Return-Path: Delivered-To: apmail-hadoop-zookeeper-commits-archive@minotaur.apache.org Received: (qmail 75090 invoked from network); 9 Jun 2009 05:21:38 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 9 Jun 2009 05:21:38 -0000 Received: (qmail 92344 invoked by uid 500); 9 Jun 2009 05:21:50 -0000 Delivered-To: apmail-hadoop-zookeeper-commits-archive@hadoop.apache.org Received: (qmail 92317 invoked by uid 500); 9 Jun 2009 05:21:50 -0000 Mailing-List: contact zookeeper-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: zookeeper-dev@ Delivered-To: mailing list zookeeper-commits@hadoop.apache.org Received: (qmail 92307 invoked by uid 99); 9 Jun 2009 05:21:50 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Jun 2009 05:21:50 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Jun 2009 05:21:48 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id EC6642388882; Tue, 9 Jun 2009 05:21:27 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r782882 - in /hadoop/zookeeper/trunk: ./ src/docs/src/documentation/content/xdocs/ src/java/main/org/apache/zookeeper/server/auth/ src/java/test/org/apache/zookeeper/test/ Date: Tue, 09 Jun 2009 05:21:27 -0000 To: zookeeper-commits@hadoop.apache.org 
From: breed@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090609052127.EC6642388882@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: breed Date: Tue Jun 9 05:21:27 2009 New Revision: 782882 URL: http://svn.apache.org/viewvc?rev=782882&view=rev Log: ZOOKEEPER-435. allow "super" admin digest based auth to be configurable Added: hadoop/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/AuthTest.java Modified: hadoop/zookeeper/trunk/CHANGES.txt hadoop/zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml hadoop/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/DigestAuthenticationProvider.java Modified: hadoop/zookeeper/trunk/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/zookeeper/trunk/CHANGES.txt?rev=782882&r1=782881&r2=782882&view=diff ============================================================================== --- hadoop/zookeeper/trunk/CHANGES.txt (original) +++ hadoop/zookeeper/trunk/CHANGES.txt Tue Jun 9 05:21:27 2009 @@ -113,6 +113,8 @@ ZOOKEEPER-406. address all findbugs warnings in persistence classes. (phunt et al via breed) + ZOOKEEPER-435. allow "super" admin digest based auth to be configurable (phunt via breed) + IMPROVEMENTS: ZOOKEEPER-308. improve the atomic broadcast performance 3x. (breed via mahadev) Modified: hadoop/zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml URL: http://svn.apache.org/viewvc/hadoop/zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml?rev=782882&r1=782881&r2=782882&view=diff ============================================================================== --- hadoop/zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml (original) +++ hadoop/zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml Tue Jun 9 05:21:27 2009 @@ -822,6 +822,47 @@ +
+ Authentication & Authorization Options + + The options in this section allow control over + authentication/authorization performed by the service. + + + + zookeeper.DigestAuthenticationProvider.superDigest + + + (Java system property only: zookeeper.DigestAuthenticationProvider.superDigest) + + By default this feature is disabled + + New in 3.2: + Enables a ZooKeeper ensemble administrator to access the + znode hierarchy as a "super" user. In particular no ACL + checking occurs for a user authenticated as + super. + + org.apache.zookeeper.server.auth.DigestAuthenticationProvider + can be used to generate the superDigest, call it with + one parameter of "super:<password>". Provide the + generated "super:<data>" as the system property value + when starting each server of the ensemble. + + When authenticating to a ZooKeeper server (from a + ZooKeeper client) pass a scheme of "digest" and authdata + of "super:<password>". Note that digest auth passes + the authdata in plaintext to the server, it would be + prudent to use this authentication method only on + localhost (not over the network) or over an encrypted + connection. + + + +
+
+ Unsafe Options Modified: hadoop/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/DigestAuthenticationProvider.java URL: http://svn.apache.org/viewvc/hadoop/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/DigestAuthenticationProvider.java?rev=782882&r1=782881&r2=782882&view=diff ==============================================================================
--- hadoop/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/DigestAuthenticationProvider.java (original)
+++ hadoop/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/DigestAuthenticationProvider.java Tue Jun 9 05:21:27 2009
@@ -18,7 +18,6 @@
 package org.apache.zookeeper.server.auth;
-import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -28,9 +27,16 @@
 import org.apache.zookeeper.server.ServerCnxn;
 public class DigestAuthenticationProvider implements AuthenticationProvider {
- private static final Logger LOG = Logger.getLogger(DigestAuthenticationProvider.class);
+ private static final Logger LOG =
+ Logger.getLogger(DigestAuthenticationProvider.class);
- public final static String superDigest = "super:1wZ8qIvQBMTq0KPxMc6RQ/PCXKM=";
+ /** specify a command line property with key of
+ * "zookeeper.DigestAuthenticationProvider.superDigest"
+ * and value of "super:" to enable
+ * super user access (i.e. acls disabled)
+ */
+ private final static String superDigest = System.getProperty(
+ "zookeeper.DigestAuthenticationProvider.superDigest");
 public String getScheme() {
 return "digest"; 
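Review bot: `superDigest` is now null whenever the system property is unset, and nothing in the hunk guards that case; the comparison site in handleAuthentication lies outside this hunk, so if it is written as `superDigest.equals(...)` rather than `id.equals(superDigest)` a server started without the property will throw NullPointerException on the first digest auth attempt — an explicit guard, `if (superDigest != null && superDigest.equals(...))`, makes the disabled-by-default contract visible in code rather than by accident of operand order. The new javadoc's `and value of "super:" to enable` reads as truncated (presumably a bracketed digest placeholder was lost); writing it as `value of "super:&lt;digest&gt;"` survives javadoc's HTML rendering. The field comment should also warn that a value supplied on the JVM command line is readable by anyone who can list processes on the host, so operators should prefer a mechanism that keeps it out of `ps` output.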
@@ -119,8 +125,12 @@
 return id.equals(aclExpr);
 }
- public static void main(String args[]) throws IOException,
- NoSuchAlgorithmException {
+ /** Call with a single argument of user:pass to generate authdata.
+ * Authdata output can be used when setting superDigest for example.
+ * @param args single argument of user:pass
+ * @throws NoSuchAlgorithmException
+ */
+ public static void main(String args[]) throws NoSuchAlgorithmException {
 for (int i = 0; i < args.length; i++) {
 System.out.println(args[i] + "->" + generateDigest(args[i]));
 } Added: hadoop/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/AuthTest.java URL: http://svn.apache.org/viewvc/hadoop/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/AuthTest.java?rev=782882&view=auto ==============================================================================
--- hadoop/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/AuthTest.java (added)
+++ hadoop/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/AuthTest.java Tue Jun 9 05:21:27 2009 
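Review bot: The new javadoc on `main` says "a single argument of user:pass", but the loop beneath it processes every element of `args`, so the comment under-describes what the method accepts; `/** Call with one or more user:pass arguments; prints each one followed by its generated authdata, which can be used as the superDigest property value. @param args one or more user:pass strings */` matches the code. As a point of style, `String args[]` is the C-style declarator and `String[] args` is the Java convention, worth fixing while the signature is being touched. The closing brace of `main` lies outside the hunk.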
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import org.apache.zookeeper.CreateMode;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.ZooDefs.Ids;
+import org.junit.Test;
+
+public class AuthTest extends ClientBase {
+ static {
+ // password is test
+ System.setProperty("zookeeper.DigestAuthenticationProvider.superDigest",
+ "super:D/InIHSb7yEEbrWz8b9l71RjZJU=");
+ }
+
+ @Test
+ public void testSuper() throws Exception {
+ ZooKeeper zk = createClient();
+ try {
+ zk.addAuthInfo("digest", "pat:pass".getBytes());
+ zk.create("/path1", null, Ids.CREATOR_ALL_ACL,
+ CreateMode.PERSISTENT);
+ zk.close();
+ // verify no auth
+ zk = createClient();
+ try {
+ zk.getData("/path1", false, null);
+ fail("auth verification");
+ } catch (KeeperException.NoAuthException e) {
+ // expected
+ }
+ zk.close();
+ // verify bad pass fails
+ zk = createClient();
+ zk.addAuthInfo("digest", "pat:pass2".getBytes());
+ try {
+ zk.getData("/path1", false, null);
+ fail("auth verification");
+ } catch (KeeperException.NoAuthException e) {
+ // expected
+ }
+ zk.close();
+ // verify super with bad pass fails
+ zk = 
createClient();
+ zk.addAuthInfo("digest", "super:test2".getBytes());
+ try {
+ zk.getData("/path1", false, null);
+ fail("auth verification");
+ } catch (KeeperException.NoAuthException e) {
+ // expected
+ }
+ zk.close();
+ // verify super with correct pass success
+ zk = createClient();
+ zk.addAuthInfo("digest", "super:test".getBytes());
+ zk.getData("/path1", false, null);
+ } finally {
+ zk.close();
+ }
+ }
+}
\ No newline at end of file
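Review bot: The static initializer sets `zookeeper.DigestAuthenticationProvider.superDigest` for the whole JVM and never clears it, so every test class that runs later in the same JVM has super access silently enabled, which can mask ACL regressions elsewhere in the suite; if ClientBase starts its server no earlier than the per-class setup, setting the property in a `@BeforeClass` method and removing it with `System.clearProperty("zookeeper.DigestAuthenticationProvider.superDigest")` in `@AfterClass` scopes it to this test. The four `"...".getBytes()` calls use the platform default charset, so the digest the server computes depends on the JVM's locale; `getBytes("UTF-8")` pins it, assuming the server side decodes the same way, which this hunk does not show. The test also never exercises the positive non-super path (a fresh client authenticating as `pat:pass` and reading /path1), so a regression that denies everyone except super would still pass.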