diff options
author | Arne H Juul <arnej@yahoo-inc.com> | 2016-11-15 15:19:31 +0100 |
---|---|---|
committer | Arne H Juul <arnej@yahoo-inc.com> | 2016-11-15 15:19:31 +0100 |
commit | 08076a6efe9eff85123028222cb120be6a8e54f2 (patch) | |
tree | 6978186075927b0da7d5776379a3b3af5863bcf2 /zkfacade | |
parent | 6a06153176b6420b659dbef1458be6733211cb28 (diff) |
return as expected but close the socket
* rejecting a connection by throwing an exception didn't work
in practice, we got gigabytes of NullPointerException warnings
and the configserver couldn't respond to requests anymore.
* instead, make the requested object normally, but check the
SocketChannel and close it for traffic if it's not allowed
before returning. This should make the normal handling of
closed connections do cleanup for us.
* Log any unexpected exceptions (since we're not quite sure
where the NullPointerException came from).
Diffstat (limited to 'zkfacade')
-rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java | 33 |
1 files changed, 23 insertions, 10 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java index 4c30e125d74..bababa9a25c 100644 --- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java +++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java @@ -29,18 +29,31 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory { @Override protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException { - ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients(); - String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName(); + NIOServerCnxn ret = super.createConnection(socket, selection); + validateRemoteOrClose(socket); + return ret; + } + + private void validateRemoteOrClose(SocketChannel socket) { + try { + String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName(); + + if (isLocalHost(remoteHost)) return; // always allow localhost - if (isLocalHost(remoteHost)) return super.createConnection(socket, selection); // always allow localhost - if (allowedZooKeeperClients.isEmpty()) return super.createConnection(socket, selection); // inactive: allow all - if (allowedZooKeeperClients.contains(remoteHost)) return super.createConnection(socket, selection); // allowed + ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients(); - // Not allowed: Reject connection - String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost + - ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients; - log.info(errorMessage); - throw new IllegalArgumentException(errorMessage); // log and throw as this exception will be suppressed by zk + if (allowedZooKeeperClients.isEmpty()) return; // inactive: allow all + if (allowedZooKeeperClients.contains(remoteHost)) return; // allowed + + // Not allowed: Reject connection + String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost + + ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients; + log.info(errorMessage); + socket.shutdownInput(); + socket.shutdownOutput(); + } catch (Exception e) { + log.warning("Unexpected exception: "+e); + } } /** Returns the allowed client host names. If the list is empty any host is allowed. */ |