zookeeper-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From maha...@apache.org
Subject svn commit: r1240919 - in /zookeeper/branches/branch-3.4: ./ src/java/main/org/apache/zookeeper/ src/java/main/org/apache/zookeeper/client/ src/java/test/org/apache/zookeeper/test/
Date Mon, 06 Feb 2012 08:36:36 GMT
Author: mahadev
Date: Mon Feb  6 08:36:36 2012
New Revision: 1240919

URL: http://svn.apache.org/viewvc?rev=1240919&view=rev
Log:
ZOOKEEPER-1373. Hardcoded SASL login context name clashes with Hadoop security configuration
override. (Eugene Koontz and Thomas Weise via mahadev)

Added:
    zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
    zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
    zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
Modified:
    zookeeper/branches/branch-3.4/CHANGES.txt
    zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java
    zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/Login.java
    zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java

Modified: zookeeper/branches/branch-3.4/CHANGES.txt
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/CHANGES.txt?rev=1240919&r1=1240918&r2=1240919&view=diff
==============================================================================
--- zookeeper/branches/branch-3.4/CHANGES.txt (original)
+++ zookeeper/branches/branch-3.4/CHANGES.txt Mon Feb  6 08:36:36 2012
@@ -26,6 +26,9 @@ BUGFIXES: 
   ZOOKEEPER-1353. C client test suite fails consistently.
   (Clint Byrum via mahadev)
 
+  ZOOKEEPER-1373. Hardcoded SASL login context name clashes with Hadoop security 
+  configuration override. (Eugene Koontz and Thomas Weise via mahadev)
+
 Release 3.4.2 - 2011-12-21
 
 Backward compatible changes:

Modified: zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java?rev=1240919&r1=1240918&r2=1240919&view=diff
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java (original)
+++ zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java Mon Feb
 6 08:36:36 2012
@@ -934,20 +934,14 @@ public class ClientCnxn {
 
             setName(getName().replaceAll("\\(.*\\)",
                     "(" + addr.getHostName() + ":" + addr.getPort() + ")"));
-
-            if (System.getProperty("java.security.auth.login.config") != null) {
-                try {
-                    zooKeeperSaslClient = new ZooKeeperSaslClient(ClientCnxn.this, "zookeeper"+"/"+
addr.getHostName());
-                }
-                catch (LoginException e) {
-                    LOG.warn("Zookeeper client cannot authenticate using the Client section
of the supplied "
-                      + "configuration file: '" + System.getProperty("java.security.auth.login.config")
-                      + "'. Will continue connection to Zookeeper server without SASL authentication,
if Zookeeper "
-                      + "server allows it.");
-                    eventThread.queueEvent(new WatchedEvent(
-                            Watcher.Event.EventType.None,
-                            KeeperState.AuthFailed, null));
-                }
+            try {
+                zooKeeperSaslClient = new ZooKeeperSaslClient("zookeeper/"+addr.getHostName());
+            } catch (LoginException e) {
+                LOG.warn("SASL authentication failed: " + e + " Will continue connection
to Zookeeper server without "
+                        + "SASL authentication, if Zookeeper server allows it.");
+                eventThread.queueEvent(new WatchedEvent(
+                        Watcher.Event.EventType.None,
+                        Watcher.Event.KeeperState.AuthFailed, null));
             }
             clientCnxnSocket.connect(addr);
         }
@@ -981,9 +975,9 @@ public class ClientCnxn {
                     }
 
                     if (state.isConnected()) {
-                        if ((zooKeeperSaslClient != null) && (zooKeeperSaslClient.isComplete()
!= true)) {
+                        if ((zooKeeperSaslClient != null) && (zooKeeperSaslClient.isFailed()
!= true) && (zooKeeperSaslClient.isComplete() != true)) {
                             try {
-                                zooKeeperSaslClient.initialize();
+                                zooKeeperSaslClient.initialize(ClientCnxn.this);
                             }
                             catch (SaslException e) {
                                 LOG.error("SASL authentication with Zookeeper Quorum member
failed: " + e);

Modified: zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/Login.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/Login.java?rev=1240919&r1=1240918&r2=1240919&view=diff
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/Login.java (original)
+++ zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/Login.java Mon Feb  6
08:36:36 2012
@@ -33,7 +33,7 @@ import javax.security.auth.login.LoginEx
 import javax.security.auth.callback.CallbackHandler;
 
 import org.apache.log4j.Logger;
-
+import org.apache.zookeeper.client.ZooKeeperSaslClient;
 import javax.security.auth.kerberos.KerberosTicket;
 import javax.security.auth.Subject;
 import java.util.Date;
@@ -279,7 +279,10 @@ public class Login {
     private synchronized LoginContext login(final String loginContextName) throws LoginException
{
         if (loginContextName == null) {
             throw new LoginException("loginContext name (JAAS file section header) was null.
" +
-                    "Please check your java.security.login.auth.config setting.");
+                    "Please check your java.security.login.auth.config (=" +
+                    System.getProperty("java.security.login.auth.config") +
+                    ") and your " + ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY + "(=" + 
+                    System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client")
+ ")");
         }
         LoginContext loginContext = new LoginContext(loginContextName,callbackHandler);
         loginContext.login();

Modified: zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java?rev=1240919&r1=1240918&r2=1240919&view=diff
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
(original)
+++ zookeeper/branches/branch-3.4/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
Mon Feb  6 08:36:36 2012
@@ -21,12 +21,12 @@ package org.apache.zookeeper.client;
 import org.apache.zookeeper.AsyncCallback;
 import org.apache.zookeeper.ClientCnxn;
 import org.apache.zookeeper.Login;
+import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.Stat;
 import org.apache.zookeeper.proto.GetSASLRequest;
 import org.apache.zookeeper.proto.ReplyHeader;
 import org.apache.zookeeper.proto.RequestHeader;
 import org.apache.zookeeper.proto.SetSASLResponse;
-import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.server.auth.KerberosName;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -40,6 +40,8 @@ import javax.security.auth.callback.Call
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginException;
 import javax.security.sasl.AuthorizeCallback;
 import javax.security.sasl.RealmCallback;
@@ -52,12 +54,12 @@ import javax.security.sasl.SaslException
  * allows ClientCnxn to authenticate using SASL with a Zookeeper server.
  */
 public class ZooKeeperSaslClient {
+    public static final String LOGIN_CONTEXT_NAME_KEY = "zookeeper.sasl.clientconfig";
     private static final Logger LOG = LoggerFactory.getLogger(ZooKeeperSaslClient.class);
     private static Login login = null;
     private SaslClient saslClient;
 
     private byte[] saslToken = new byte[0];
-    private ClientCnxn cnxn;
 
     public enum SaslState {
         INITIAL,INTERMEDIATE,COMPLETE,FAILED
@@ -69,15 +71,87 @@ public class ZooKeeperSaslClient {
         return saslState;
     }
 
-    public ZooKeeperSaslClient(ClientCnxn cnxn, String serverPrincipal) throws LoginException
{
-        this.cnxn = cnxn;
-        this.saslClient = createSaslClient(serverPrincipal);
+    private String loginContext;
+
+    public String getLoginContext() {
+      return loginContext;
+    }
+
+    public ZooKeeperSaslClient(final String serverPrincipal)
+            throws LoginException {
+        /**
+         * ZOOKEEPER-1373: allow system property to specify the JAAS
+         * configuration section that the zookeeper client should use.
+         * Default to "Client".
+         */
+        String clientSection = System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
"Client");
+        // Note that 'Configuration' here refers to javax.security.auth.login.Configuration.
+        AppConfigurationEntry entries[] = null;
+        SecurityException securityException = null;
+        try {
+            entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);
+        } catch (SecurityException e) {
+            // handle below: might be harmless if the user doesn't intend to use JAAS authentication.
+            securityException = e;
+        }
+        if (entries != null) {
+            LOG.info("Found Login Context section '" + clientSection + "': will use it to
attempt to SASL-authenticate.");
+            this.saslClient = createSaslClient(serverPrincipal, clientSection);
+        } else {
+            // Handle situation of clientSection's being null: it might simply because the
client does not intend to 
+            // use SASL, so not necessarily an error.
+            saslState = SaslState.FAILED;
+            String explicitClientSection = System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY);
+            if (explicitClientSection != null) {
+                // If the user explicitly overrides the default Login Context, they probably
expected SASL to
+                // succeed. But if we got here, SASL failed.
+                if (securityException != null) {
+                    throw new LoginException("Zookeeper client cannot authenticate using
the " + explicitClientSection +
+                            " section of the supplied JAAS configuration: '" +
+                            System.getProperty("java.security.auth.login.config") + "' because
of a " +
+                            "SecurityException: " + securityException);
+                    
+                    
+                } else {
+                    throw new LoginException("Client cannot SASL-authenticate because the
specified JAAS configuration " +
+                            "section '" + explicitClientSection + "' could not be found.");
+                }
+            } else {
+                // The user did not override the default context. It might be that they just
don't intend to use SASL,
+                // so log at INFO, not WARN, since they don't expect any SASL-related information.
+                if (securityException != null) {
+                    LOG.warn("SecurityException: " + securityException + " occurred when
trying to find JAAS configuration.");
+                }
+                LOG.info("Client will not SASL-authenticate because the default JAAS configuration
section 'Client' " +
+                        "could not be found. If you are not using SASL, you may ignore this.
On the other hand, " +
+                        "if you expected SASL to work, please fix your JAAS configuration.");
+            }
+            if (System.getProperty("java.security.auth.login.config")  != null) {
+                // Again, the user explicitly set something SASL-related, so they probably
expected SASL to succeed.
+                if (securityException != null) {
+                    throw new LoginException("Zookeeper client cannot authenticate using
the '" +
+                            System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
"Client") +
+                            "' section of the supplied JAAS configuration: '" +
+                            System.getProperty("java.security.auth.login.config") + "' because
of a " +
+                            "SecurityException: " + securityException);
+                } else {
+                    throw new LoginException("No JAAS configuration section named '" +
+                            System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
"Client") +
+                            "' was found in specified JAAS configuration file: '" +
+                            System.getProperty("java.security.auth.login.config") + "'.");
+                }
+            }
+        }
     }
 
     public boolean isComplete() {
         return (saslState == SaslState.COMPLETE);
     }
 
+    public boolean isFailed() {
+        return (saslState == SaslState.FAILED);
+    }
+
     public static class ServerSaslResponseCallback implements AsyncCallback.DataCallback
{
         public void processResult(int rc, String path, Object ctx, byte data[], Stat stat)
{
             // processResult() is used by ClientCnxn's sendThread to respond to
@@ -97,16 +171,21 @@ public class ZooKeeperSaslClient {
                 usedata = new byte[0];
                 LOG.debug("ServerSaslResponseCallback(): using empty data[] as server response
(length="+usedata.length+")");
             }
-            client.prepareSaslResponseToServer(usedata);
+            client.prepareSaslResponseToServer(usedata, (ClientCnxn)ctx);
         }
     }
 
-    synchronized private SaslClient createSaslClient(final String servicePrincipal) throws
LoginException {
+    synchronized private SaslClient createSaslClient(final String servicePrincipal,
+                                                     final String loginContext) throws LoginException
{
         try {
             if (login == null) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("JAAS loginContext is: " + loginContext);
+                }
+                this.loginContext = loginContext;
                 // note that the login object is static: it's shared amongst all zookeeper-related
connections.
                 // createSaslClient() must be declared synchronized so that login is initialized
only once.
-                login = new Login("Client",new ClientCallbackHandler(null));
+                login = new Login(loginContext, new ClientCallbackHandler(null));
                 login.startThreadIfNeeded();
             }
             Subject subject = login.getSubject();
@@ -163,7 +242,7 @@ public class ZooKeeperSaslClient {
         }
     }
 
-    private void prepareSaslResponseToServer(byte[] serverToken) {
+    private void prepareSaslResponseToServer(byte[] serverToken, ClientCnxn cnxn) {
         saslToken = serverToken;
 
         if (saslClient == null) {
@@ -177,16 +256,17 @@ public class ZooKeeperSaslClient {
                 saslToken = createSaslToken(saslToken);
                 if (saslToken != null) {
                     LOG.debug("saslToken (client) length: " + saslToken.length);
-                    queueSaslPacket(saslToken);
+                    queueSaslPacket(saslToken, cnxn);
                 }
             } catch (SaslException e) {
-                LOG.error("SASL authentication failed.");
+                LOG.error("SASL authentication failed using login context '" +
+                this.getLoginContext() + "'.");
                 saslState = SaslState.FAILED;
             }
         }
     }
 
-    public byte[] createSaslToken() throws SaslException {
+    private byte[] createSaslToken() throws SaslException {
         saslState = SaslState.INTERMEDIATE;
         return createSaslToken(saslToken);
     }
@@ -234,7 +314,7 @@ public class ZooKeeperSaslClient {
         }
     }
 
-    public void queueSaslPacket(byte[] saslToken) {
+    private void queueSaslPacket(byte[] saslToken, ClientCnxn cnxn) {
         LOG.debug("ClientCnxn:sendSaslPacket:length="+saslToken.length);
         RequestHeader h = new RequestHeader();
         h.setType(ZooDefs.OpCode.sasl);
@@ -245,9 +325,9 @@ public class ZooKeeperSaslClient {
         ReplyHeader r = new ReplyHeader();
         cnxn.queuePacket(h,r,request,response,cb);
     }
-
-    public void queueSaslPacket() throws SaslException {
-        queueSaslPacket(createSaslToken());
+    
+    private void queueSaslPacket(ClientCnxn cnxn) throws SaslException {
+        queueSaslPacket(createSaslToken(), cnxn);
     }
 
     // used by ClientCnxn to know when to emit SaslAuthenticated event.
@@ -268,17 +348,17 @@ public class ZooKeeperSaslClient {
         return false;
     }
 
-    public void initialize() throws SaslException {
+    public void initialize(ClientCnxn cnxn) throws SaslException {
         if (saslClient == null) {
             throw new SaslException("saslClient failed to initialize properly: it's null.");
         }
         if (saslState == SaslState.INITIAL) {
             if (saslClient.hasInitialResponse()) {
-                queueSaslPacket();
+                queueSaslPacket(cnxn);
             }
             else {
                 byte[] emptyToken = new byte[0];
-                queueSaslPacket(emptyToken);
+                queueSaslPacket(emptyToken, cnxn);
             }
             saslState = SaslState.INTERMEDIATE;
         }

Added: zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java?rev=1240919&view=auto
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
(added)
+++ zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
Mon Feb  6 08:36:36 2012
@@ -0,0 +1,99 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.zookeeper.CreateMode;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.WatchedEvent;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.Watcher.Event.KeeperState;
+import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.client.ZooKeeperSaslClient;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SaslAuthDesignatedClientTest extends ClientBase {
+    static {
+        System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+        System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "MyZookeeperClient");
+
+        try {
+            File tmpDir = createTmpDir();
+            File saslConfFile = new File(tmpDir, "jaas.conf");
+            FileWriter fwriter = new FileWriter(saslConfFile);
+
+            fwriter.write("" +
+                "Server {\n" +
+                "          org.apache.zookeeper.server.auth.DigestLoginModule required\n"
+
+                "          user_myuser=\"mypassword\";\n" +
+                "};\n" +
+                "Client {\n" + /* this 'Client' section has an incorrect password, but we're
not configured
+                                  to  use it (we're configured by the above System.setProperty(...LOGIN_CONTEXT_NAME_KEY...)
to 
+                                  use the 'MyZookeeperClient' section below, which has the
correct password).*/
+                "       org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+                "       username=\"myuser\"\n" +
+                "       password=\"wrongpassword\";\n" +
+                "};" +
+                "MyZookeeperClient {\n" +
+                "       org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+                "       username=\"myuser\"\n" +
+                "       password=\"mypassword\";\n" +
+                "};" + "\n");
+            fwriter.close();
+            System.setProperty("java.security.auth.login.config",saslConfFile.getAbsolutePath());
+        }
+        catch (IOException e) {
+            // could not create tmp directory to hold JAAS conf file : test will fail now.
+        }
+    }
+
+    private AtomicInteger authFailed = new AtomicInteger(0);
+
+    private class MyWatcher extends CountdownWatcher {
+        @Override
+        public synchronized void process(WatchedEvent event) {
+            if (event.getState() == KeeperState.AuthFailed) {
+                authFailed.incrementAndGet();
+            }
+            else {
+                super.process(event);
+            }
+        }
+    }
+
+    @Test
+    public void testAuth() throws Exception {
+        ZooKeeper zk = createClient();
+        Thread.sleep(1000);
+        try {
+            zk.create("/path1", null, Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
+            Thread.sleep(1000);
+        } catch (KeeperException e) {
+          Assert.fail("test failed :" + e);
+        }
+        finally {
+            zk.close();
+        }
+    }
+}

Added: zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java?rev=1240919&view=auto
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
(added)
+++ zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
Mon Feb  6 08:36:36 2012
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.zookeeper.CreateMode;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.WatchedEvent;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.Watcher.Event.KeeperState;
+import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.client.ZooKeeperSaslClient;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SaslAuthFailDesignatedClientTest extends ClientBase {
+    static {
+        System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+        System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "MyZookeeperClient");
+
+        try {
+            File tmpDir = createTmpDir();
+            File saslConfFile = new File(tmpDir, "jaas.conf");
+            FileWriter fwriter = new FileWriter(saslConfFile);
+
+            fwriter.write("" +
+                "Server {\n" +
+                "          org.apache.zookeeper.server.auth.DigestLoginModule required\n"
+
+                "          user_myuser=\"mypassword\";\n" +
+                "};\n" +
+                "Client {\n" + /* this 'Client' section has the correct password, but we're
not configured
+                                  to  use it (we're configured by the above System.setProperty(...LOGIN_CONTEXT_NAME_KEY...)
to 
+                                  use the 'MyZookeeperClient' section, which has an incorrect
password).*/
+                "       org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+                "       username=\"myuser\"\n" +
+                "       password=\"mypassword\";\n" +
+                "};" +
+                "MyZookeeperClient {\n" +
+                "       org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+                "       username=\"myuser\"\n" +
+                "       password=\"wrongpassword\";\n" +
+                "};" + "\n");
+            fwriter.close();
+            System.setProperty("java.security.auth.login.config",saslConfFile.getAbsolutePath());
+        }
+        catch (IOException e) {
+            // could not create tmp directory to hold JAAS conf file : test will fail now.
+        }
+    }
+
+    private AtomicInteger authFailed = new AtomicInteger(0);
+
+    private class MyWatcher extends CountdownWatcher {
+        @Override
+        public synchronized void process(WatchedEvent event) {
+            if (event.getState() == KeeperState.AuthFailed) {
+                authFailed.incrementAndGet();
+            }
+            else {
+                super.process(event);
+            }
+        }
+    }
+
+    @Test
+    public void testAuth() throws Exception {
+        ZooKeeper zk = createClient();
+        Thread.sleep(1000);
+        try {
+            zk.create("/path1", null, Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
+            Assert.fail("Should have gotten exception.");
+        } catch (KeeperException e) {
+            // ok, exception as expected.
+            LOG.info("Got exception as expected: " + e);
+        }
+        finally {
+            zk.close();
+        }
+    }
+}

Added: zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
URL: http://svn.apache.org/viewvc/zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java?rev=1240919&view=auto
==============================================================================
--- zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
(added)
+++ zookeeper/branches/branch-3.4/src/java/test/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
Mon Feb  6 08:36:36 2012
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.zookeeper.CreateMode;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.WatchedEvent;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.Watcher.Event.KeeperState;
+import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.client.ZooKeeperSaslClient;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SaslAuthMissingClientConfigTest extends ClientBase {
+    static {
+        System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+        // This configuration section 'MyZookeeperClient', is missing from the JAAS configuration.
+        // As a result, SASL authentication should fail, which is tested by this test (testAuth()).
+        System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "MyZookeeperClient");
+
+        try {
+            File tmpDir = createTmpDir();
+            File saslConfFile = new File(tmpDir, "jaas.conf");
+            FileWriter fwriter = new FileWriter(saslConfFile);
+
+            fwriter.write("" +
+                "Server {\n" +
+                "          org.apache.zookeeper.server.auth.DigestLoginModule required\n"
+
+                "          user_myuser=\"mypassword\";\n" +
+                "};\n" +
+                "Client {\n" + /* this 'Client' section has the correct password, but we're
not configured
+                                  to  use it - we're configured instead by the above
+                                  System.setProperty(...LOGIN_CONTEXT_NAME_KEY...) to
+                                  use the (nonexistent) 'MyZookeeperClient' section. */
+                "       org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+                "       username=\"myuser\"\n" +
+                "       password=\"mypassword\";\n" +
+                "};\n");
+            fwriter.close();
+            System.setProperty("java.security.auth.login.config",saslConfFile.getAbsolutePath());
+        }
+        catch (IOException e) {
+            // could not create tmp directory to hold JAAS conf file : test will fail now.
+        }
+    }
+
+    private AtomicInteger authFailed = new AtomicInteger(0);
+
+    private class MyWatcher extends CountdownWatcher {
+        @Override
+        public synchronized void process(WatchedEvent event) {
+            if (event.getState() == KeeperState.AuthFailed) {
+                authFailed.incrementAndGet();
+            }
+            else {
+                super.process(event);
+            }
+        }
+    }
+
+    @Test
+    public void testAuth() throws Exception {
+        ZooKeeper zk = createClient();
+        Thread.sleep(1000);
+        try {
+            zk.create("/path1", null, Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
+            Assert.fail("Should have gotten exception.");
+        } catch (KeeperException e) {
+            // ok, exception as expected.
+            LOG.info("Got exception as expected: " + e);
+        }
+        finally {
+            zk.close();
+        }
+    }
+}



Mime
View raw message