authorJon Bratseth <bratseth@yahoo-inc.com>2016-11-09 10:04:39 +0100
committerJon Bratseth <bratseth@yahoo-inc.com>2016-11-09 10:04:39 +0100
commit8e2ce72dc1161eb5661ac99afbbcdd30f2b03283 (patch)
tree3d038649e391f176acee884190cb900564bfe506 /zkfacade
parent9cc12f086f2d1811558d9b2958b90a65e8d8d626 (diff)
Use a static variable to communicate
Some third party code somewhere is calling setProperties, wiping all properties set inside the VM at random times, so communicate through a static variable instead.
Diffstat (limited to 'zkfacade')
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java15
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java19
2 files changed, 26 insertions, 8 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
index 51c9ef681a1..1c60587b6e4 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
@@ -1,5 +1,6 @@
package com.yahoo.vespa.zookeeper;
+import com.google.common.collect.ImmutableSet;
import org.apache.zookeeper.server.NIOServerCnxn;
import org.apache.zookeeper.server.NIOServerCnxnFactory;
@@ -8,6 +9,7 @@ import java.net.InetSocketAddress;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.HashSet;
+import java.util.Optional;
import java.util.Set;
import java.util.logging.Logger;
@@ -29,16 +31,15 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException {
String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
- String zookeeperClients = System.getProperty(ZooKeeperServer.ZOOKEEPER_VESPA_CLIENTS_PROPERTY);
- if (zookeeperClients == null || zookeeperClients.isEmpty()) {
- log.fine("On " + Runtime.getRuntime().toString() + ": Allowing connection to ZooKeeper from " + remoteHost + ", as " + ZooKeeperServer.ZOOKEEPER_VESPA_CLIENTS_PROPERTY + " is not set");
+ Optional<ImmutableSet<String>> allowedZooKeeperClients = ZooKeeperServer.getAllowedClientHostnames();
+ if ( ! allowedZooKeeperClients.isPresent()) {
+ log.fine("Allowing connection to ZooKeeper from " + remoteHost + ", as allowed zooKeeper clients is not set");
return super.createConnection(socket, selection); // client checking is not activated
}
- Set<String> zooKeeperClients = toHostnameSet(zookeeperClients);
- if ( ! remoteHost.equals("localhost") && ! zooKeeperClients.contains(remoteHost)) {
+ if ( ! remoteHost.equals("localhost") && ! allowedZooKeeperClients.get().contains(remoteHost)) {
String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
- ": This cluster only allow connection from hosts in: " + zooKeeperClients;
+ ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients.get();
if ("true".equals(System.getenv("vespa_zkfacade__restrict"))) {
log.info(errorMessage);
throw new IllegalArgumentException(errorMessage);
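Review bot: The allow-list test `! allowedZooKeeperClients.get().contains(remoteHost)` decides on `remoteHost`, which comes from `getHostName()` on the peer address and may therefore be the result of a reverse DNS lookup answered by whoever controls the PTR record for the connecting IP; the `remoteHost.equals("localhost")` shortcut trusts the same string. Deciding on the address would remove that dependency: resolve the allowed hostnames to addresses when the set is installed, and accept loopback with `((InetSocketAddress) socket.getRemoteAddress()).getAddress().isLoopbackAddress()`. Also, a mismatch only throws when the environment variable `vespa_zkfacade__restrict` is `true`, so by default the check is advisory and deserves a comment saying so. createConnection's body continues past the end of this hunk.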
@@ -47,7 +48,7 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
log.fine("Would reject if activated: " + errorMessage);
}
}
- log.fine("On " + Runtime.getRuntime().toString()+ ": Allowing connection to ZooKeeper from " + remoteHost + ", as it is in " + zookeeperClients);
+ log.fine("Allowing connection to ZooKeeper from " + remoteHost + ", as it is in " + allowedZooKeeperClients.get());
return super.createConnection(socket, selection);
}
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
index f037e3c9265..f6219877f5e 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
@@ -1,6 +1,7 @@
// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;
+import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
@@ -9,7 +10,9 @@ import com.yahoo.vespa.defaults.Defaults;
import java.io.FileWriter;
import java.io.IOException;
+import java.util.Collection;
import java.util.List;
+import java.util.Optional;
/**
* Writes zookeeper config and starts zookeeper server.
@@ -19,7 +22,13 @@ import java.util.List;
*/
public class ZooKeeperServer extends AbstractComponent implements Runnable {
- public static final String ZOOKEEPER_VESPA_CLIENTS_PROPERTY = "zookeeper.vespa.clients";
+ /**
+ * The set of hosts which can access the ZooKeeper server in this VM, or empty
+ * to allow access from anywhere.
+ * This belongs logically to the server instance but must be static to make it accessible
+ * from RestrictedServerCnxnFactory, which is created by ZK through reflection.
+ */
+ private static volatile Optional<ImmutableSet<String>> allowedClientHostnames = Optional.empty();
private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(ZooKeeperServer.class.getName());
private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable";
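Review bot: The Javadoc on `allowedClientHostnames` says "or empty to allow access from anywhere", but with `Optional<ImmutableSet<String>>` there are two kinds of empty and they behave in opposite ways. In RestrictedServerCnxnFactory only `Optional.empty()` skips the check, while a present but empty set matches no host except localhost. I would word it as `or Optional.empty() to allow access from anywhere; a present but empty set admits only localhost`, and use the same wording on `getAllowedClientHostnames()` in the next hunk. The field also starts as `Optional.empty()`, so the VM is unrestricted until the setter has run, which is worth stating in the same comment.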
@@ -45,6 +54,14 @@ public class ZooKeeperServer extends AbstractComponent implements Runnable {
this(config, true);
}
+ /** Restrict access to this ZooKeeper server to the given client hosts */
+ public static void setAllowedClientHostnames(Collection<String> hostnames) {
+ allowedClientHostnames = Optional.of(ImmutableSet.copyOf(hostnames));
+ }
+
+ /** Returns the hosts which are allowed to access this ZooKeeper server, or empty to allow access from anywhere */
+ public static Optional<ImmutableSet<String>> getAllowedClientHostnames() { return allowedClientHostnames; }
+
private void writeConfigToDisk(ZookeeperServerConfig config) {
String cfg = transformConfigToString(config);
try (FileWriter writer = new FileWriter(Defaults.getDefaults().underVespaHome(config.zooKeeperConfigFile()))) {
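Review bot: `setAllowedClientHostnames` is a public static setter that silently replaces the process-wide allow list, so any code in the VM can widen or narrow ZooKeeper access with no record of it, much as the commit message describes for the system property. Logging each change would make that visible, e.g. `log.info("Allowed ZooKeeper client hostnames set to " + hostnames);` as the first line of the setter. The visible lines do not show where the setter is called relative to server start. If it can run after the server begins accepting connections, clients arriving in that window get the unrestricted default, and the Javadoc should say the list must be set before start.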