@AfterClass
	public static void tearDownClass() {
	System.clearProperty(SolrZkClient.ZK_ACL_PROVIDER_CLASS_NAME_VM_PARAM_NAME);
	System.clearProperty(SolrZkClient.ZK_CRED_PROVIDER_CLASS_NAME_VM_PARAM_NAME);
	System.clearProperty(DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME);
	System.clearProperty(DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME);
	System.clearProperty(DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME);
	System.clearProperty(DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME);
	}

	@Test
	@SuppressWarnings({"try"})
	public void testZkAcls() throws Exception {
	try (ZooKeeper keeper = new ZooKeeper(cluster.getZkServer().getZkAddress(),
	(int) TimeUnit.MINUTES.toMillis(1), arg0 -> {/* Do nothing */})) {
	keeper.addAuthInfo("digest", ("solr:" + SOLR_PASSWD).getBytes(StandardCharsets.UTF_8));

	// Test well known paths.
	checkNonSecurityACLs(keeper, "/solr.xml");
	checkSecurityACLs(keeper, "/security/token");
	checkSecurityACLs(keeper, "/security");

	// Now test all ZK tree.
	String zkHost = cluster.getSolrClient().getZkHost();
	String zkChroot = zkHost.contains("/") ? zkHost.substring(zkHost.indexOf("/")) : null;
	walkZkTree(keeper, zkChroot, "/");
	}
	}

	private void walkZkTree (ZooKeeper keeper, String zkChroot, String path) throws Exception {
	if (isSecurityZNode(zkChroot, path)) {
	checkSecurityACLs(keeper, path);
	} else {
	checkNonSecurityACLs(keeper, path);
	}

	List<String> children = keeper.getChildren(path, false);
	for (String child : children) {
	String subpath = path.endsWith("/") ? path + child : path + "/" + child;
	walkZkTree(keeper, zkChroot, subpath);
	}
	}

	private boolean isSecurityZNode(String zkChroot, String path) {
	String temp = path;
	if (zkChroot != null) {
	temp = path.replace(zkChroot, "");
	}
	return temp.startsWith(SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH);
	}

	private void checkSecurityACLs(ZooKeeper keeper, String path) throws Exception {
	List<ACL> acls = keeper.getACL(path, new Stat());
	String message = String.format(Locale.ROOT, "Path %s ACLs found %s", path, acls);
	assertEquals(message, 1, acls.size());
	assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.ALL, SOLR_ZK_ID)));
	}

	private void checkNonSecurityACLs(ZooKeeper keeper, String path) throws Exception {
	List<ACL> acls = keeper.getACL(path, new Stat());
	String message = String.format(Locale.ROOT, "Path %s ACLs found %s", path, acls);
	assertEquals(message, 2, acls.size());
	assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.ALL, SOLR_ZK_ID)));
	assertTrue(message, acls.contains(new ACL(ZooDefs.Perms.READ, FOO_ZK_ID)));
	}

	private static String digest (String userName, String passwd) {
	try {
	return DigestAuthenticationProvider.generateDigest(userName+":"+passwd);
	} catch (NoSuchAlgorithmException ex) {
	throw new RuntimeException(ex);
	}
	}
	}