Diffstat (limited to 'zkfacade')
-rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java | 15 | ||||
-rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java | 19 |
2 files changed, 26 insertions, 8 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
index 51c9ef681a1..1c60587b6e4 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
@@ -1,5 +1,6 @@
 package com.yahoo.vespa.zookeeper;
+import com.google.common.collect.ImmutableSet;
 import org.apache.zookeeper.server.NIOServerCnxn;
 import org.apache.zookeeper.server.NIOServerCnxnFactory;
@@ -8,6 +9,7 @@ import java.net.InetSocketAddress;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.SocketChannel;
 import java.util.HashSet;
+import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Logger;
@@ -29,16 +31,15 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
 protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException {
 String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
- String zookeeperClients = System.getProperty(ZooKeeperServer.ZOOKEEPER_VESPA_CLIENTS_PROPERTY);
- if (zookeeperClients == null || zookeeperClients.isEmpty()) {
- log.fine("On " + Runtime.getRuntime().toString() + ": Allowing connection to ZooKeeper from " + remoteHost + ", as " + ZooKeeperServer.ZOOKEEPER_VESPA_CLIENTS_PROPERTY + " is not set");
+ Optional<ImmutableSet<String>> allowedZooKeeperClients = ZooKeeperServer.getAllowedClientHostnames();
+ if ( ! allowedZooKeeperClients.isPresent()) {
+ log.fine("Allowing connection to ZooKeeper from " + remoteHost + ", as allowed zooKeeper clients is not set");
 return super.createConnection(socket, selection); // client checking is not activated
 }
- Set<String> zooKeeperClients = toHostnameSet(zookeeperClients);
- if ( ! remoteHost.equals("localhost") && ! zooKeeperClients.contains(remoteHost)) {
+ if ( ! remoteHost.equals("localhost") && ! allowedZooKeeperClients.get().contains(remoteHost)) {
 String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
- ": This cluster only allow connection from hosts in: " + zooKeeperClients;
+ ": This cluster only allow connection from hosts in: " + allowedZooKeeperClients.get();
 if ("true".equals(System.getenv("vespa_zkfacade__restrict"))) {
 log.info(errorMessage);
 throw new IllegalArgumentException(errorMessage);
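Review bot: An allowlist that is present but empty is now treated as active, so with `vespa_zkfacade__restrict` set to true every non-localhost connection is rejected, whereas the removed code treated an empty `zookeeper.vespa.clients` value as "checking not activated" (`zookeeperClients.isEmpty()`); the new `isPresent()` guard on the `allowedZooKeeperClients` line only covers the Optional itself being empty, and `setAllowedClientHostnames` in ZooKeeperServer does produce a present, empty set from an empty collection. If that tightening is intended, say so next to the early return, e.g. `// client checking is not activated; a present but empty set rejects all remote hosts`; if not, the guard should read `if ( ! allowedZooKeeperClients.isPresent() || allowedZooKeeperClients.get().isEmpty()) {`. With the `toHostnameSet` call gone from this method, that helper and the `HashSet`/`Set` imports are presumably unused now — its definition is outside the hunk, so confirm before removing. createConnection continues past the end of this hunk.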
@@ -47,7 +48,7 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
 log.fine("Would reject if activated: " + errorMessage);
 }
 }
- log.fine("On " + Runtime.getRuntime().toString()+ ": Allowing connection to ZooKeeper from " + remoteHost + ", as it is in " + zookeeperClients);
+ log.fine("Allowing connection to ZooKeeper from " + remoteHost + ", as it is in " + allowedZooKeeperClients.get());
 return super.createConnection(socket, selection);
 }
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
index f037e3c9265..f6219877f5e 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
@@ -1,6 +1,7 @@
 // Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.zookeeper;
+import com.google.common.collect.ImmutableSet;
 import com.google.inject.Inject;
 import com.yahoo.cloud.config.ZookeeperServerConfig;
 import com.yahoo.component.AbstractComponent;
@@ -9,7 +10,9 @@ import com.yahoo.vespa.defaults.Defaults;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.List;
+import java.util.Optional;
 /**
 * Writes zookeeper config and starts zookeeper server.
@@ -19,7 +22,13 @@ import java.util.List;
 */
 public class ZooKeeperServer extends AbstractComponent implements Runnable {
- public static final String ZOOKEEPER_VESPA_CLIENTS_PROPERTY = "zookeeper.vespa.clients";
+ /**
+ * The set of hosts which can access the ZooKeeper server in this VM, or empty
+ * to allow access from anywhere.
+ * This belongs logically to the server instance but must be static to make it accessible
+ * from RestrictedServerCnxnFactory, which is created by ZK through reflection.
+ */
+ private static volatile Optional<ImmutableSet<String>> allowedClientHostnames = Optional.empty();
 private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(ZooKeeperServer.class.getName());
 private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable";
@@ -45,6 +54,14 @@ public class ZooKeeperServer extends AbstractComponent implements Runnable {
 this(config, true);
 }
+ /** Restrict access to this ZooKeeper server to the given client hosts */
+ public static void setAllowedClientHostnames(Collection<String> hostnames) {
+ allowedClientHostnames = Optional.of(ImmutableSet.copyOf(hostnames));
+ }
+
+ /** Returns the hosts which are allowed to access this ZooKeeper server, or empty to allow access from anywhere */
+ public static Optional<ImmutableSet<String>> getAllowedClientHostnames() { return allowedClientHostnames; }
+
+
 private void writeConfigToDisk(ZookeeperServerConfig config) {
 String cfg = transformConfigToString(config);
 try (FileWriter writer = new FileWriter(Defaults.getDefaults().underVespaHome(config.zooKeeperConfigFile()))) { |
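Review bot: The Javadoc on `allowedClientHostnames` says "or empty to allow access from anywhere", which is ambiguous between an empty Optional and an empty set, and the two behave oppositely: `Optional.empty()` makes RestrictedServerCnxnFactory skip the check entirely, while a present but empty set (what `setAllowedClientHostnames` builds from an empty collection) matches no remote host. Suggest `or Optional.empty() (the default) to allow access from anywhere; a present but empty set admits only localhost`. The getter Javadoc in the next hunk repeats the same wording and should be adjusted with it.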
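Review bot: `setAllowedClientHostnames` validates nothing: `ImmutableSet.copyOf(hostnames)` throws NullPointerException on a null collection or null element, and once a set is installed there is no way back to the unrestricted default. Because the field is process-wide and the setter is public static, any code in the VM can widen the allowlist unnoticed; suggest `Objects.requireNonNull(hostnames, "hostnames");` (needs `java.util.Objects`) and an info-level `log` line of the installed set in the setter, so changes to the restriction are visible in the server log. Removing the public constant `ZOOKEEPER_VESPA_CLIENTS_PROPERTY` also means any caller still setting that system property is silently ignored and checking stays off; the diffstat is limited to zkfacade, so confirm the callers were moved to the new setter elsewhere in this commit.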