storm-server/src/main/java/org/apache/storm/zookeeper/AclEnforcement.java - storm - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.  The ASF licenses this file to you under the Apache License, Version
  * 2.0 (the "License"); you may not use this file except in compliance with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
  * and limitations under the License.
  */

 package org.apache.storm.zookeeper;

 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import javax.security.auth.Subject;
 import org.apache.storm.Config;
 import org.apache.storm.blobstore.BlobStore;
 import org.apache.storm.callback.DefaultWatcherCallBack;
 import org.apache.storm.cluster.ClusterUtils;
 import org.apache.storm.cluster.DaemonType;
 import org.apache.storm.generated.KeyNotFoundException;
 import org.apache.storm.generated.WorkerTokenServiceType;
 import org.apache.storm.nimbus.NimbusInfo;
 import org.apache.storm.security.auth.NimbusPrincipal;
 import org.apache.storm.shade.org.apache.curator.framework.CuratorFramework;
 import org.apache.storm.shade.org.apache.zookeeper.KeeperException;
 import org.apache.storm.shade.org.apache.zookeeper.ZooDefs;
 import org.apache.storm.shade.org.apache.zookeeper.data.ACL;
 import org.apache.storm.shade.org.apache.zookeeper.data.Id;
 import org.apache.storm.shade.org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
 import org.apache.storm.utils.ConfigUtils;
 import org.apache.storm.utils.ObjectReader;
 import org.apache.storm.utils.ServerUtils;
 import org.apache.storm.utils.Utils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /**
  * This is code intended to enforce ZK ACLs.
  */
 public class AclEnforcement {
     private static final Logger LOG = LoggerFactory.getLogger(AclEnforcement.class);

     /**
      * Verify the ZK ACLs are correct and optionally fix them if needed.
      * @param conf the cluster config.
      * @param fixUp true if we want to fix the ACLs else false.
      * @throws Exception on any error.
      */
     public static void verifyAcls(Map<String, Object> conf, final boolean fixUp) throws Exception {
         if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
             LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
             //There is no security so we are done.
             return;
         }
         ACL superUserAcl = Utils.getSuperUserAcl(conf);
         List<ACL> superAcl = new ArrayList<>(1);
         superAcl.add(superUserAcl);

         List<ACL> drpcFullAcl = new ArrayList<>(2);
         drpcFullAcl.add(superUserAcl);

         String drpcAclString = (String) conf.get(Config.STORM_ZOOKEEPER_DRPC_ACL);
         if (drpcAclString != null) {
             Id drpcAclId = Utils.parseZkId(drpcAclString, Config.STORM_ZOOKEEPER_DRPC_ACL);
             ACL drpcUserAcl = new ACL(ZooDefs.Perms.READ, drpcAclId);
             drpcFullAcl.add(drpcUserAcl);
         }

         List<String> zkServers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
         int port = ObjectReader.getInt(conf.get(Config.STORM_ZOOKEEPER_PORT));
         String stormRoot = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);

         try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, "",
                                                             new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
             if (zk.checkExists().forPath(stormRoot) != null) {
                 //First off we want to verify that ROOT is good
                 verifyAclStrict(zk, superAcl, stormRoot, fixUp);
             } else {
                 LOG.warn("{} does not exist no need to check any more...", stormRoot);
                 return;
             }
         }

         // Now that the root is fine we can start to look at the other paths under it.
         try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, stormRoot,
                                                             new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
             //Next verify that the blob store is correct before we start it up.
             if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
                 verifyAclStrictRecursive(zk, superAcl, ClusterUtils.BLOBSTORE_SUBTREE, fixUp);
             }

             if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
                 verifyAclStrict(zk, superAcl, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, fixUp);
             }

             //The blobstore is good, now lets get the list of all topo Ids
             Set<String> topoIds = new HashSet<>();
             if (zk.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
                 topoIds.addAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
             }

             Map<String, Id> topoToZkCreds = new HashMap<>();
             //Now lets get the creds for the topos so we can verify those as well.
             BlobStore bs = ServerUtils.getNimbusBlobStore(conf, NimbusInfo.fromConf(conf), null);
             try {
                 Subject nimbusSubject = new Subject();
                 nimbusSubject.getPrincipals().add(new NimbusPrincipal());
                 for (String topoId : topoIds) {
                     try {
                         String blobKey = topoId + "-stormconf.ser";
                         Map<String, Object> topoConf = Utils.fromCompressedJsonConf(bs.readBlob(blobKey, nimbusSubject));
                         String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
                         try {
                             topoToZkCreds.put(topoId, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
                         } catch (NoSuchAlgorithmException e) {
                             throw new RuntimeException(e);
                         }
                     } catch (KeyNotFoundException knf) {
                         LOG.debug("topo removed {}", topoId, knf);
                     }
                 }
             } finally {
                 if (bs != null) {
                     bs.shutdown();
                 }
             }

             verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.STORMS_SUBTREE, topoToZkCreds, fixUp);
             verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, topoToZkCreds, fixUp);
             //There is a race on credentials where they can be leaked in some versions of storm.
             verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, topoToZkCreds, fixUp);
             //There is a race on logconfig where they can be leaked in some versions of storm.
             verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, topoToZkCreds, fixUp);
             //There is a race on backpressure too...
             verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, topoToZkCreds, fixUp);

             if (zk.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
                 //errors is a bit special because in older versions of storm the worker created the parent directories lazily
                 // because of this it means we need to auto create at least the topo-id directory for all running topos.
                 for (String topoId : topoToZkCreds.keySet()) {
                     String path = ClusterUtils.errorStormRoot(topoId);
                     if (zk.checkExists().forPath(path) == null) {
                         LOG.warn("Creating missing errors location {}", path);
                         zk.create().withACL(getTopoReadWrite(path, topoId, topoToZkCreds, superUserAcl, fixUp)).forPath(path);
                     }
                 }
             }
             //Error should not be leaked according to the code, but they are not important enough to fail the build if
             // for some odd reason they are leaked.
             verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.ERRORS_SUBTREE, topoToZkCreds, fixUp);

             if (zk.checkExists().forPath(ClusterUtils.SECRET_KEYS_SUBTREE) != null) {
                 verifyAclStrict(zk, superAcl, ClusterUtils.SECRET_KEYS_SUBTREE, fixUp);
                 verifyAclStrictRecursive(zk, superAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), fixUp);
                 verifyAclStrictRecursive(zk, drpcFullAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), fixUp);
             }

             if (zk.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
                 verifyAclStrictRecursive(zk, superAcl, ClusterUtils.NIMBUSES_SUBTREE, fixUp);
             }

             if (zk.checkExists().forPath("/leader-lock") != null) {
                 verifyAclStrictRecursive(zk, superAcl, "/leader-lock", fixUp);
             }

             if (zk.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
                 verifyAclStrictRecursive(zk, superAcl, ClusterUtils.PROFILERCONFIG_SUBTREE, fixUp);
             }

             if (zk.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
                 verifyAclStrictRecursive(zk, superAcl, ClusterUtils.SUPERVISORS_SUBTREE, fixUp);
             }

             // When moving to pacemaker workerbeats can be leaked too...
             verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, topoToZkCreds, fixUp);
         }
     }

     private static List<ACL> getTopoAcl(String path, String topoId, Map<String, Id> topoToZkCreds, ACL superAcl, boolean fixUp, int perms) {
         Id id = topoToZkCreds.get(topoId);
         if (id == null) {
             String error = "Could not find credentials for topology " + topoId + " at path " + path + ".";
             if (fixUp) {
                 error += " Don't know how to fix this automatically. Please add needed ACLs, or delete the path.";
             }
             throw new IllegalStateException(error);
         }
         List<ACL> ret = new ArrayList<>(2);
         ret.add(superAcl);
         ret.add(new ACL(perms, id));
         return ret;
     }

     private static List<ACL> getTopoReadWrite(String path, String topoId, Map<String, Id> topoToZkCreds, ACL superAcl, boolean fixUp) {
         return getTopoAcl(path, topoId, topoToZkCreds, superAcl, fixUp, ZooDefs.Perms.ALL);
     }

     private static void verifyParentWithTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
                                                                Map<String, Id> topoToZkCreds, boolean fixUp, int perms) throws Exception {
         if (zk.checkExists().forPath(path) != null) {
             verifyAclStrict(zk, Arrays.asList(superUserAcl), path, fixUp);
             Set<String> possiblyBadIds = new HashSet<>();
             for (String topoId : zk.getChildren().forPath(path)) {
                 String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
                 if (!topoToZkCreds.containsKey(topoId)) {
                     //Save it to try again later...
                     possiblyBadIds.add(topoId);
                 } else {
                     List<ACL> rwAcl = getTopoAcl(path, topoId, topoToZkCreds, superUserAcl, fixUp, perms);
                     verifyAclStrictRecursive(zk, rwAcl, childPath, fixUp);
                 }
             }

             if (!possiblyBadIds.isEmpty()) {
                 //Lets reread the children in STORMS as the source of truth and see if a new one was created in the background
                 possiblyBadIds.removeAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
                 for (String topoId : possiblyBadIds) {
                     //Now we know for sure that this is a bad id
                     String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
                     zk.delete().deletingChildrenIfNeeded().forPath(childPath);
                 }
             }
         }
     }

     private static void verifyParentWithReadOnlyTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
                                                                        Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
         verifyParentWithTopoChildrenDeleteDead(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.READ);
     }

     private static void verifyParentWithReadWriteTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
                                                                         Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
         verifyParentWithTopoChildrenDeleteDead(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.ALL);
     }

     private static void verifyParentWithTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
                                                      Map<String, Id> topoToZkCreds, boolean fixUp, int perms) throws Exception {
         if (zk.checkExists().forPath(path) != null) {
             verifyAclStrict(zk, Arrays.asList(superUserAcl), path, fixUp);
             for (String topoId : zk.getChildren().forPath(path)) {
                 String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
                 List<ACL> rwAcl = getTopoAcl(path, topoId, topoToZkCreds, superUserAcl, fixUp, perms);
                 verifyAclStrictRecursive(zk, rwAcl, childPath, fixUp);
             }
         }
     }

     private static void verifyParentWithReadOnlyTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
                                                              Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
         verifyParentWithTopoChildren(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.READ);
     }

     private static void verifyParentWithReadWriteTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
                                                               Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
         verifyParentWithTopoChildren(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.ALL);
     }

     private static void verifyAclStrictRecursive(CuratorFramework zk, List<ACL> strictAcl, String path, boolean fixUp) throws Exception {
         verifyAclStrict(zk, strictAcl, path, fixUp);
         for (String child : zk.getChildren().forPath(path)) {
             String newPath = path + ClusterUtils.ZK_SEPERATOR + child;
             verifyAclStrictRecursive(zk, strictAcl, newPath, fixUp);
         }
     }

     private static void verifyAclStrict(CuratorFramework zk, List<ACL> strictAcl, String path, boolean fixUp) throws Exception {
         try {
             List<ACL> foundAcl = zk.getACL().forPath(path);
             if (!equivalent(foundAcl, strictAcl)) {
                 if (fixUp) {
                     LOG.warn("{} expected to have ACL {}, but has {}.  Fixing...", path, strictAcl, foundAcl);
                     zk.setACL().withACL(strictAcl).forPath(path);
                 } else {
                     throw new IllegalStateException(path + " did not have the correct ACL found " + foundAcl + " expected " + strictAcl);
                 }
             }
         } catch (KeeperException.NoNodeException ne) {
             LOG.debug("{} removed in the middle of checking it", ne);
         }
     }

     private static boolean equivalent(List<ACL> a, List<ACL> b) {
         if (a.size() == b.size()) {
             for (ACL acl : a) {
                 if (!b.contains(acl)) {
                     return false;
                 }
             }
             return true;
         }
         return false;
     }

     public static void main(String[] args) throws Exception {
         Map<String, Object> conf = ConfigUtils.readStormConfig();
         boolean fixUp = false;
         for (String arg : args) {
             String a = arg.toLowerCase();
             if ("-f".equals(a) || "--fixup".equals(a)) {
                 fixUp = true;
             } else {
                 throw new IllegalArgumentException("Unsupported argument " + arg + " only -f or --fixup is supported.");
             }
         }
         verifyAcls(conf, fixUp);
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version
	* 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
	* and limitations under the License.
	*/

	package org.apache.storm.zookeeper;

	import java.security.NoSuchAlgorithmException;
	import java.util.ArrayList;
	import java.util.Arrays;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.List;
	import java.util.Map;
	import java.util.Set;
	import javax.security.auth.Subject;
	import org.apache.storm.Config;
	import org.apache.storm.blobstore.BlobStore;
	import org.apache.storm.callback.DefaultWatcherCallBack;
	import org.apache.storm.cluster.ClusterUtils;
	import org.apache.storm.cluster.DaemonType;
	import org.apache.storm.generated.KeyNotFoundException;
	import org.apache.storm.generated.WorkerTokenServiceType;
	import org.apache.storm.nimbus.NimbusInfo;
	import org.apache.storm.security.auth.NimbusPrincipal;
	import org.apache.storm.shade.org.apache.curator.framework.CuratorFramework;
	import org.apache.storm.shade.org.apache.zookeeper.KeeperException;
	import org.apache.storm.shade.org.apache.zookeeper.ZooDefs;
	import org.apache.storm.shade.org.apache.zookeeper.data.ACL;
	import org.apache.storm.shade.org.apache.zookeeper.data.Id;
	import org.apache.storm.shade.org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
	import org.apache.storm.utils.ConfigUtils;
	import org.apache.storm.utils.ObjectReader;
	import org.apache.storm.utils.ServerUtils;
	import org.apache.storm.utils.Utils;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/**
	* This is code intended to enforce ZK ACLs.
	*/
	public class AclEnforcement {
	private static final Logger LOG = LoggerFactory.getLogger(AclEnforcement.class);

	/**
	* Verify the ZK ACLs are correct and optionally fix them if needed.
	* @param conf the cluster config.
	* @param fixUp true if we want to fix the ACLs else false.
	* @throws Exception on any error.
	*/
	public static void verifyAcls(Map<String, Object> conf, final boolean fixUp) throws Exception {
	if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
	LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
	//There is no security so we are done.
	return;
	}
	ACL superUserAcl = Utils.getSuperUserAcl(conf);
	List<ACL> superAcl = new ArrayList<>(1);
	superAcl.add(superUserAcl);

	List<ACL> drpcFullAcl = new ArrayList<>(2);
	drpcFullAcl.add(superUserAcl);

	String drpcAclString = (String) conf.get(Config.STORM_ZOOKEEPER_DRPC_ACL);
	if (drpcAclString != null) {
	Id drpcAclId = Utils.parseZkId(drpcAclString, Config.STORM_ZOOKEEPER_DRPC_ACL);
	ACL drpcUserAcl = new ACL(ZooDefs.Perms.READ, drpcAclId);
	drpcFullAcl.add(drpcUserAcl);
	}

	List<String> zkServers = (List<String>) conf.get(Config.STORM_ZOOKEEPER_SERVERS);
	int port = ObjectReader.getInt(conf.get(Config.STORM_ZOOKEEPER_PORT));
	String stormRoot = (String) conf.get(Config.STORM_ZOOKEEPER_ROOT);

	try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, "",
	new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
	if (zk.checkExists().forPath(stormRoot) != null) {
	//First off we want to verify that ROOT is good
	verifyAclStrict(zk, superAcl, stormRoot, fixUp);
	} else {
	LOG.warn("{} does not exist no need to check any more...", stormRoot);
	return;
	}
	}

	// Now that the root is fine we can start to look at the other paths under it.
	try (CuratorFramework zk = ClientZookeeper.mkClient(conf, zkServers, port, stormRoot,
	new DefaultWatcherCallBack(), conf, DaemonType.NIMBUS)) {
	//Next verify that the blob store is correct before we start it up.
	if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
	verifyAclStrictRecursive(zk, superAcl, ClusterUtils.BLOBSTORE_SUBTREE, fixUp);
	}

	if (zk.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
	verifyAclStrict(zk, superAcl, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, fixUp);
	}

	//The blobstore is good, now lets get the list of all topo Ids
	Set<String> topoIds = new HashSet<>();
	if (zk.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
	topoIds.addAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
	}

	Map<String, Id> topoToZkCreds = new HashMap<>();
	//Now lets get the creds for the topos so we can verify those as well.
	BlobStore bs = ServerUtils.getNimbusBlobStore(conf, NimbusInfo.fromConf(conf), null);
	try {
	Subject nimbusSubject = new Subject();
	nimbusSubject.getPrincipals().add(new NimbusPrincipal());
	for (String topoId : topoIds) {
	try {
	String blobKey = topoId + "-stormconf.ser";
	Map<String, Object> topoConf = Utils.fromCompressedJsonConf(bs.readBlob(blobKey, nimbusSubject));
	String payload = (String) topoConf.get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
	try {
	topoToZkCreds.put(topoId, new Id("digest", DigestAuthenticationProvider.generateDigest(payload)));
	} catch (NoSuchAlgorithmException e) {
	throw new RuntimeException(e);
	}
	} catch (KeyNotFoundException knf) {
	LOG.debug("topo removed {}", topoId, knf);
	}
	}
	} finally {
	if (bs != null) {
	bs.shutdown();
	}
	}

	verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.STORMS_SUBTREE, topoToZkCreds, fixUp);
	verifyParentWithReadOnlyTopoChildren(zk, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, topoToZkCreds, fixUp);
	//There is a race on credentials where they can be leaked in some versions of storm.
	verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, topoToZkCreds, fixUp);
	//There is a race on logconfig where they can be leaked in some versions of storm.
	verifyParentWithReadOnlyTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, topoToZkCreds, fixUp);
	//There is a race on backpressure too...
	verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, topoToZkCreds, fixUp);

	if (zk.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
	//errors is a bit special because in older versions of storm the worker created the parent directories lazily
	// because of this it means we need to auto create at least the topo-id directory for all running topos.
	for (String topoId : topoToZkCreds.keySet()) {
	String path = ClusterUtils.errorStormRoot(topoId);
	if (zk.checkExists().forPath(path) == null) {
	LOG.warn("Creating missing errors location {}", path);
	zk.create().withACL(getTopoReadWrite(path, topoId, topoToZkCreds, superUserAcl, fixUp)).forPath(path);
	}
	}
	}
	//Error should not be leaked according to the code, but they are not important enough to fail the build if
	// for some odd reason they are leaked.
	verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.ERRORS_SUBTREE, topoToZkCreds, fixUp);

	if (zk.checkExists().forPath(ClusterUtils.SECRET_KEYS_SUBTREE) != null) {
	verifyAclStrict(zk, superAcl, ClusterUtils.SECRET_KEYS_SUBTREE, fixUp);
	verifyAclStrictRecursive(zk, superAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), fixUp);
	verifyAclStrictRecursive(zk, drpcFullAcl, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), fixUp);
	}

	if (zk.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
	verifyAclStrictRecursive(zk, superAcl, ClusterUtils.NIMBUSES_SUBTREE, fixUp);
	}

	if (zk.checkExists().forPath("/leader-lock") != null) {
	verifyAclStrictRecursive(zk, superAcl, "/leader-lock", fixUp);
	}

	if (zk.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
	verifyAclStrictRecursive(zk, superAcl, ClusterUtils.PROFILERCONFIG_SUBTREE, fixUp);
	}

	if (zk.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
	verifyAclStrictRecursive(zk, superAcl, ClusterUtils.SUPERVISORS_SUBTREE, fixUp);
	}

	// When moving to pacemaker workerbeats can be leaked too...
	verifyParentWithReadWriteTopoChildrenDeleteDead(zk, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, topoToZkCreds, fixUp);
	}
	}

	private static List<ACL> getTopoAcl(String path, String topoId, Map<String, Id> topoToZkCreds, ACL superAcl, boolean fixUp, int perms) {
	Id id = topoToZkCreds.get(topoId);
	if (id == null) {
	String error = "Could not find credentials for topology " + topoId + " at path " + path + ".";
	if (fixUp) {
	error += " Don't know how to fix this automatically. Please add needed ACLs, or delete the path.";
	}
	throw new IllegalStateException(error);
	}
	List<ACL> ret = new ArrayList<>(2);
	ret.add(superAcl);
	ret.add(new ACL(perms, id));
	return ret;
	}

	private static List<ACL> getTopoReadWrite(String path, String topoId, Map<String, Id> topoToZkCreds, ACL superAcl, boolean fixUp) {
	return getTopoAcl(path, topoId, topoToZkCreds, superAcl, fixUp, ZooDefs.Perms.ALL);
	}

	private static void verifyParentWithTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp, int perms) throws Exception {
	if (zk.checkExists().forPath(path) != null) {
	verifyAclStrict(zk, Arrays.asList(superUserAcl), path, fixUp);
	Set<String> possiblyBadIds = new HashSet<>();
	for (String topoId : zk.getChildren().forPath(path)) {
	String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
	if (!topoToZkCreds.containsKey(topoId)) {
	//Save it to try again later...
	possiblyBadIds.add(topoId);
	} else {
	List<ACL> rwAcl = getTopoAcl(path, topoId, topoToZkCreds, superUserAcl, fixUp, perms);
	verifyAclStrictRecursive(zk, rwAcl, childPath, fixUp);
	}
	}

	if (!possiblyBadIds.isEmpty()) {
	//Lets reread the children in STORMS as the source of truth and see if a new one was created in the background
	possiblyBadIds.removeAll(zk.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
	for (String topoId : possiblyBadIds) {
	//Now we know for sure that this is a bad id
	String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
	zk.delete().deletingChildrenIfNeeded().forPath(childPath);
	}
	}
	}
	}

	private static void verifyParentWithReadOnlyTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
	verifyParentWithTopoChildrenDeleteDead(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.READ);
	}

	private static void verifyParentWithReadWriteTopoChildrenDeleteDead(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
	verifyParentWithTopoChildrenDeleteDead(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.ALL);
	}

	private static void verifyParentWithTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp, int perms) throws Exception {
	if (zk.checkExists().forPath(path) != null) {
	verifyAclStrict(zk, Arrays.asList(superUserAcl), path, fixUp);
	for (String topoId : zk.getChildren().forPath(path)) {
	String childPath = path + ClusterUtils.ZK_SEPERATOR + topoId;
	List<ACL> rwAcl = getTopoAcl(path, topoId, topoToZkCreds, superUserAcl, fixUp, perms);
	verifyAclStrictRecursive(zk, rwAcl, childPath, fixUp);
	}
	}
	}

	private static void verifyParentWithReadOnlyTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
	verifyParentWithTopoChildren(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.READ);
	}

	private static void verifyParentWithReadWriteTopoChildren(CuratorFramework zk, ACL superUserAcl, String path,
	Map<String, Id> topoToZkCreds, boolean fixUp) throws Exception {
	verifyParentWithTopoChildren(zk, superUserAcl, path, topoToZkCreds, fixUp, ZooDefs.Perms.ALL);
	}

	private static void verifyAclStrictRecursive(CuratorFramework zk, List<ACL> strictAcl, String path, boolean fixUp) throws Exception {
	verifyAclStrict(zk, strictAcl, path, fixUp);
	for (String child : zk.getChildren().forPath(path)) {
	String newPath = path + ClusterUtils.ZK_SEPERATOR + child;
	verifyAclStrictRecursive(zk, strictAcl, newPath, fixUp);
	}
	}

	private static void verifyAclStrict(CuratorFramework zk, List<ACL> strictAcl, String path, boolean fixUp) throws Exception {
	try {
	List<ACL> foundAcl = zk.getACL().forPath(path);
	if (!equivalent(foundAcl, strictAcl)) {
	if (fixUp) {
	LOG.warn("{} expected to have ACL {}, but has {}. Fixing...", path, strictAcl, foundAcl);
	zk.setACL().withACL(strictAcl).forPath(path);
	} else {
	throw new IllegalStateException(path + " did not have the correct ACL found " + foundAcl + " expected " + strictAcl);
	}
	}
	} catch (KeeperException.NoNodeException ne) {
	LOG.debug("{} removed in the middle of checking it", ne);
	}
	}

	private static boolean equivalent(List<ACL> a, List<ACL> b) {
	if (a.size() == b.size()) {
	for (ACL acl : a) {
	if (!b.contains(acl)) {
	return false;
	}
	}
	return true;
	}
	return false;
	}

	public static void main(String[] args) throws Exception {
	Map<String, Object> conf = ConfigUtils.readStormConfig();
	boolean fixUp = false;
	for (String arg : args) {
	String a = arg.toLowerCase();
	if ("-f".equals(a) \|\| "--fixup".equals(a)) {
	fixUp = true;
	} else {
	throw new IllegalArgumentException("Unsupported argument " + arg + " only -f or --fixup is supported.");
	}
	}
	verifyAcls(conf, fixUp);
	}
	}