authorHarald Musum <musum@oath.com>2018-10-24 13:48:12 +0200
committerGitHub <noreply@github.com>2018-10-24 13:48:12 +0200
commitdf4d28c2386a4f8702086412b0e66211e4237b4f (patch)
tree6d26e6fd59fc5ad0ecbbbe9339f0dc4498597ebc
parent9775bbacdd69dc5cf9deea0f919b3f9624521b22 (diff)
Revert "No need for restricting access to zookeeper in hosted vespa"
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java8
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java22
-rw-r--r--zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java3
3 files changed, 25 insertions, 8 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
index dab9ddb243b..d7f42c7e6e9 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
@@ -16,8 +16,7 @@ import java.util.Set;
import java.util.logging.Logger;
/**
- * This class is created by zookeeper by reflection, see the ZooKeeperServer constructor. It will only work
- * when using ZooKeeper 3.4
+ * This class is created by zookeeper by reflection, see the ZooKeeperServer constructor.
*
* @author bratseth
*/
@@ -67,8 +66,9 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
String environmentAllowedZooKeeperClients = System.getenv("vespa_zkfacade__restrict");
if (environmentAllowedZooKeeperClients != null)
return ImmutableSet.copyOf(toHostnameSet(environmentAllowedZooKeeperClients));
- else
- return ImmutableSet.of();
+
+ // No environment setting -> use static field
+ return ZooKeeperServer.getAllowedClientHostnames();
}
private Set<String> toHostnameSet(String hostnamesString) {
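Review bot: The `vespa_zkfacade__restrict` environment variable still takes precedence over the hosted-Vespa allow-list restored by this revert, and an empty set returned from this method means "allow from anywhere" per the Javadoc on ZooKeeperServer.allowedClientHostnames; so a process started with the variable set to something that `toHostnameSet` maps to an empty set would silently drop the restriction rather than fall back to the static field (toHostnameSet's body and the enclosing method's signature are outside this hunk, so I cannot confirm how blank input is handled). I would state the precedence and the fail-open meaning at the return, e.g. `// Environment override wins over the hosted-Vespa allow-list; an empty result disables the restriction entirely`. If an empty override is never intended, consider guarding it as `if (environmentAllowedZooKeeperClients != null && !environmentAllowedZooKeeperClients.trim().isEmpty())` so blank values fall through to `ZooKeeperServer.getAllowedClientHostnames()`.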
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
index 9c580b4f9ce..c42c1793c41 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
@@ -1,7 +1,9 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;
+import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
+import com.yahoo.cloud.config.ConfigserverConfig;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.log.LogLevel;
@@ -21,18 +23,29 @@ import java.util.stream.Collectors;
*/
public class ZooKeeperServer extends AbstractComponent implements Runnable {
+ /**
+ * The set of hosts which can access the ZooKeeper server in this VM, or empty
+ * to allow access from anywhere.
+ * This belongs logically to the server instance and is final, but must be static to make it accessible
+ * from RestrictedServerCnxnFactory, which is created by ZK through reflection.
+ */
+ private static ImmutableSet<String> allowedClientHostnames = ImmutableSet.of();
+
private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(ZooKeeperServer.class.getName());
private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable";
static final String ZOOKEEPER_JUTE_MAX_BUFFER = "jute.maxbuffer";
private final Thread zkServerThread;
private final ZookeeperServerConfig zookeeperServerConfig;
- ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, boolean startServer) {
+ ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, ConfigserverConfig configserverConfig, boolean startServer) {
this.zookeeperServerConfig = zookeeperServerConfig;
System.setProperty("zookeeper.jmx.log4j.disable", "true");
System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, "" + zookeeperServerConfig.juteMaxBuffer());
System.setProperty("zookeeper.serverCnxnFactory", "com.yahoo.vespa.zookeeper.RestrictedServerCnxnFactory");
+ if (configserverConfig.hostedVespa()) // restrict access to config servers only
+ allowedClientHostnames = ImmutableSet.copyOf(zookeeperServerHostnames(zookeeperServerConfig));
+
writeConfigToDisk(zookeeperServerConfig);
zkServerThread = new Thread(this, "zookeeper server");
if (startServer) {
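Review bot: The allow-list assigned at the new `if (configserverConfig.hostedVespa())` line is a set of hostnames, so whatever RestrictedServerCnxnFactory does to match a connecting client presumably involves resolving the peer address to a name; if that is reverse DNS, the restriction is only as trustworthy as the resolver the server uses, which is worth stating next to the field rather than leaving implicit (the matching code is not in this diff, so this is a hedge). The non-hosted branch leaves the set empty, which the Javadoc defines as "allow access from anywhere", so this is a fail-open default and deserves a comment on the line itself, e.g. `// Hosted Vespa only: restrict clients to the ZK ensemble hosts; elsewhere the empty set means no restriction`. The field is also written here by the constructing thread and read later from the "zookeeper server" thread via the factory; that is ordered by `Thread.start()` as written, but declaring it `private static volatile ImmutableSet<String> allowedClientHostnames` would keep it correct if the factory is ever created on another path. The constructor body continues past the end of this hunk.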
@@ -41,10 +54,13 @@ public class ZooKeeperServer extends AbstractComponent implements Runnable {
}
@Inject
- public ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig) {
- this(zookeeperServerConfig, true);
+ public ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, ConfigserverConfig configserverConfig) {
+ this(zookeeperServerConfig, configserverConfig, true);
}
+ /** Returns the hosts which are allowed to access this ZooKeeper server, or empty to allow access from anywhere */
+ public static ImmutableSet<String> getAllowedClientHostnames() { return allowedClientHostnames; }
+
private void writeConfigToDisk(ZookeeperServerConfig config) {
String configFilePath = getDefaults().underVespaHome(config.zooKeeperConfigFile());
new File(configFilePath).getParentFile().mkdirs();
diff --git a/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java b/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
index db1852d9d2a..362ea901534 100644
--- a/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
+++ b/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
@@ -1,6 +1,7 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;
+import com.yahoo.cloud.config.ConfigserverConfig;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.io.IOUtils;
import org.junit.Rule;
@@ -53,7 +54,7 @@ public class ZooKeeperServerTest {
}
private void createServer(ZookeeperServerConfig.Builder builder) {
- new ZooKeeperServer(new ZookeeperServerConfig(builder), false);
+ new ZooKeeperServer(new ZookeeperServerConfig(builder), new ConfigserverConfig(new ConfigserverConfig.Builder()), false);
}
@Test(expected = RuntimeException.class)
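Review bot: The updated `createServer` passes a default-built `ConfigserverConfig`, so unless the builder's default for `hostedVespa` is true (not visible here) none of these tests exercise the branch this revert restores, and `ZooKeeperServer.getAllowedClientHostnames()` is never asserted non-empty. A small test that builds the config with hosted Vespa enabled and checks the returned set equals the configured server hostnames would pin the restriction so a future cleanup cannot drop it again unnoticed; since the field is static, that test should also reset or account for state left by earlier tests. The test class continues outside this hunk.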