| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.oozie.util; |
| |
| import java.util.List; |
| import static junit.framework.Assert.assertEquals; |
| |
| import org.apache.oozie.lock.LockToken; |
| import org.apache.oozie.service.Services; |
| import org.apache.oozie.service.ZKLocksService; |
| import org.apache.oozie.test.ZKXTestCaseWithSecurity; |
| import org.apache.zookeeper.ZooDefs; |
| import org.apache.zookeeper.data.ACL; |
| import org.apache.zookeeper.data.Stat; |
| |
| public class TestZKUtilsWithSecurity extends ZKXTestCaseWithSecurity { |
| |
| @Override |
| protected void setUp() throws Exception { |
| super.setUp(); |
| } |
| |
| @Override |
| protected void tearDown() throws Exception { |
| super.tearDown(); |
| } |
| |
| public void testCheckAndSetACLs() throws Exception { |
| // We want to verify the ACLs on locks and the service discovery; ZKUtils does the service discovery and starting |
| // ZKLocksService will use ZKUtils which will start advertising on the service discovery. We can also acquire a lock so |
| // it will create a lock znode. |
| ZKLocksService zkls = new ZKLocksService(); |
| try { |
| zkls.init(Services.get()); |
| LockToken lock = zkls.getWriteLock("foo", 3); |
| lock.release(); |
| List<ACL> acls = getClient().getZookeeperClient().getZooKeeper().getACL("/oozie", new Stat()); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks/foo"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers/" + ZK_ID); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| } |
| finally { |
| // unregistering all users of ZKUtils (i.e. ZKLocksService) will cause it to disconnect so when we set |
| // "oozie.zookeeper.secure" to true, it will again connect but using SASL/Kerberos |
| zkls.destroy(); |
| } |
| |
| // Verify that the expected paths created above still exist with the "world" ACLs |
| List<ACL> acls = getClient().getZookeeperClient().getZooKeeper().getACL("/oozie", new Stat()); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks/foo"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("world", acls.get(0).getId().getScheme()); |
| assertEquals("anyone", acls.get(0).getId().getId()); |
| |
| zkls = new ZKLocksService(); |
| try { |
| Services.get().getConf().set("oozie.zookeeper.secure", "true"); |
| // Now that security is enabled, it will trigger the checkAndSetACLs() code to go through and set all of the previously |
| // created znodes to have "sasl" ACLs |
| zkls.init(Services.get()); |
| acls = getClient().getZookeeperClient().getZooKeeper().getACL("/oozie", new Stat()); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks/foo"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers/" + ZK_ID); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| } |
| finally { |
| zkls.destroy(); |
| Services.get().getConf().set("oozie.zookeeper.secure", "false"); |
| } |
| } |
| |
| public void testNewUsingACLs() throws Exception { |
| // We want to verify the ACLs on new locks and the service discovery; ZKUtils does the service discovery and starting |
| // ZKLocksService will use ZKUtils which will start advertising on the service discovery. We can also acquire a lock so |
| // it will create a lock znode. |
| ZKLocksService zkls = new ZKLocksService(); |
| try { |
| Services.get().getConf().set("oozie.zookeeper.secure", "true"); |
| // Verify that the znodes don't already exist |
| assertNull(getClient().getZookeeperClient().getZooKeeper().exists("/oozie", null)); |
| assertNull(getClient().checkExists().forPath("/locks")); |
| assertNull(getClient().checkExists().forPath("/services")); |
| // Check that new znodes will use the ACLs |
| zkls.init(Services.get()); |
| LockToken lock = zkls.getWriteLock("foo", 3); |
| lock.release(); |
| List<ACL> acls = getClient().getZookeeperClient().getZooKeeper().getACL("/oozie", new Stat()); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/locks/foo"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers"); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| acls = getClient().getACL().forPath("/services/servers/" + ZK_ID); |
| assertEquals(ZooDefs.Perms.ALL, acls.get(0).getPerms()); |
| assertEquals("sasl", acls.get(0).getId().getScheme()); |
| assertEquals(PRIMARY_PRINCIPAL, acls.get(0).getId().getId()); |
| } |
| finally { |
| zkls.destroy(); |
| Services.get().getConf().set("oozie.zookeeper.secure", "false"); |
| } |
| } |
| } |