author | Harald Musum <musum@verizonmedia.com> | 2019-09-04 00:13:28 +0200 |
---|---|---|
committer | Harald Musum <musum@verizonmedia.com> | 2019-09-04 00:13:28 +0200 |
commit | af3c9a5995a8129ad4370ed5b5683d1ceb4911a0 (patch) | |
tree | 8b5186ff04ff0ea87255286426b9e283aae04627 /zkfacade | |
parent | 60fd75a278e732e0620d71dbfc16853d819309de (diff) |
Do not use RestrictedServerCnxnFactory
Do not use it for self-hosted; the feature cannot be supported
with ZooKeeper 3.5 (but secure communication can be set up with
ZooKeeper 3.5, which supports it from that version on)
Diffstat (limited to 'zkfacade')
-rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java | 90 | ||||
-rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java | 2 |
2 files changed, 0 insertions, 92 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
deleted file mode 100644
index dab9ddb243b..00000000000
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.zookeeper;
-
-import com.google.common.collect.ImmutableSet;
-import com.yahoo.net.HostName;
-import com.yahoo.text.StringUtilities;
-import org.apache.zookeeper.server.NIOServerCnxn;
-import org.apache.zookeeper.server.NIOServerCnxnFactory;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.nio.channels.SelectionKey;
-import java.nio.channels.SocketChannel;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.logging.Logger;
-
-/**
- * This class is created by zookeeper by reflection, see the ZooKeeperServer constructor. It will only work
- * when using ZooKeeper 3.4
- *
- * @author bratseth
- */
-@SuppressWarnings("unused")
-public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
-
- private static final Logger log = Logger.getLogger(RestrictedServerCnxnFactory.class.getName());
-
- public RestrictedServerCnxnFactory() throws IOException {
- super();
- }
-
- @Override
- protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException {
- NIOServerCnxn ret = super.createConnection(socket, selection);
- validateRemoteOrClose(socket);
- return ret;
- }
-
- private void validateRemoteOrClose(SocketChannel socket) {
- try {
- String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
-
- if (isLocalHost(remoteHost)) return; // always allow localhost
-
- ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients();
-
- if (allowedZooKeeperClients.isEmpty()) return; // inactive: allow all
- if (allowedZooKeeperClients.contains(remoteHost)) return; // allowed
-
- // Not allowed: Reject connection
- String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
- ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients;
-
log.info(errorMessage);
- socket.shutdownInput();
- socket.shutdownOutput();
- } catch (Exception e) {
- log.warning("Unexpected exception: "+e);
- }
- }
-
- /** Returns the allowed client host names. If the list is empty any host is allowed. */
- private ImmutableSet<String> findAllowedZooKeeperClients() {
- // Environment has precedence. Note that
- // - if this is set to "", client restriction is disabled
- // - this environment variable is a public API - do not change
- String environmentAllowedZooKeeperClients = System.getenv("vespa_zkfacade__restrict");
- if (environmentAllowedZooKeeperClients != null)
- return ImmutableSet.copyOf(toHostnameSet(environmentAllowedZooKeeperClients));
- else
- return ImmutableSet.of();
- }
-
- private Set<String> toHostnameSet(String hostnamesString) {
- Set<String> hostnames = new HashSet<>();
- for (String hostname : StringUtilities.split(hostnamesString)) {
- if ( ! hostname.trim().isEmpty())
- hostnames.add(hostname.trim());
- }
- return hostnames;
- }
-
- private boolean isLocalHost(String remoteHost) {
- if (remoteHost.equals("localhost")) return true;
- if (remoteHost.equals("localhost.localdomain")) return true;
- if (remoteHost.equals(HostName.getLocalhost())) return true;
- return false;
- }
-
-}
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
index 5b78bc48a2d..8342dfb16df 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
@@ -31,8 +31,6 @@ public class ZooKeeperServer extends AbstractComponent implements Runnable {
 this.zookeeperServerConfig = zookeeperServerConfig;
 System.setProperty("zookeeper.jmx.log4j.disable", "true");
 System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, "" + zookeeperServerConfig.juteMaxBuffer());
- if (zookeeperServerConfig.useRestrictedServerCnxnFactory())
- System.setProperty("zookeeper.serverCnxnFactory", "com.yahoo.vespa.zookeeper.RestrictedServerCnxnFactory");
 writeConfigToDisk(zookeeperServerConfig);
 zkServerThread = new Thread(this, "zookeeper server"); |