Diffstat (limited to 'zkfacade')
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java33
1 files changed, 23 insertions, 10 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
index 4c30e125d74..bababa9a25c 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
@@ -29,18 +29,31 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
@Override
protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException {
- ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients();
- String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
+ NIOServerCnxn ret = super.createConnection(socket, selection);
+ validateRemoteOrClose(socket);
+ return ret;
+ }
+
+ private void validateRemoteOrClose(SocketChannel socket) {
+ try {
+ String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
+
+ if (isLocalHost(remoteHost)) return; // always allow localhost
- if (isLocalHost(remoteHost)) return super.createConnection(socket, selection); // always allow localhost
- if (allowedZooKeeperClients.isEmpty()) return super.createConnection(socket, selection); // inactive: allow all
- if (allowedZooKeeperClients.contains(remoteHost)) return super.createConnection(socket, selection); // allowed
+ ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients();
- // Not allowed: Reject connection
- String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
- ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients;
- log.info(errorMessage);
- throw new IllegalArgumentException(errorMessage); // log and throw as this exception will be suppressed by zk
+ if (allowedZooKeeperClients.isEmpty()) return; // inactive: allow all
+ if (allowedZooKeeperClients.contains(remoteHost)) return; // allowed
+
+ // Not allowed: Reject connection
+ String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
+ ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients;
+ log.info(errorMessage);
+ socket.shutdownInput();
+ socket.shutdownOutput();
+ } catch (Exception e) {
+ log.warning("Unexpected exception: "+e);
+ }
}
/** Returns the allowed client host names. If the list is empty any host is allowed. */
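Review bot: The `catch (Exception e)` at the end of `validateRemoteOrClose` makes the client allowlist fail open: if `socket.getRemoteAddress()` or `findAllowedZooKeeperClients()` throws, the method only logs `"Unexpected exception: "` and `createConnection` still returns a live connection for a host that was never checked. The error path should reject as well, for example by moving the `socket.shutdownInput(); socket.shutdownOutput();` pair into a small private helper that both the reject branch and the catch block call. On the reject branch itself the channel is only shut down in each direction, not closed, and `ret` is still handed back to the caller, so whether the already-created `NIOServerCnxn` is torn down promptly depends on ZooKeeper code not visible in this hunk; `socket.close()` would match the method name. The comparison also still keys on `getHostName()`, which is a reverse lookup of the peer address, so the check is only as trustworthy as the resolver answering it; a comment on `validateRemoteOrClose` stating that assumption would help.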