Repository: ambari Updated Branches: refs/heads/trunk 8e646eb2d -> 410f57e2a
AMBARI-19425. Add secure znode command for ambari infra solr client (oleewere) Change-Id: I41d56d3af2b5029e669212cd1c4371789fe9e3ef Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/410f57e2 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/410f57e2 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/410f57e2 Branch: refs/heads/trunk Commit: 410f57e2a7bfdb80b9651bb37ba9d341c179137d Parents: 8e646eb Author: oleewere <[email protected]> Authored: Mon Jan 9 15:23:50 2017 +0100 Committer: oleewere <[email protected]> Committed: Tue Jan 10 13:09:59 2017 +0100 ---------------------------------------------------------------------- .../libraries/functions/solr_cloud_util.py | 18 ++++- .../logsearch/solr/AmbariSolrCloudCLI.java | 71 +++++++++--------- .../logsearch/solr/AmbariSolrCloudClient.java | 48 +++--------- .../solr/AmbariSolrCloudClientBuilder.java | 6 -- .../solr/commands/CopyZnodeZkCommand.java | 79 -------------------- .../solr/commands/CreateSaslUsersZkCommand.java | 3 +- .../solr/commands/SecureSolrZNodeZkCommand.java | 74 ++++++++++++++++++ .../solr/commands/SecureZNodeZkCommand.java | 19 ++--- .../ambari/logsearch/solr/util/AclUtils.java | 62 +++++++++++++-- 9 files changed, 199 insertions(+), 181 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py index 521c9c6..2e48c6a 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py 
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py @@ -162,14 +162,24 @@ def set_cluster_prop(zookeeper_quorum, solr_znode, prop_name, prop_value, java64 set_cluster_prop_cmd+=format(' --jaas-file {jaas_file}') Execute(set_cluster_prop_cmd) -def create_sasl_users(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]): +def secure_znode(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]): """ - Add list of sasl users to a znode + Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world. """ solr_cli_prefix = __create_solr_cloud_cli_prefix(zookeeper_quorum, solr_znode, java64_home, True) sasl_users_str = ",".join(str(x) for x in sasl_users) - create_sasl_users_cmd = format('{solr_cli_prefix} --create-sasl-users --jaas-file {jaas_file} --sasl-users {sasl_users_str}') - Execute(create_sasl_users_cmd) + secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str}') + Execute(secure_znode_cmd) + + +def secure_solr_znode(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]): + """ + Secure solr znode - setup acls to 'cdrwa' for solr user, set 'r' only for the world, skipping /znode/configs and znode/collections (set those to 'cr' for the world) + """ + solr_cli_prefix = __create_solr_cloud_cli_prefix(zookeeper_quorum, solr_znode, java64_home, True) + sasl_users_str = ",".join(str(x) for x in sasl_users) + secure_solr_znode_cmd = format('{solr_cli_prefix} --secure-solr-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str}') + Execute(secure_solr_znode_cmd) def default_config(config, name, default_value): subdicts = filter(None, name.split('/')) http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudCLI.java ---------------------------------------------------------------------- 
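Review bot: The default `sasl_users=[]` in `secure_znode` and `secure_solr_znode` builds a command ending in `--sasl-users ` with no value, while the Java CLI in this commit passes `saslUsersOption` to `validateRequiredOptions` for both commands, so the default can only fail at run time (a list default is also shared between calls). Make the parameter required or fail early, for example `if not sasl_users: raise ValueError("sasl_users must not be empty")`. `jaas_file` and the user names are interpolated unquoted into a command string handed to `Execute`, which presumably runs it through a shell; shell-quoting these configuration-derived values would keep a stray space or metacharacter from changing the command. The two functions differ only in the flag name and could share one private helper.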
diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudCLI.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudCLI.java index 6035c86..94e43e4 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudCLI.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudCLI.java @@ -46,10 +46,10 @@ public class AmbariSolrCloudCLI { private static final String CREATE_SHARD_COMMAND = "create-shard"; private static final String CREATE_ZNODE = "create-znode"; private static final String SET_CLUSTER_PROP = "cluster-prop"; - private static final String SETUP_KERBEROS = "setup-kerberos"; private static final String SETUP_KERBEROS_PLUGIN = "setup-kerberos-plugin"; - private static final String CREATE_SASL_USERS = "create-sasl-users"; private static final String CHECK_ZNODE = "check-znode"; + private static final String SECURE_ZNODE_COMMAND = "secure-znode"; + private static final String SECURE_SOLR_ZNODE_COMMAND = "secure-solr-znode"; private static final String CMD_LINE_SYNTAX = "\n./solrCloudCli.sh --create-collection -z host1:2181,host2:2181/ambari-solr -c collection -cs conf_set" + "\n./solrCloudCli.sh --upload-config -z host1:2181,host2:2181/ambari-solr -d /tmp/myconfig_dir -cs config_set" 
@@ -59,8 +59,8 @@ public class AmbariSolrCloudCLI { + "\n./solrCloudCli.sh --create-znode -z host1:2181,host2:2181 -zn /ambari-solr" + "\n./solrCloudCli.sh --check-znode -z host1:2181,host2:2181 -zn /ambari-solr" + "\n./solrCloudCli.sh --cluster-prop -z host1:2181,host2:2181/ambari-solr -cpn urlScheme -cpn http" - + "\n./solrCloudCli.sh --create-sasl-users -z host1:2181,host2:2181 -zn /ambari-solr -csu logsearch,atlas,ranger" - + "\n./solrCloudCli.sh --setup-kerberos -z host1:2181,host2:2181 --secure -zn /ambari-solr-secure -cfz /ambari-solr-unsecure -jf /etc/path/my_jaas.conf" + + "\n./solrCloudCli.sh --secure-znode -z host1:2181,host2:2181 -zn /ambari-solr -su logsearch,atlas,ranger --jaas-file /etc/myconf/jaas_file" + + "\n./solrCloudCli.sh --secure-solr-znode -z host1:2181,host2:2181 -zn /ambari-solr -su logsearch,atlas,ranger --jaas-file /etc/myconf/jaas_file" + "\n./solrCloudCli.sh --setup-kerberos-plugin -z host1:2181,host2:2181 -zn /ambari-solr\n"; public static void main(String[] args) { @@ -119,14 +119,14 @@ public class AmbariSolrCloudCLI { .desc("Setup kerberos plugin in security.json (command)") .build(); - final Option setupKerberosOption = Option.builder("sk") - .longOpt(SETUP_KERBEROS) - .desc("Setup kerberos (command)") + final Option secureSolrZnodeOption = Option.builder("ssz") + .longOpt(SECURE_SOLR_ZNODE_COMMAND) + .desc("Set acls for solr znode") .build(); - final Option createSaslUsersOption = Option.builder("csu") - .longOpt(CREATE_SASL_USERS) - .desc("Create sasl users") + final Option secureZnodeOption = Option.builder("sz") + .longOpt(SECURE_ZNODE_COMMAND) + .desc("Set acls for znode") .build(); final Option shardNameOption = Option.builder("sn") 
@@ -318,6 +318,8 @@ public class AmbariSolrCloudCLI { options.addOption(configSetOption); options.addOption(configDirOption); options.addOption(collectionOption); + options.addOption(secureZnodeOption); + options.addOption(secureSolrZnodeOption); options.addOption(shardsOption); options.addOption(replicationOption); options.addOption(maxShardsOption); @@ -342,14 +344,14 @@ public class AmbariSolrCloudCLI { options.addOption(propValueOption); options.addOption(createZnodeOption); options.addOption(znodeOption); - options.addOption(setupKerberosOption); options.addOption(secureOption); options.addOption(copyFromZnodeOption); - options.addOption(createSaslUsersOption); options.addOption(saslUsersOption); options.addOption(checkZnodeOption); options.addOption(setupKerberosPluginOption); + AmbariSolrCloudClient solrCloudClient = null; + try { CommandLineParser cmdLineParser = new DefaultParser(); CommandLine cli = cmdLineParser.parse(options, args); 
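Review bot: `options.addOption(copyFromZnodeOption);` stays registered in the second hunk here, although this commit removes every reader of that option (`cli.getOptionValue("cfz")`, `withCopyFromZnode`, `getCopyFromZnode`) and the `--setup-kerberos` command that required it. As far as the visible hunks show, the CLI will keep accepting the flag and silently ignore it, which is misleading for an operator who still passes it from an old script. Drop this registration together with the option's definition, which sits outside the hunk, so a stale invocation fails with a parse error instead.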
@@ -380,22 +382,22 @@ public class AmbariSolrCloudCLI { } else if (cli.hasOption("cz")) { command = CREATE_ZNODE; validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption); - } else if (cli.hasOption("sk")) { - command = SETUP_KERBEROS; - validateRequiredOptions(cli, command, zkConnectStringOption, copyFromZnodeOption); - } else if (cli.hasOption("csu")){ - command = CREATE_SASL_USERS; - validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption, jaasFileOption); } else if (cli.hasOption("chz")){ command = CHECK_ZNODE; validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption); } else if (cli.hasOption("skp")) { command = SETUP_KERBEROS_PLUGIN; validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption); + } else if (cli.hasOption("sz")) { + command = SECURE_ZNODE_COMMAND; + validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption, jaasFileOption, saslUsersOption); + } else if (cli.hasOption("ssz")) { + command = SECURE_SOLR_ZNODE_COMMAND; + validateRequiredOptions(cli, command, zkConnectStringOption, znodeOption, jaasFileOption, saslUsersOption); } else { List<String> commands = Arrays.asList(CREATE_COLLECTION_COMMAND, CREATE_SHARD_COMMAND, UPLOAD_CONFIG_COMMAND, - DOWNLOAD_CONFIG_COMMAND, CONFIG_CHECK_COMMAND, SET_CLUSTER_PROP, CREATE_ZNODE, SETUP_KERBEROS, - CHECK_ZNODE, CREATE_SASL_USERS, SETUP_KERBEROS_PLUGIN); + DOWNLOAD_CONFIG_COMMAND, CONFIG_CHECK_COMMAND, SET_CLUSTER_PROP, CREATE_ZNODE, SECURE_ZNODE_COMMAND, + SECURE_SOLR_ZNODE_COMMAND, CHECK_ZNODE, SETUP_KERBEROS_PLUGIN); helpFormatter.printHelp(CMD_LINE_SYNTAX, options); exit(1, String.format("One of the supported commands is required (%s)", StringUtils.join(commands, "|"))); } 
@@ -424,8 +426,7 @@ public class AmbariSolrCloudCLI { String clusterPropValue = cli.hasOption("cpv") ? cli.getOptionValue("cpv") : null; String znode = cli.hasOption("zn") ? cli.getOptionValue("zn") : null; boolean isSecure = cli.hasOption("sec"); - String copyFromZnode = cli.hasOption("cfz") ? cli.getOptionValue("cfz") : null; - String saslUsers = cli.hasOption("su") ? cli.getOptionValue("su") : null; + String saslUsers = cli.hasOption("su") ? cli.getOptionValue("su") : ""; AmbariSolrCloudClientBuilder clientBuilder = new AmbariSolrCloudClientBuilder() .withZkConnectString(zkConnectString) @@ -450,11 +451,9 @@ public class AmbariSolrCloudCLI { .withClusterPropName(clusterPropName) .withClusterPropValue(clusterPropValue) .withZnode(znode) - .withCopyFromZnode(copyFromZnode) .withSecure(isSecure) .withSaslUsers(saslUsers); - AmbariSolrCloudClient solrCloudClient = null; switch (command) { case CREATE_COLLECTION_COMMAND: solrCloudClient = clientBuilder @@ -495,18 +494,6 @@ public class AmbariSolrCloudCLI { solrCloudClient = clientBuilder.build(); solrCloudClient.createZnode(); break; - case SETUP_KERBEROS: - solrCloudClient = clientBuilder.build(); - if (solrCloudClient.isSecure()) { - solrCloudClient.enableKerberos(); - } else { - solrCloudClient.disableKerberos(); - } - break; - case CREATE_SASL_USERS: - solrCloudClient = clientBuilder.build(); - solrCloudClient.addSaslUsers(); - break; case CHECK_ZNODE: solrCloudClient = clientBuilder.build(); boolean znodeExists = solrCloudClient.isZnodeExists(znode); 
@@ -519,6 +506,14 @@ public class AmbariSolrCloudCLI { solrCloudClient = clientBuilder.build(); solrCloudClient.setupKerberosPlugin(); break; + case SECURE_ZNODE_COMMAND: + solrCloudClient = clientBuilder.build(); + solrCloudClient.secureZnode(); + break; + case SECURE_SOLR_ZNODE_COMMAND: + solrCloudClient = clientBuilder.build(); + solrCloudClient.secureSolrZnode(); + break; default: throw new AmbariSolrCloudClientException(String.format("Not found command: '%s'", command)); } @@ -526,6 +521,10 @@ public class AmbariSolrCloudCLI { helpFormatter.printHelp( CMD_LINE_SYNTAX, options); exit(1, e.getMessage()); + } finally { + if (solrCloudClient != null && solrCloudClient.getSolrZkClient() != null) { + solrCloudClient.getSolrZkClient().close(); + } } exit(0, null); } http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClient.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClient.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClient.java index 20096fe..fa6162a 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClient.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClient.java @@ -19,7 +19,6 @@ package org.apache.ambari.logsearch.solr; import org.apache.ambari.logsearch.solr.commands.CheckConfigZkCommand; -import org.apache.ambari.logsearch.solr.commands.CopyZnodeZkCommand; import org.apache.ambari.logsearch.solr.commands.CreateCollectionCommand; import org.apache.ambari.logsearch.solr.commands.CreateSaslUsersZkCommand; import org.apache.ambari.logsearch.solr.commands.CreateShardCommand; 
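Review bot: The `finally` block added at the end of `main` will probably not run on the error path, because the `catch` calls `exit(1, e.getMessage())` first. If `exit` wraps `System.exit` (its body is outside the hunk, but `exit(0, null)` after the `try` suggests so), the JVM terminates inside the `catch` and the ZooKeeper client is only closed on success. Record the outcome instead, e.g. `exitCode = 1; exitMessage = e.getMessage();` in the `catch`, and call `exit(exitCode, exitMessage);` once after the `finally`. `main` begins outside this hunk, so other `catch` clauses may need the same treatment.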
@@ -28,14 +27,12 @@ import org.apache.ambari.logsearch.solr.commands.DownloadConfigZkCommand; import org.apache.ambari.logsearch.solr.commands.EnableKerberosPluginSolrZkCommand; import org.apache.ambari.logsearch.solr.commands.GetShardsCommand; import org.apache.ambari.logsearch.solr.commands.GetSolrHostsCommand; -import org.apache.ambari.logsearch.solr.commands.GetStateFileZkCommand; import org.apache.ambari.logsearch.solr.commands.ListCollectionCommand; +import org.apache.ambari.logsearch.solr.commands.SecureSolrZNodeZkCommand; import org.apache.ambari.logsearch.solr.commands.SecureZNodeZkCommand; import org.apache.ambari.logsearch.solr.commands.SetClusterPropertyZkCommand; -import org.apache.ambari.logsearch.solr.commands.UpdateStateFileZkCommand; import org.apache.ambari.logsearch.solr.commands.UploadConfigZkCommand; import org.apache.ambari.logsearch.solr.commands.CheckZnodeZkCommand; -import org.apache.ambari.logsearch.solr.domain.AmbariSolrState; import org.apache.ambari.logsearch.solr.util.ShardUtils; import org.apache.commons.lang.StringUtils; import org.apache.solr.client.solrj.impl.CloudSolrClient; @@ -74,7 +71,6 @@ public class AmbariSolrCloudClient { private final String propName; private final String propValue; private final boolean secure; - private final String copyFromZnode; public AmbariSolrCloudClient(AmbariSolrCloudClientBuilder builder) { this.zkConnectString = builder.zkConnectString; @@ -97,7 +93,6 @@ public class AmbariSolrCloudClient { this.propName = builder.propName; this.propValue = builder.propValue; this.secure = builder.secure; - this.copyFromZnode = builder.copyFromZnode; } /** 
@@ -180,35 +175,18 @@ public class AmbariSolrCloudClient { LOG.info("KerberosPlugin is set in security.json"); } - public void enableKerberos() throws Exception { - LOG.info("Trying to enable kerberos from solr-client"); - AmbariSolrState actualState = new GetStateFileZkCommand(getRetryTimes(), getInterval(), this.copyFromZnode).run(this); - if (AmbariSolrState.UNSECURE.equals(actualState)) { - LOG.info("Enable kerberos. Copy unsecure znode ('{}') content to secure ('{}')", this.znode, this.copyFromZnode); - new CopyZnodeZkCommand(getRetryTimes(), getInterval()).run(this); - LOG.info("Copying contents from unsecure znode to secure znode has done."); - setupKerberosPlugin(); - new SecureZNodeZkCommand(getRetryTimes(), getInterval()).run(this); - LOG.info("Set world:anyone permission to READ only."); - AmbariSolrState state = new UpdateStateFileZkCommand(getRetryTimes(), getInterval(), this.copyFromZnode).run(this); - LOG.info("Enabling kerberos successful, state: {}", state); - } else { - LOG.info("It is not needed to enable kerberos."); - } + /** + * Secure solr znode + */ + public void secureSolrZnode() throws Exception { + new SecureSolrZNodeZkCommand(getRetryTimes(), getInterval()).run(this); } - public void disableKerberos() throws Exception { - LOG.info("Trying to disable kerberos from solr-client"); - AmbariSolrState actualState = new GetStateFileZkCommand(getRetryTimes(), getInterval(), this.znode).run(this); - if (AmbariSolrState.SECURE.equals(actualState)) { - LOG.info("Disable kerberos. 
Copy secure znode ('{}') content to unsecure ('{}')"); - new CopyZnodeZkCommand(getRetryTimes(), getInterval()).run(this); - LOG.info("Copying contents from secure znode to unsecure znode has done."); - AmbariSolrState state = new UpdateStateFileZkCommand(getRetryTimes(), getInterval(), this.znode).run(this); - LOG.info("Set new state: {}", state); - } else { - LOG.info("It is not needed to disable kerberos."); - } + /** + * Secure znode + */ + public void secureZnode() throws Exception { + new SecureZNodeZkCommand(getRetryTimes(), getInterval()).run(this); } /** @@ -361,8 +339,4 @@ public class AmbariSolrCloudClient { public boolean isSecure() { return secure; } - - public String getCopyFromZnode() { - return copyFromZnode; - } } http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClientBuilder.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClientBuilder.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClientBuilder.java index bad622b..590485f 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClientBuilder.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/AmbariSolrCloudClientBuilder.java @@ -52,7 +52,6 @@ public class AmbariSolrCloudClientBuilder { String propName; String propValue; boolean secure; - String copyFromZnode; public AmbariSolrCloudClient build() { return new AmbariSolrCloudClient(this); 
@@ -201,11 +200,6 @@ public class AmbariSolrCloudClientBuilder { return this; } - public AmbariSolrCloudClientBuilder withCopyFromZnode(String copyFromZnode) { - this.copyFromZnode = copyFromZnode; - return this; - } - private void setupSecurity(String jaasFile) { if (jaasFile != null) { System.setProperty("java.security.auth.login.config", jaasFile); http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CopyZnodeZkCommand.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CopyZnodeZkCommand.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CopyZnodeZkCommand.java deleted file mode 100644 index a202930..0000000 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CopyZnodeZkCommand.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.ambari.logsearch.solr.commands; - -import org.apache.ambari.logsearch.solr.AmbariSolrCloudClient; -import org.apache.solr.common.cloud.SolrZkClient; -import org.apache.solr.common.cloud.SolrZooKeeper; -import org.apache.zookeeper.CreateMode; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.util.ArrayList; -import java.util.List; - -public class CopyZnodeZkCommand extends AbstractZookeeperRetryCommand<Boolean> { - - private static final Logger LOG = LoggerFactory.getLogger(CopyZnodeZkCommand.class); - - public CopyZnodeZkCommand(int maxRetries, int interval) { - super(maxRetries, interval); - } - - @Override - protected Boolean executeZkCommand(AmbariSolrCloudClient client, SolrZkClient zkClient, SolrZooKeeper solrZooKeeper) - throws Exception { - String znode = client.getZnode(); - String znodeCopyFromZnode = client.getCopyFromZnode(); - List<String> children = solrZooKeeper.getChildren(znodeCopyFromZnode, true); - children = filterRootChildren(children); - copyConent(znodeCopyFromZnode, znode, children, zkClient); - return true; - } - - private void copyConent(String srcParentPath, String 
destParentPath, List<String> children, SolrZkClient zkClient) - throws Exception { - if (!children.isEmpty()) { - for (String child : children) { - String srcPath = String.format("%s/%s", srcParentPath, child); - String destPath = String.format("%s/%s", destParentPath, child); - byte[] data = zkClient.getData(srcPath, null, null, true); - if (zkClient.exists(destPath, true)) { - zkClient.setData(destPath, data, true); - } else { - zkClient.create(destPath, data, CreateMode.PERSISTENT, true); - } - LOG.info("Copy file from '{}' to '{}'", srcPath, destPath); - copyConent(srcPath, destPath, zkClient.getChildren(srcPath, null, true), zkClient); - } - } - } - - private List<String> filterRootChildren(List<String> children) { - List<String> filteredResult = new ArrayList<>(); - if (!children.isEmpty()) { - for (String child : children) { - if (!child.equals("security.json") && !child.equals(AbstractStateFileZkCommand.STATE_FILE)){ - filteredResult.add(child); - } - } - } - return filteredResult; - } -} http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CreateSaslUsersZkCommand.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CreateSaslUsersZkCommand.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CreateSaslUsersZkCommand.java index 1c25b9f..b144b41 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CreateSaslUsersZkCommand.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/CreateSaslUsersZkCommand.java 
@@ -28,7 +28,6 @@ import org.apache.zookeeper.data.ACL; import org.apache.zookeeper.data.Id; import org.apache.zookeeper.data.Stat; -import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; import java.util.Set; @@ -49,12 +48,12 @@ public class CreateSaslUsersZkCommand extends AbstractZookeeperRetryCommand<Stri String[] saslUserNames = saslUsers.split(","); for (String saslUser : saslUserNames) { if (!existingUsers.contains(saslUser)) { - //solrZooKeeper.addAuthInfo("sasl", saslUser.getBytes(StandardCharsets.UTF_8)); acls.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", saslUser))); newUsers.add(saslUser); } } } + acls = AclUtils.updatePermissionForScheme(acls, "world", ZooDefs.Perms.READ); solrZooKeeper.setACL(client.getZnode(), acls, -1); return StringUtils.join(newUsers, ","); } http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureSolrZNodeZkCommand.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureSolrZNodeZkCommand.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureSolrZNodeZkCommand.java new file mode 100644 index 0000000..faa21d4 --- /dev/null +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureSolrZNodeZkCommand.java 
@@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ambari.logsearch.solr.commands; + +import org.apache.ambari.logsearch.solr.AmbariSolrCloudClient; +import org.apache.ambari.logsearch.solr.util.AclUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.solr.common.cloud.SolrZkClient; +import org.apache.solr.common.cloud.SolrZooKeeper; +import org.apache.zookeeper.ZooDefs; +import org.apache.zookeeper.data.ACL; +import org.apache.zookeeper.data.Id; +import org.apache.zookeeper.data.Stat; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +public class SecureSolrZNodeZkCommand extends AbstractZookeeperRetryCommand<Boolean> { + + private static final Logger LOG = LoggerFactory.getLogger(SecureSolrZNodeZkCommand.class); + + public SecureSolrZNodeZkCommand(int maxRetries, int interval) { + super(maxRetries, interval); + } + + @Override + protected Boolean executeZkCommand(AmbariSolrCloudClient client, SolrZkClient zkClient, SolrZooKeeper solrZooKeeper) throws Exception { + String zNode = client.getZnode(); + List<ACL> newAclList = new ArrayList<>(); + List<ACL> saslUserList 
= AclUtils.createAclListFromSaslUsers(client.getSaslUsers().split(",")); + newAclList.addAll(saslUserList); + newAclList.add(new ACL(ZooDefs.Perms.READ, new Id("world", "anyone"))); + + String configsPath = String.format("%s/%s", zNode, "configs"); + String collectionsPath = String.format("%s/%s", zNode, "collections"); + List<String> exlustePaths = Arrays.asList(configsPath, collectionsPath); + + AclUtils.setRecursivelyOn(client.getSolrZkClient().getSolrZooKeeper(), zNode, newAclList, exlustePaths); + + List<ACL> commonConfigAcls = new ArrayList<>(); + commonConfigAcls.addAll(saslUserList); + commonConfigAcls.add(new ACL(ZooDefs.Perms.READ | ZooDefs.Perms.CREATE, new Id("world", "anyone"))); + + LOG.info("Set sasl users for znode '{}' : {}", client.getZnode(), StringUtils.join(saslUserList, ",")); + LOG.info("Skip {}/configs and {}/collections", client.getZnode(), client.getZnode()); + solrZooKeeper.setACL(configsPath, AclUtils.mergeAcls(solrZooKeeper.getACL(configsPath, new Stat()), commonConfigAcls), -1); + solrZooKeeper.setACL(collectionsPath, AclUtils.mergeAcls(solrZooKeeper.getACL(collectionsPath, new Stat()), commonConfigAcls), -1); + + LOG.info("Set world:anyone to 'cr' on {}/configs and {}/collections", client.getZnode(), client.getZnode()); + AclUtils.setRecursivelyOn(solrZooKeeper, configsPath, saslUserList); + AclUtils.setRecursivelyOn(solrZooKeeper, collectionsPath, saslUserList); + + return true; + } +} http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureZNodeZkCommand.java ---------------------------------------------------------------------- 
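Review bot: The last two `setRecursivelyOn` calls in `executeZkCommand` pass only `saslUserList`, so every znode below `configs` and `collections` keeps whatever `world` entry it already had, because `AclUtils.mergeAcls` retains original entries that the update list does not override. If those children were created with an open ACL they stay world-writable after a command named "secure", and only the two parent nodes get `cr`. If that is intended, state it in a comment; otherwise pass a list that carries an explicit world entry, e.g. `AclUtils.setRecursivelyOn(solrZooKeeper, configsPath, commonConfigAcls);`. The `getACL`/`setACL` calls on `configsPath` and `collectionsPath` also assume both znodes exist, so an existence check or a clear error would help on a fresh znode. The local `exlustePaths` is a typo for `excludePaths`.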
diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureZNodeZkCommand.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureZNodeZkCommand.java index cdc3ebf..f62b399 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureZNodeZkCommand.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/commands/SecureZNodeZkCommand.java @@ -24,8 +24,9 @@ import org.apache.solr.common.cloud.SolrZkClient; import org.apache.solr.common.cloud.SolrZooKeeper; import org.apache.zookeeper.ZooDefs; import org.apache.zookeeper.data.ACL; -import org.apache.zookeeper.data.Stat; +import org.apache.zookeeper.data.Id; +import java.util.ArrayList; import java.util.List; public class SecureZNodeZkCommand extends AbstractZookeeperRetryCommand<Boolean> { 
@@ -36,13 +37,13 @@ public class SecureZNodeZkCommand extends AbstractZookeeperRetryCommand<Boolean> @Override protected Boolean executeZkCommand(AmbariSolrCloudClient client, SolrZkClient zkClient, SolrZooKeeper solrZooKeeper) throws Exception { - List<ACL> acls = solrZooKeeper.getACL(client.getZnode(), new Stat()); - boolean isSecure = client.isSecure(); - boolean isPermissionDiffers = AclUtils.isPermissionDiffersForScheme(acls, "world", ZooDefs.Perms.READ); - if (isSecure && isPermissionDiffers) { - acls = AclUtils.updatePermissionForScheme(acls, "world", ZooDefs.Perms.READ); - solrZooKeeper.setACL(client.getZnode(), acls, -1); - } - return isSecure; + String zNode = client.getZnode(); + List<ACL> newAclList = new ArrayList<>(); + List<ACL> saslUserList = AclUtils.createAclListFromSaslUsers(client.getSaslUsers().split(",")); + newAclList.addAll(saslUserList); + newAclList.add(new ACL(ZooDefs.Perms.READ, new Id("world", "anyone"))); + AclUtils.setRecursivelyOn(client.getSolrZkClient().getSolrZooKeeper(), zNode, newAclList); + return true; } + } http://git-wip-us.apache.org/repos/asf/ambari/blob/410f57e2/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/util/AclUtils.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/util/AclUtils.java b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/util/AclUtils.java index 23e5fb3..8e0132d 100644 --- a/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/util/AclUtils.java +++ b/ambari-logsearch/ambari-logsearch-solr-client/src/main/java/org/apache/ambari/logsearch/solr/util/AclUtils.java 
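Review bot: `executeZkCommand` now rewrites ACLs on the znode and every descendant, but no comment or log line says so, and the `client.isSecure()` guard that the old code applied is gone. A short Javadoc would record the contract, for example `/** Recursively grants ALL to each SASL user and READ to world:anyone on the znode and its children; existing entries for other ids are kept by AclUtils.mergeAcls. */`. The call could also use the `solrZooKeeper` argument rather than `client.getSolrZkClient().getSolrZooKeeper()`, as the later calls in SecureSolrZNodeZkCommand do. The class body starts outside the hunk.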
@@ -18,11 +18,18 @@ */ package org.apache.ambari.logsearch.solr.util; +import org.apache.solr.common.cloud.SolrZooKeeper; +import org.apache.zookeeper.KeeperException; +import org.apache.zookeeper.ZooDefs; import org.apache.zookeeper.data.ACL; +import org.apache.zookeeper.data.Id; +import org.apache.zookeeper.data.Stat; import java.util.ArrayList; +import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; public class AclUtils { 
@@ -57,15 +64,54 @@ public class AclUtils { return aclResult; } - public static boolean isPermissionDiffersForScheme(List<ACL> acls, String scheme, int permission) { - boolean result = false; - if (!acls.isEmpty()) { - for (ACL acl : acls) { - if (scheme.equals(acl.getId().getScheme()) && acl.getPerms() == permission) { - result = true; - } + public static List<ACL> mergeAcls(List<ACL> originalAcls, List<ACL> updateAcls) { + Map<String, ACL> aclMap = new HashMap<>(); + List<ACL> acls = new ArrayList<>(); + if (originalAcls != null) { + for (ACL acl : originalAcls) { + aclMap.put(acl.getId().getId(), acl); } } - return result; + + if (updateAcls != null) { + for (ACL acl : updateAcls) { + aclMap.put(acl.getId().getId(), acl); + } + } + + for (Map.Entry<String, ACL> aclEntry : aclMap.entrySet()) { + acls.add(aclEntry.getValue()); + } + return acls; + } + + public static List<ACL> createAclListFromSaslUsers(String[] saslUsers) { + List<ACL> saslUserList = new ArrayList<>(); + for (String saslUser : saslUsers) { + ACL acl = new ACL(); + acl.setId(new Id("sasl", saslUser)); + acl.setPerms(ZooDefs.Perms.ALL); + saslUserList.add(acl); + } + return saslUserList; + } + + public static void setRecursivelyOn(SolrZooKeeper solrZooKeeper, String node, List<ACL> acls) throws KeeperException, InterruptedException { + setRecursivelyOn(solrZooKeeper, node, acls, new ArrayList<String>()); + } + + public static void setRecursivelyOn(SolrZooKeeper solrZooKeeper, String node, List<ACL> acls, List<String> excludePaths) + throws KeeperException, InterruptedException { + if (!excludePaths.contains(node)) { + List<ACL> newAcls = AclUtils.mergeAcls(solrZooKeeper.getACL(node, new Stat()), acls); + solrZooKeeper.setACL(node, newAcls, -1); + for (String child : solrZooKeeper.getChildren(node, null)) { + setRecursivelyOn(solrZooKeeper, path(node, child), acls, excludePaths); + } + } + } + + private static String path(String node, String child) { + return node.endsWith("/") ? 
node + child : node + "/" + child; } }
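Review bot: `mergeAcls` keys its map on `acl.getId().getId()` alone, so two entries with the same id string under different schemes overwrite each other. A SASL user named `anyone` would collide with `world:anyone`, and whichever entry is put last silently wins. Key on scheme plus id instead. `createAclListFromSaslUsers` also turns every array element into an ACL with `Perms.ALL` without trimming or skipping blanks, so input such as `a,,b` or `a, b` yields an entry for an empty or space-prefixed id. The CLI default for `saslUsers` is now `""`, and `"".split(",")` returns one empty string.

```java
public static List<ACL> mergeAcls(List<ACL> originalAcls, List<ACL> updateAcls) {
  // … unchanged: map and result list setup, null checks, both for-loops …
      aclMap.put(aclKey(acl), acl); // in both loops, replacing acl.getId().getId()
  // … unchanged: copy the map values into the result list …
}

// Scheme and id together identify a ZooKeeper ACL entry.
private static String aclKey(ACL acl) {
  return acl.getId().getScheme() + ":" + acl.getId().getId();
}

public static List<ACL> createAclListFromSaslUsers(String[] saslUsers) {
  List<ACL> saslUserList = new ArrayList<>();
  for (String saslUser : saslUsers) {
    String name = saslUser == null ? "" : saslUser.trim();
    if (name.isEmpty()) {
      continue; // skip blanks from input such as "a,,b" or an empty value
    }
    saslUserList.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", name)));
  }
  return saslUserList;
}
```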
