From si...@apache.org
Subject bookkeeper git commit: BOOKKEEPER-390: Provide support for ZooKeeper authentication
Date Tue, 28 Mar 2017 20:40:38 GMT
Repository: bookkeeper
Updated Branches:
  refs/heads/master 825e0e7b4 -> b30b527ba


BOOKKEEPER-390: Provide support for ZooKeeper authentication

Author: eolivelli <eolivelli@gmail.com>

Reviewers: Sijie Guo <sijie@apache.org>

Closes #76 from eolivelli/BOOKKEEPER-390


Project: http://git-wip-us.apache.org/repos/asf/bookkeeper/repo
Commit: http://git-wip-us.apache.org/repos/asf/bookkeeper/commit/b30b527b
Tree: http://git-wip-us.apache.org/repos/asf/bookkeeper/tree/b30b527b
Diff: http://git-wip-us.apache.org/repos/asf/bookkeeper/diff/b30b527b

Branch: refs/heads/master
Commit: b30b527ba995978694ebf735c02b508374001021
Parents: 825e0e7
Author: eolivelli <eolivelli@gmail.com>
Authored: Tue Mar 28 13:40:35 2017 -0700
Committer: Sijie Guo <sijie@apache.org>
Committed: Tue Mar 28 13:40:35 2017 -0700

----------------------------------------------------------------------
 .../org/apache/bookkeeper/bookie/Bookie.java    |   9 +-
 .../org/apache/bookkeeper/bookie/Cookie.java    |   9 +-
 .../bookie/ScanAndCompareGarbageCollector.java  |   6 +-
 .../bookkeeper/client/BookKeeperAdmin.java      |  12 +-
 .../apache/bookkeeper/client/BookieWatcher.java |   7 +-
 .../bookkeeper/conf/AbstractConfiguration.java  |  21 ++++
 .../meta/AbstractZkLedgerManager.java           |   4 +-
 .../meta/FlatLedgerManagerFactory.java          |   5 +-
 .../meta/HierarchicalLedgerManagerFactory.java  |   5 +-
 .../apache/bookkeeper/meta/LedgerLayout.java    |   6 +-
 .../bookkeeper/meta/LedgerManagerFactory.java   |   6 +-
 .../bookkeeper/meta/MSLedgerManagerFactory.java |   6 +-
 .../bookkeeper/meta/ZkLedgerIdGenerator.java    |   9 +-
 .../meta/ZkLedgerUnderreplicationManager.java   |  28 +++--
 .../bookkeeper/replication/AuditorElector.java  |  10 +-
 .../apache/bookkeeper/util/LocalBookKeeper.java |   1 +
 .../org/apache/bookkeeper/util/ZkUtils.java     |  11 ++
 .../bookie/EnableZkSecurityBasicTest.java       | 126 +++++++++++++++++++
 .../bookie/TestGcOverreplicatedLedger.java      |   3 +-
 .../bookkeeper/meta/LedgerLayoutTest.java       |   5 +-
 .../bookkeeper/meta/TestLedgerManager.java      |   7 +-
 .../meta/TestZkLedgerIdGenerator.java           |   3 +-
 22 files changed, 254 insertions(+), 45 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Bookie.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Bookie.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Bookie.java
index 61ba9b1..c743ef4 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Bookie.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Bookie.java
@@ -75,7 +75,6 @@ import org.apache.zookeeper.WatchedEvent;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.Watcher.Event.EventType;
 import org.apache.zookeeper.Watcher.Event.KeeperState;
-import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.Stat;
 import org.slf4j.Logger;
@@ -95,6 +94,8 @@ import static org.apache.bookkeeper.bookie.BookKeeperServerStats.READ_BYTES;
 import static org.apache.bookkeeper.bookie.BookKeeperServerStats.SERVER_STATUS;
 import static org.apache.bookkeeper.bookie.BookKeeperServerStats.WRITE_BYTES;
 import static org.apache.bookkeeper.bookie.BookKeeperServerStats.JOURNAL_SCOPE;
+import org.apache.bookkeeper.util.ZkUtils;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Implements a bookie.
@@ -143,6 +144,7 @@ public class Bookie extends BookieCriticalThread {
 
     final protected String zkBookieRegPath;
     final protected String zkBookieReadOnlyPath;
+    final protected List<ACL> zkAcls;
 
     final private AtomicBoolean zkRegistered = new AtomicBoolean(false);
     final protected AtomicBoolean readOnly = new AtomicBoolean(false);
@@ -648,6 +650,7 @@ public class Bookie extends BookieCriticalThread {
     public Bookie(ServerConfiguration conf, StatsLogger statsLogger)
             throws IOException, KeeperException, InterruptedException, BookieException {
         super("Bookie-" + conf.getBookiePort());
+        this.zkAcls = ZkUtils.getACLs(conf);
         this.bookieRegistrationPath = conf.getZkAvailableBookiesPath() + "/";
         this.bookieReadonlyRegistrationPath =
             this.bookieRegistrationPath + BookKeeperConstants.READONLY;
@@ -1033,7 +1036,7 @@ public class Bookie extends BookieCriticalThread {
         try{
             if (!checkRegNodeAndWaitExpired(regPath)) {
                 // Create the ZK ephemeral node for this Bookie.
-                zk.create(regPath, new byte[0], Ids.OPEN_ACL_UNSAFE,
+                zk.create(regPath, new byte[0], zkAcls,
                         CreateMode.EPHEMERAL);
                 LOG.info("Registered myself in ZooKeeper at {}.", regPath);
             }
@@ -1141,7 +1144,7 @@ public class Bookie extends BookieCriticalThread {
             if (null == zk.exists(this.bookieReadonlyRegistrationPath, false)) {
                 try {
                     zk.create(this.bookieReadonlyRegistrationPath, new byte[0],
-                              Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                              zkAcls, CreateMode.PERSISTENT);
                 } catch (NodeExistsException e) {
                     // this node is just now created by someone.
                 }
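Review bot: When the read-only registration path already exists, the `zk.exists(...)` guard skips the create and the znode keeps the ACL it was created with, so enabling `zkEnableSecurity` on an existing cluster leaves parents made with `Ids.OPEN_ACL_UNSAFE` open. ZooKeeper checks CREATE and DELETE on a child against the parent's ACL, so children created with `zkAcls` under such a parent can still be removed or replaced by an unauthenticated client. The same exists-then-create pattern appears in `Cookie.writeToZooKeeper`, the `BookKeeperAdmin` format hunk, `BookieWatcher` and `ZkLedgerUnderreplicationManager.checkLayout`. I would at least add `// an existing znode keeps its old ACL; zkAcls only applies to nodes created here` and document a migration step for upgraded clusters, for example `zk.setACL(path, zkAcls, -1)` on the existing roots. The enclosing method starts and ends outside the hunk.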

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Cookie.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Cookie.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Cookie.java
index 691dc1d..b1aa2dc 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Cookie.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/Cookie.java
@@ -47,14 +47,16 @@ import org.apache.bookkeeper.versioning.Version;
 import org.apache.bookkeeper.versioning.Versioned;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
-import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.collect.Sets;
 import com.google.protobuf.TextFormat;
+import java.util.List;
+import org.apache.bookkeeper.util.ZkUtils;
 
 /**
  * When a bookie starts for the first time it generates  a cookie, and stores
@@ -249,6 +251,7 @@ class Cookie {
      */
     void writeToZooKeeper(ZooKeeper zk, ServerConfiguration conf, Version version)
             throws KeeperException, InterruptedException, UnknownHostException {
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
         String bookieCookiePath = conf.getZkLedgersRootPath() + "/"
                 + BookKeeperConstants.COOKIE_NODE;
         String zkPath = getZkPath(conf);
@@ -257,14 +260,14 @@ class Cookie {
             if (zk.exists(bookieCookiePath, false) == null) {
                 try {
                     zk.create(bookieCookiePath, new byte[0],
-                            Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                            zkAcls, CreateMode.PERSISTENT);
                 } catch (KeeperException.NodeExistsException nne) {
                     LOG.info("More than one bookie tried to create {} at once. Safe to ignore",
                             bookieCookiePath);
                 }
             }
             zk.create(zkPath, data,
-                    Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                    zkAcls, CreateMode.PERSISTENT);
         } else {
             if (!(version instanceof ZkVersion)) {
                 throw new IllegalArgumentException("Invalid version type, expected ZkVersion type");

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/ScanAndCompareGarbageCollector.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/ScanAndCompareGarbageCollector.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/ScanAndCompareGarbageCollector.java
index 4a4c15b..ebcb98c 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/ScanAndCompareGarbageCollector.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/bookie/ScanAndCompareGarbageCollector.java
@@ -46,6 +46,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.collect.Sets;
+import java.util.List;
+import org.apache.bookkeeper.util.ZkUtils;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Garbage collector implementation using scan and compare.
@@ -165,6 +168,7 @@ public class ScanAndCompareGarbageCollector implements GarbageCollector{
 
     private Set<Long> removeOverReplicatedledgers(Set<Long> bkActiveledgers, final GarbageCleaner garbageCleaner)
             throws InterruptedException, KeeperException {
+        final List<ACL> zkAcls = ZkUtils.getACLs(conf);
         final Set<Long> overReplicatedLedgers = Sets.newHashSet();
         final Semaphore semaphore = new Semaphore(MAX_CONCURRENT_ZK_REQUESTS);
         final CountDownLatch latch = new CountDownLatch(bkActiveledgers.size());
@@ -178,7 +182,7 @@ public class ScanAndCompareGarbageCollector implements GarbageCollector{
                 // we try to acquire the underreplicated ledger lock to not let the bookie replicate the ledger that is
                 // already being checked for deletion, since that might change the ledger ensemble to include the
                 // current bookie again and, in that case, we cannot remove the ledger from local storage
-                ZkLedgerUnderreplicationManager.acquireUnderreplicatedLedgerLock(zk, zkLedgersRootPath, ledgerId);
+                ZkLedgerUnderreplicationManager.acquireUnderreplicatedLedgerLock(zk, zkLedgersRootPath, ledgerId, zkAcls);
                 semaphore.acquire();
                 ledgerManager.readLedgerMetadata(ledgerId, new GenericCallback<LedgerMetadata>() {
 

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookKeeperAdmin.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookKeeperAdmin.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookKeeperAdmin.java
index f528455..d4d8d1f 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookKeeperAdmin.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookKeeperAdmin.java
@@ -37,7 +37,6 @@ import java.util.NoSuchElementException;
 import java.util.Random;
 import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
 
 import org.apache.bookkeeper.client.AsyncCallback.OpenCallback;
 import org.apache.bookkeeper.client.AsyncCallback.RecoverCallback;
@@ -58,9 +57,10 @@ import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.KeeperException.Code;
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.stats.StatsLogger;
+import org.apache.bookkeeper.util.ZkUtils;
 import org.apache.zookeeper.ZKUtil;
-import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -902,16 +902,16 @@ public class BookKeeperAdmin {
                     conf.getZkLedgersRootPath(), false);
             boolean availableNodeExists = null != zkc.exists(
                     conf.getZkAvailableBookiesPath(), false);
-
+            List<ACL> zkAcls = ZkUtils.getACLs(conf);
             // Create ledgers root node if not exists
             if (!ledgerRootExists) {
                 zkc.create(conf.getZkLedgersRootPath(), "".getBytes(UTF_8),
-                        Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                        zkAcls, CreateMode.PERSISTENT);
             }
             // create available bookies node if not exists
             if (!availableNodeExists) {
                 zkc.create(conf.getZkAvailableBookiesPath(), "".getBytes(UTF_8),
-                        Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                        zkAcls, CreateMode.PERSISTENT);
             }
 
             // If old data was there then confirm with admin.
@@ -977,7 +977,7 @@ public class BookKeeperAdmin {
             String instanceId = UUID.randomUUID().toString();
             zkc.create(conf.getZkLedgersRootPath() + "/"
                     + BookKeeperConstants.INSTANCEID, instanceId.getBytes(UTF_8),
-                    Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                    zkAcls, CreateMode.PERSISTENT);
 
             LOG.info("Successfully formatted BookKeeper metadata");
         } finally {

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookieWatcher.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookieWatcher.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookieWatcher.java
index 04499eb..ae0ac50 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookieWatcher.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/BookieWatcher.java
@@ -41,7 +41,6 @@ import org.apache.zookeeper.KeeperException.NodeExistsException;
 import org.apache.zookeeper.WatchedEvent;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.Watcher.Event.EventType;
-import org.apache.zookeeper.ZooDefs.Ids;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -49,7 +48,10 @@ import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.RemovalListener;
 import com.google.common.cache.RemovalNotification;
+
 import java.util.Map;
+import org.apache.bookkeeper.util.ZkUtils;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * This class is responsible for maintaining a consistent view of what bookies
@@ -336,7 +338,8 @@ class BookieWatcher implements Watcher, ChildrenCallback {
                     + BookKeeperConstants.READONLY;
             if (null == bk.getZkHandle().exists(readOnlyBookieRegPath, false)) {
                 try {
-                    bk.getZkHandle().create(readOnlyBookieRegPath, new byte[0], Ids.OPEN_ACL_UNSAFE,
+                    List<ACL> zkAcls = ZkUtils.getACLs(conf);
+                    bk.getZkHandle().create(readOnlyBookieRegPath, new byte[0], zkAcls,
                             CreateMode.PERSISTENT);
                 } catch (NodeExistsException e) {
                     // this node is just now created by someone.

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/conf/AbstractConfiguration.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/conf/AbstractConfiguration.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/conf/AbstractConfiguration.java
index 1497c7a..07e5d08 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/conf/AbstractConfiguration.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/conf/AbstractConfiguration.java
@@ -73,6 +73,9 @@ public abstract class AbstractConfiguration extends CompositeConfiguration {
     protected final static String NETTY_MAX_FRAME_SIZE = "nettyMaxFrameSizeBytes";
     protected final static int DEFAULT_NETTY_MAX_FRAME_SIZE = 5 * 1024 * 1024; // 5MB
 
+    // Zookeeper ACL settings
+    protected final static String ZK_ENABLE_SECURITY = "zkEnableSecurity";
+
     protected AbstractConfiguration() {
         super();
         if (READ_SYSTEM_PROPERTIES) {
@@ -188,6 +191,24 @@ public abstract class AbstractConfiguration extends CompositeConfiguration {
     }
 
     /**
+     * Are z-node created with strict ACLs
+     *
+     * @return usage of secure ZooKeeper ACLs
+     */
+    public boolean isZkEnableSecurity() {
+        return getBoolean(ZK_ENABLE_SECURITY, false);
+    }
+
+    /**
+     * Set the usage of ACLs of new z-nodes
+     *
+     * @param zkEnableSecurity
+     */
+    public void setZkEnableSecurity(boolean zkEnableSecurity) {
+        setProperty(ZK_ENABLE_SECURITY, zkEnableSecurity);
+    }
+
+    /**
      * Get the node under which available bookies are stored
      *
      * @return Node under which available bookies are stored.
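Review bot: The Javadoc for `isZkEnableSecurity()` and `setZkEnableSecurity()` omits what an operator needs to know: that the default is `false`, which ACL is applied when it is `true`, and that only z-nodes created after the switch are affected. `ZkUtils.getACLs` is not visible in this part of the diff, so the exact wording should be taken from it. If it returns a creator-only ACL, the doc should also say that the ZooKeeper session must be authenticated and that bookies and clients have to share one identity. The setter's `@param zkEnableSecurity` has no description; something like `@param zkEnableSecurity true to create new z-nodes with restricted ACLs, false (the default) to keep the previous open ACLs` would do.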

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/AbstractZkLedgerManager.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/AbstractZkLedgerManager.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/AbstractZkLedgerManager.java
index fb4e8b5..6db3375 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/AbstractZkLedgerManager.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/AbstractZkLedgerManager.java
@@ -57,6 +57,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Abstract ledger manager based on zookeeper, which provides common methods such as query zk nodes.
@@ -241,7 +242,8 @@ abstract class AbstractZkLedgerManager implements LedgerManager, Watcher {
                 }
             }
         };
-        ZkUtils.asyncCreateFullPathOptimistic(zk, ledgerPath, metadata.serialize(), Ids.OPEN_ACL_UNSAFE,
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
+        ZkUtils.asyncCreateFullPathOptimistic(zk, ledgerPath, metadata.serialize(), zkAcls,
                 CreateMode.PERSISTENT, scb, null);
     }
 

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/FlatLedgerManagerFactory.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/FlatLedgerManagerFactory.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/FlatLedgerManagerFactory.java
index 78a1867..7c64fec 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/FlatLedgerManagerFactory.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/FlatLedgerManagerFactory.java
@@ -25,7 +25,9 @@ import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZKUtil;
 import org.apache.bookkeeper.replication.ReplicationException;
 import org.apache.bookkeeper.conf.AbstractConfiguration;
+import org.apache.bookkeeper.util.ZkUtils;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Flat Ledger Manager Factory
@@ -65,7 +67,8 @@ public class FlatLedgerManagerFactory extends LedgerManagerFactory {
 
     @Override
     public LedgerIdGenerator newLedgerIdGenerator() {
-        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), null);
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
+        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), null, zkAcls);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/HierarchicalLedgerManagerFactory.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/HierarchicalLedgerManagerFactory.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/HierarchicalLedgerManagerFactory.java
index dac9e96..084d73d 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/HierarchicalLedgerManagerFactory.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/HierarchicalLedgerManagerFactory.java
@@ -25,7 +25,9 @@ import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZKUtil;
 import org.apache.bookkeeper.replication.ReplicationException;
 import org.apache.bookkeeper.conf.AbstractConfiguration;
+import org.apache.bookkeeper.util.ZkUtils;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Hierarchical Ledger Manager Factory
@@ -65,7 +67,8 @@ public class HierarchicalLedgerManagerFactory extends LedgerManagerFactory {
 
     @Override
     public LedgerIdGenerator newLedgerIdGenerator() {
-        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), HierarchicalLedgerManager.IDGEN_ZNODE);
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
+        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), HierarchicalLedgerManager.IDGEN_ZNODE, zkAcls);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerLayout.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerLayout.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerLayout.java
index 313f1c1..b49817b 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerLayout.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerLayout.java
@@ -19,12 +19,14 @@ package org.apache.bookkeeper.meta;
  */
 
 import java.io.IOException;
+import java.util.List;
 
 import org.apache.bookkeeper.util.BookKeeperConstants;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -139,11 +141,11 @@ class LedgerLayout {
     /**
      * Store the ledger layout into zookeeper
      */
-    public void store(final ZooKeeper zk, String ledgersRoot) 
+    public void store(final ZooKeeper zk, String ledgersRoot, List<ACL> zkAcls)
             throws IOException, KeeperException, InterruptedException {
         String ledgersLayout = ledgersRoot + "/"
                 + BookKeeperConstants.LAYOUT_ZNODE;
-        zk.create(ledgersLayout, serialize(), Ids.OPEN_ACL_UNSAFE,
+        zk.create(ledgersLayout, serialize(), zkAcls,
                 CreateMode.PERSISTENT);
     }
 
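Review bot: `import org.apache.zookeeper.ZooDefs.Ids;` stays in the import hunk above, although the only use visible in this diff, in `store`, is replaced by `zkAcls`. If nothing else in the file refers to `Ids`, the import should be dropped. If something does, that is a remaining `OPEN_ACL_UNSAFE` create that bypasses `zkEnableSecurity` and should take the ACL list too. `ZkLedgerIdGenerator` keeps the same import after its only visible use is replaced. The Javadoc of `store` should also gain `@param zkAcls ACLs applied to the layout z-node`.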

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerManagerFactory.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerManagerFactory.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerManagerFactory.java
index 3a53623..76d1572 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerManagerFactory.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/LedgerManagerFactory.java
@@ -19,6 +19,7 @@ package org.apache.bookkeeper.meta;
  */
 
 import java.io.IOException;
+import java.util.List;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -26,9 +27,11 @@ import org.slf4j.LoggerFactory;
 import org.apache.bookkeeper.replication.ReplicationException;
 import org.apache.bookkeeper.conf.AbstractConfiguration;
 import org.apache.bookkeeper.util.ReflectionUtils;
+import org.apache.bookkeeper.util.ZkUtils;
 import org.apache.commons.configuration.ConfigurationException;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 
 public abstract class LedgerManagerFactory {
 
@@ -218,8 +221,9 @@ public abstract class LedgerManagerFactory {
 
         layout = new LedgerLayout(factoryClass.getName(),
                 lmFactory.getCurrentVersion());
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
         try {
-            layout.store(zk, ledgerRootPath);
+            layout.store(zk, ledgerRootPath, zkAcls);
         } catch (KeeperException.NodeExistsException nee) {
             LedgerLayout layout2 = LedgerLayout.readLayout(zk, ledgerRootPath);
             if (!layout2.equals(layout)) {

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/MSLedgerManagerFactory.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/MSLedgerManagerFactory.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/MSLedgerManagerFactory.java
index 8a82d41..890bab7 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/MSLedgerManagerFactory.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/MSLedgerManagerFactory.java
@@ -65,6 +65,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
+import java.util.List;
+import org.apache.bookkeeper.util.ZkUtils;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * MetaStore Based Ledger Manager Factory
@@ -179,7 +182,8 @@ public class MSLedgerManagerFactory extends LedgerManagerFactory {
 
     @Override
     public LedgerIdGenerator newLedgerIdGenerator() {
-        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), MsLedgerManager.IDGEN_ZNODE);
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
+        return new ZkLedgerIdGenerator(zk, conf.getZkLedgersRootPath(), MsLedgerManager.IDGEN_ZNODE, zkAcls);
     }
 
     static class MsLedgerManager implements LedgerManager, MetastoreWatcher {

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerIdGenerator.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerIdGenerator.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerIdGenerator.java
index b54c891..a2e79af 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerIdGenerator.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerIdGenerator.java
@@ -18,6 +18,7 @@
 package org.apache.bookkeeper.meta;
 
 import java.io.IOException;
+import java.util.List;
 
 import org.apache.bookkeeper.client.BKException;
 import org.apache.bookkeeper.proto.BookkeeperInternalCallbacks.GenericCallback;
@@ -29,6 +30,7 @@ import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -47,11 +49,14 @@ public class ZkLedgerIdGenerator implements LedgerIdGenerator {
     final ZooKeeper zk;
     final String ledgerIdGenPath;
     final String ledgerPrefix;
+    final List<ACL> zkAcls;
 
     public ZkLedgerIdGenerator(ZooKeeper zk,
                                String ledgersPath,
-                               String idGenZnodeName) {
+                               String idGenZnodeName,
+                               List<ACL> zkAcls) {
         this.zk = zk;
+        this.zkAcls = zkAcls;
         if (StringUtils.isBlank(idGenZnodeName)) {
             this.ledgerIdGenPath = ledgersPath;
         } else {
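Review bot: The new `zkAcls` constructor argument is stored without validation, so a null or empty list would presumably only surface later, as a failure of the asynchronous create in `generateLedgerId`. Failing fast in the constructor is clearer, and it avoids a later fix that silently falls back to an open ACL: `this.zkAcls = Objects.requireNonNull(zkAcls, "zkAcls");` (needs `java.util.Objects`). Adding a parameter to a public constructor also breaks external callers, which deserves a line in the release notes. The constructor body continues past the end of the hunk.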
@@ -62,7 +67,7 @@ public class ZkLedgerIdGenerator implements LedgerIdGenerator {
 
     @Override
     public void generateLedgerId(final GenericCallback<Long> cb) {
-        ZkUtils.asyncCreateFullPathOptimistic(zk, ledgerPrefix, new byte[0], Ids.OPEN_ACL_UNSAFE,
+        ZkUtils.asyncCreateFullPathOptimistic(zk, ledgerPrefix, new byte[0], zkAcls,
                 CreateMode.EPHEMERAL_SEQUENTIAL,
                 new StringCallback() {
                     @Override

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerUnderreplicationManager.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerUnderreplicationManager.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerUnderreplicationManager.java
index e307b2c..8c0d7ed 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerUnderreplicationManager.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/meta/ZkLedgerUnderreplicationManager.java
@@ -57,6 +57,7 @@ import org.slf4j.LoggerFactory;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Joiner;
 import com.google.protobuf.TextFormat;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * ZooKeeper implementation of underreplication manager.
@@ -99,11 +100,12 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
     private final String urLedgerPath;
     private final String urLockPath;
     private final String layoutZNode;
-
+    private final AbstractConfiguration conf;
     private final ZooKeeper zkc;
 
     public ZkLedgerUnderreplicationManager(AbstractConfiguration conf, ZooKeeper zkc)
             throws KeeperException, InterruptedException, ReplicationException.CompatibilityException {
+        this.conf = conf;
         basePath = getBasePath(conf.getZkLedgersRootPath());
         layoutZNode = basePath + '/' + BookKeeperConstants.LAYOUT_ZNODE;
         urLedgerPath = basePath
@@ -137,9 +139,10 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
 
     private void checkLayout()
             throws KeeperException, InterruptedException, ReplicationException.CompatibilityException {
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
         if (zkc.exists(basePath, false) == null) {
             try {
-                zkc.create(basePath, new byte[0], Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                zkc.create(basePath, new byte[0], zkAcls, CreateMode.PERSISTENT);
             } catch (KeeperException.NodeExistsException nee) {
                 // do nothing, someone each could have created it
             }
@@ -151,7 +154,7 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
                 builder.setType(LAYOUT).setVersion(LAYOUT_VERSION);
                 try {
                     zkc.create(layoutZNode, TextFormat.printToString(builder.build()).getBytes(UTF_8),
-                               Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                               zkAcls, CreateMode.PERSISTENT);
                 } catch (KeeperException.NodeExistsException nne) {
                     // someone else managed to create it
                     continue;
@@ -179,14 +182,14 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
         }
         if (zkc.exists(urLedgerPath, false) == null) {
             try {
-                zkc.create(urLedgerPath, new byte[0], Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                zkc.create(urLedgerPath, new byte[0], zkAcls, CreateMode.PERSISTENT);
             } catch (KeeperException.NodeExistsException nee) {
                 // do nothing, someone each could have created it
             }
         }
         if (zkc.exists(urLockPath, false) == null) {
             try {
-                zkc.create(urLockPath, new byte[0], Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                zkc.create(urLockPath, new byte[0], zkAcls, CreateMode.PERSISTENT);
             } catch (KeeperException.NodeExistsException nee) {
                 // do nothing, someone each could have created it
             }
@@ -239,6 +242,7 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
             throws ReplicationException.UnavailableException {
         LOG.debug("markLedgerUnderreplicated(ledgerId={}, missingReplica={})", ledgerId, missingReplica);
         try {
+            List<ACL> zkAcls = ZkUtils.getACLs(conf);
             String znode = getUrLedgerZnode(ledgerId);
             while (true) {
                 UnderreplicatedLedgerFormat.Builder builder = UnderreplicatedLedgerFormat.newBuilder();
@@ -246,7 +250,7 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
                     builder.addReplica(missingReplica);
                     ZkUtils.createFullPathOptimistic(zkc, znode, TextFormat
                             .printToString(builder.build()).getBytes(UTF_8),
-                            Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                            zkAcls, CreateMode.PERSISTENT);
                 } catch (KeeperException.NodeExistsException nee) {
                     Stat s = zkc.exists(znode, false);
                     if (s == null) {
@@ -389,7 +393,7 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
             }
 
             Collections.shuffle(children);
-
+            List<ACL> zkAcls = ZkUtils.getACLs(conf);
             while (children.size() > 0) {
                 String tryChild = children.get(0);
                 try {
@@ -407,7 +411,7 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
                     }
 
                     long ledgerId = getLedgerId(tryChild);
-                    zkc.create(lockPath, LOCK_DATA, Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
+                    zkc.create(lockPath, LOCK_DATA, zkAcls, CreateMode.EPHEMERAL);
                     heldLocks.put(ledgerId, new Lock(lockPath, stat.getVersion()));
                     return ledgerId;
                 } catch (KeeperException.NodeExistsException nee) {
@@ -542,10 +546,11 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
     @Override
     public void disableLedgerReplication()
             throws ReplicationException.UnavailableException {
+        List<ACL> zkAcls = ZkUtils.getACLs(conf);
         LOG.debug("disableLedegerReplication()");
         try {
             String znode = basePath + '/' + BookKeeperConstants.DISABLE_NODE;
-            zkc.create(znode, "".getBytes(UTF_8), Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+            zkc.create(znode, "".getBytes(UTF_8), zkAcls, CreateMode.PERSISTENT);
             LOG.info("Auto ledger re-replication is disabled!");
         } catch (KeeperException.NodeExistsException ke) {
             LOG.warn("AutoRecovery is already disabled!", ke);
@@ -647,10 +652,11 @@ public class ZkLedgerUnderreplicationManager implements LedgerUnderreplicationMa
     /**
      * Acquire the underreplicated ledger lock
      */
-    public static void acquireUnderreplicatedLedgerLock(ZooKeeper zkc, String zkLedgersRootPath, long ledgerId)
+    public static void acquireUnderreplicatedLedgerLock(ZooKeeper zkc, String zkLedgersRootPath,
+        long ledgerId, List<ACL> zkAcls)
             throws KeeperException, InterruptedException {
         ZkUtils.createFullPathOptimistic(zkc, getUrLedgerLockZnode(getUrLockPath(zkLedgersRootPath), ledgerId),
-                LOCK_DATA, Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
+                LOCK_DATA, zkAcls, CreateMode.EPHEMERAL);
     }
 
     /**
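Review bot: The Javadoc for `acquireUnderreplicatedLedgerLock` does not describe the new `zkAcls` parameter. Because the method is static, the caller picks the ACL independently of the configuration. A caller that passes `Ids.OPEN_ACL_UNSAFE` while ZooKeeper security is enabled creates a lock znode that any client may delete. I would add `@param zkAcls ACLs for the lock znode; pass ZkUtils.getACLs(conf) so it follows zkEnableSecurity` to the comment. The extra parameter also changes a public static signature, which may break callers outside this repository.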

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/replication/AuditorElector.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/replication/AuditorElector.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/replication/AuditorElector.java
index e8dfb02..b396e89 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/replication/AuditorElector.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/replication/AuditorElector.java
@@ -56,6 +56,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import static org.apache.bookkeeper.replication.ReplicationStats.ELECTION_ATTEMPTS;
+import org.apache.bookkeeper.util.ZkUtils;
+import org.apache.zookeeper.data.ACL;
 
 /**
  * Performing auditor election using Apache ZooKeeper. Using ZooKeeper as a
@@ -147,10 +149,11 @@ public class AuditorElector {
 
     private void createMyVote() throws KeeperException, InterruptedException {
         if (null == myVote || null == zkc.exists(myVote, false)) {
+            List<ACL> zkAcls = ZkUtils.getACLs(conf);
             AuditorVoteFormat.Builder builder = AuditorVoteFormat.newBuilder()
                 .setBookieId(bookieId);
             myVote = zkc.create(getVotePath(PATH_SEPARATOR + VOTE_PREFIX),
-                    TextFormat.printToString(builder.build()).getBytes(UTF_8), Ids.OPEN_ACL_UNSAFE,
+                    TextFormat.printToString(builder.build()).getBytes(UTF_8), zkAcls,
                     CreateMode.EPHEMERAL_SEQUENTIAL);
         }
     }
@@ -161,9 +164,10 @@ public class AuditorElector {
 
     private void createElectorPath() throws UnavailableException {
         try {
+            List<ACL> zkAcls = ZkUtils.getACLs(conf);
             if (zkc.exists(basePath, false) == null) {
                 try {
-                    zkc.create(basePath, new byte[0], Ids.OPEN_ACL_UNSAFE,
+                    zkc.create(basePath, new byte[0], zkAcls,
                             CreateMode.PERSISTENT);
                 } catch (KeeperException.NodeExistsException nee) {
                     // do nothing, someone else could have created it
@@ -172,7 +176,7 @@ public class AuditorElector {
             if (zkc.exists(getVotePath(""), false) == null) {
                 try {
                     zkc.create(getVotePath(""), new byte[0],
-                            Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
+                            zkAcls, CreateMode.PERSISTENT);
                 } catch (KeeperException.NodeExistsException nee) {
                     // do nothing, someone else could have created it
                 }

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index 125f084..d9a6bcf 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -45,6 +45,7 @@ import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.ZooDefs.Ids;
 
 import static com.google.common.base.Charsets.UTF_8;
+import org.apache.zookeeper.data.ACL;
 
 public class LocalBookKeeper {
     protected static final Logger LOG = LoggerFactory.getLogger(LocalBookKeeper.class);

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/ZkUtils.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/ZkUtils.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/ZkUtils.java
index f237988..24c0a52 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/ZkUtils.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/ZkUtils.java
@@ -26,6 +26,7 @@ import java.io.IOException;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicInteger;
+import org.apache.bookkeeper.conf.AbstractConfiguration;
 
 import org.apache.bookkeeper.proto.BookkeeperInternalCallbacks.GenericCallback;
 import org.apache.bookkeeper.zookeeper.BoundExponentialBackoffRetryPolicy;
@@ -36,6 +37,7 @@ import org.apache.zookeeper.AsyncCallback;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.AsyncCallback.StringCallback;
 import org.apache.zookeeper.KeeperException.Code;
+import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.ZooKeeper;
 import org.slf4j.Logger;
@@ -231,4 +233,13 @@ public class ZkUtils {
         }, null);
     }
 
+    /**
+     * Compute ZooKeeper ACLs using actual configuration
+     *
+     * @param conf Bookie or BookKeeper configuration
+     */
+    public static List<ACL> getACLs(AbstractConfiguration conf) {
+        return conf.isZkEnableSecurity() ? ZooDefs.Ids.CREATOR_ALL_ACL: ZooDefs.Ids.OPEN_ACL_UNSAFE;
+    }
+
 }
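Review bot: The Javadoc on `getACLs` has no `@return` and does not say what the two results mean for an operator. When `isZkEnableSecurity()` is true it returns `ZooDefs.Ids.CREATOR_ALL_ACL`, which grants all permissions only to the identity the creating session authenticated with. In practice every bookie, client and auto-recovery process then has to authenticate to ZooKeeper as the same principal, and ZooKeeper rejects a create with this ACL from a session that has not authenticated. I would state that in the comment and add `@return CREATOR_ALL_ACL when zkEnableSecurity is set, otherwise OPEN_ACL_UNSAFE`. Both constants are ZooKeeper's shared list instances, so the comment should also tell callers not to modify the returned list.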

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/EnableZkSecurityBasicTest.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/EnableZkSecurityBasicTest.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/EnableZkSecurityBasicTest.java
new file mode 100644
index 0000000..277801f
--- /dev/null
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/EnableZkSecurityBasicTest.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2016 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.bookkeeper.bookie;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.util.List;
+import javax.security.auth.login.Configuration;
+import org.apache.bookkeeper.client.BookKeeper;
+import org.apache.bookkeeper.client.LedgerHandle;
+import org.apache.bookkeeper.conf.ClientConfiguration;
+import org.apache.bookkeeper.test.BookKeeperClusterTestCase;
+import org.apache.bookkeeper.util.BookKeeperConstants;
+import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Stat;
+import org.junit.AfterClass;
+import static org.junit.Assert.assertEquals;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * Test basic functions using secured ZooKeeper
+ */
+public class EnableZkSecurityBasicTest extends BookKeeperClusterTestCase {
+
+    public EnableZkSecurityBasicTest() {
+        super(0);
+        this.baseClientConf.setZkEnableSecurity(true);
+        this.baseConf.setZkEnableSecurity(true);
+    }
+
+    @BeforeClass
+    public static void setupJAAS() throws IOException {
+        System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+        File tmpJaasDir = new File("target").getAbsoluteFile();
+        File tmpJaasFile = new File(tmpJaasDir, "jaas.conf");
+        String jassFileContent
+            = "Server {\n"
+            + "       org.apache.zookeeper.server.auth.DigestLoginModule required\n"
+            + "       user_foo=\"bar\";\n"
+            + "};\n"
+            + "\n"
+            + "Client {\n"
+            + "       org.apache.zookeeper.server.auth.DigestLoginModule required\n"
+            + "       username=\"foo\"\n"
+            + "       password=\"bar\";\n"
+            + "};";
+        Files.write(tmpJaasFile.toPath(), jassFileContent.getBytes(StandardCharsets.UTF_8));
+        System.setProperty("java.security.auth.login.config", tmpJaasFile.getAbsolutePath());
+        Configuration.getConfiguration().refresh();
+    }
+
+    @AfterClass
+    public static void cleanUpJAAS() {
+        System.clearProperty("java.security.auth.login.config");
+        Configuration.getConfiguration().refresh();
+        System.clearProperty("zookeeper.authProvider.1");
+    }
+
+    @Test
+    public void testCreateLedgerAddEntryOnSecureZooKeepeer() throws Exception {
+        startNewBookie();
+
+        ClientConfiguration conf = new ClientConfiguration()
+            .setZkServers(zkUtil.getZooKeeperConnectString())
+            .setZkTimeout(20000);
+
+        conf.setZkEnableSecurity(true);
+
+        try (BookKeeper bkc = new BookKeeper(conf);) {
+            try (LedgerHandle lh = bkc.createLedger(1, 1, 1, BookKeeper.DigestType.CRC32, "testPasswd".getBytes());) {
+                lh.addEntry("foo".getBytes(StandardCharsets.UTF_8));
+            }
+        }
+
+        checkAllAcls();
+    }
+
+    private void checkAllAcls() throws IOException, InterruptedException, KeeperException {
+        ZooKeeper zk = ZooKeeperClient.newBuilder()
+            .connectString(zkUtil.getZooKeeperConnectString())
+            .sessionTimeoutMs(20000)
+            .build();
+        checkACls(zk, "/");
+        zk.close();
+    }
+
+    private void checkACls(ZooKeeper zk, String path) throws KeeperException, InterruptedException {
+        List<String> children = zk.getChildren(path, null);
+        for (String child : children) {
+            String fullPath = path.equals("/") ? path + child : path + "/" + child;
+            List<ACL> acls = zk.getACL(fullPath, new Stat());
+            checkACls(zk, fullPath);
+
+            if (!fullPath.startsWith("/zookeeper") // skip zookeeper internal nodes
+                && !fullPath.equals("/ledgers") // node created by test setup
+                && !fullPath.equals("/ledgers/" + BookKeeperConstants.AVAILABLE_NODE) // node created by test setup
+                ) {
+                assertEquals(1, acls.size());
+                assertEquals(31, acls.get(0).getPerms());
+                assertEquals(31, acls.get(0).getPerms());
+                assertEquals("unexpected ACLS on " + fullPath + ": " + acls.get(0), "foo", acls.get(0).getId().getId());
+                assertEquals("unexpected ACLS on " + fullPath + ": " + acls.get(0), "sasl", acls.get(0).getId().getScheme());
+            }
+        }
+    }
+}
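Review bot: In `checkAllAcls` the ZooKeeper client is closed only when `checkACls` returns normally, so a failing assertion leaks the session. Wrap the call as `try { checkACls(zk, "/"); } finally { zk.close(); }`. In `checkACls` the line `assertEquals(31, acls.get(0).getPerms());` appears twice, and the literal would read better as `ZooDefs.Perms.ALL` (with the matching import). The test inspects stored ACLs only. It does not check that a session without the `foo` credentials is refused, and it skips `/ledgers` and the available node, so a follow-up test for enforcement would be worth adding.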

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/TestGcOverreplicatedLedger.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/TestGcOverreplicatedLedger.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/TestGcOverreplicatedLedger.java
index 5004817..2dae0b0 100644
--- a/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/TestGcOverreplicatedLedger.java
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/bookie/TestGcOverreplicatedLedger.java
@@ -54,6 +54,7 @@ import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameters;
 
 import com.google.common.collect.Lists;
+import org.apache.zookeeper.ZooDefs;
 
 @RunWith(Parameterized.class)
 public class TestGcOverreplicatedLedger extends LedgerManagerTestCase {
@@ -201,7 +202,7 @@ public class TestGcOverreplicatedLedger extends LedgerManagerTestCase {
         lh.close();
 
         ZkLedgerUnderreplicationManager.acquireUnderreplicatedLedgerLock(zkc, baseConf.getZkLedgersRootPath(),
-                lh.getId());
+                lh.getId(), ZooDefs.Ids.OPEN_ACL_UNSAFE);
 
         final CompactableLedgerStorage mockLedgerStorage = new MockLedgerStorage();
         final GarbageCollector garbageCollector = new ScanAndCompareGarbageCollector(ledgerManager, mockLedgerStorage,

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/LedgerLayoutTest.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/LedgerLayoutTest.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/LedgerLayoutTest.java
index 18a818a..4552e65 100644
--- a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/LedgerLayoutTest.java
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/LedgerLayoutTest.java
@@ -29,6 +29,7 @@ import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.bookkeeper.test.BookKeeperClusterTestCase;
 import org.apache.bookkeeper.util.BookKeeperConstants;
+import org.apache.zookeeper.ZooDefs;
 import org.junit.Test;
 
 import static org.junit.Assert.*;
@@ -55,7 +56,7 @@ public class LedgerLayoutTest extends BookKeeperClusterTestCase {
         int testVersion = 0xdeadbeef;
         // use layout defined in configuration also create it in zookeeper
         LedgerLayout layout2 = new LedgerLayout(testName, testVersion);
-        layout2.store(zkc, ledgerRootPath);
+        layout2.store(zkc, ledgerRootPath, ZooDefs.Ids.OPEN_ACL_UNSAFE);
 
         layout = LedgerLayout.readLayout(zkc, ledgerRootPath);
         assertEquals(testName, layout.getManagerFactoryClass());
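Review bot: The new argument is spelled `ZooDefs.Ids.OPEN_ACL_UNSAFE`, which is why the previous hunk adds `import org.apache.zookeeper.ZooDefs;`. The file already imports `org.apache.zookeeper.ZooDefs.Ids`, so the call can be `layout2.store(zkc, ledgerRootPath, Ids.OPEN_ACL_UNSAFE);` and the extra import dropped. The same applies to the `layout.store` call in the next hunk. The enclosing test method starts and ends outside this hunk.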
@@ -73,7 +74,7 @@ public class LedgerLayoutTest extends BookKeeperClusterTestCase {
         f.setAccessible(true);
         f.set(layout, layoutVersion);
 
-        layout.store(zkc, ledgersRootPath);
+        layout.store(zkc, ledgersRootPath, ZooDefs.Ids.OPEN_ACL_UNSAFE);
     }
 
     @Test(timeout=60000)

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestLedgerManager.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestLedgerManager.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestLedgerManager.java
index bc2fd93..62ccb01 100644
--- a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestLedgerManager.java
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestLedgerManager.java
@@ -30,6 +30,7 @@ import java.util.concurrent.CyclicBarrier;
 import java.util.List;
 import java.util.ArrayList;
 import java.lang.reflect.Field;
+import org.apache.zookeeper.ZooDefs;
 
 import org.junit.Test;
 import org.slf4j.Logger;
@@ -54,7 +55,7 @@ public class TestLedgerManager extends BookKeeperClusterTestCase {
         f.setAccessible(true);
         f.set(layout, layoutVersion);
 
-        layout.store(zkc, ledgersRootPath);
+        layout.store(zkc, ledgersRootPath, ZooDefs.Ids.OPEN_ACL_UNSAFE);
     }
 
     /**
@@ -159,7 +160,7 @@ public class TestLedgerManager extends BookKeeperClusterTestCase {
         conf.setZkLedgersRootPath(root0);
 
         new LedgerLayout("DoesNotExist",
-                         0xdeadbeef).store(zkc, root0);
+                         0xdeadbeef).store(zkc, root0, ZooDefs.Ids.OPEN_ACL_UNSAFE);
 
         try {
             LedgerManagerFactory.newLedgerManagerFactory(conf, zkc);
@@ -177,7 +178,7 @@ public class TestLedgerManager extends BookKeeperClusterTestCase {
         conf.setZkLedgersRootPath(root1);
 
         new LedgerLayout(FlatLedgerManagerFactory.class.getName(),
-                         0xdeadbeef).store(zkc, root1);
+                         0xdeadbeef).store(zkc, root1, ZooDefs.Ids.OPEN_ACL_UNSAFE);
 
         try {
             LedgerManagerFactory.newLedgerManagerFactory(conf, zkc);

http://git-wip-us.apache.org/repos/asf/bookkeeper/blob/b30b527b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestZkLedgerIdGenerator.java
----------------------------------------------------------------------
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestZkLedgerIdGenerator.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestZkLedgerIdGenerator.java
index 708fbc7..f9cad2e 100644
--- a/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestZkLedgerIdGenerator.java
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/meta/TestZkLedgerIdGenerator.java
@@ -29,6 +29,7 @@ import junit.framework.TestCase;
 import org.apache.bookkeeper.proto.BookkeeperInternalCallbacks.GenericCallback;
 import org.apache.bookkeeper.test.ZooKeeperUtil;
 import org.apache.zookeeper.KeeperException.Code;
+import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.ZooKeeper;
 import org.junit.After;
 import org.junit.Before;
@@ -55,7 +56,7 @@ public class TestZkLedgerIdGenerator extends TestCase {
         zk = zkutil.getZooKeeperClient();
 
         ledgerIdGenerator = new ZkLedgerIdGenerator(zk,
-                "/test-zk-ledger-id-generator", "idgen");
+                "/test-zk-ledger-id-generator", "idgen", ZooDefs.Ids.OPEN_ACL_UNSAFE);
     }
 
     @Override

