From 2646f013429f13a861702b8eb01ddfda0e2ea9be Mon Sep 17 00:00:00 2001
From: Harald Musum
Date: Tue, 23 Oct 2018 15:20:41 +0200
Subject: No need for restricting access to zookeeper in hosted vespa

Access restrictions handled by other means
---
 .../zookeeper/RestrictedServerCnxnFactory.java | 8 ++++----
 .../com/yahoo/vespa/zookeeper/ZooKeeperServer.java | 22 +++-------------------
 .../yahoo/vespa/zookeeper/ZooKeeperServerTest.java | 3 +--
 3 files changed, 8 insertions(+), 25 deletions(-)
(limited to 'zkfacade/src')
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
index d7f42c7e6e9..dab9ddb243b 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/RestrictedServerCnxnFactory.java
@@ -16,7 +16,8 @@ import java.util.Set;
 import java.util.logging.Logger;
 /**
- * This class is created by zookeeper by reflection, see the ZooKeeperServer constructor.
+ * This class is created by zookeeper by reflection, see the ZooKeeperServer constructor. It will only work
+ * when using ZooKeeper 3.4
 *
 * @author bratseth
 */
@@ -66,9 +67,8 @@ public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
 String environmentAllowedZooKeeperClients = System.getenv("vespa_zkfacade__restrict");
 if (environmentAllowedZooKeeperClients != null)
 return ImmutableSet.copyOf(toHostnameSet(environmentAllowedZooKeeperClients));
-
- // No environment setting -> use static field
- return ZooKeeperServer.getAllowedClientHostnames();
+ else
+ return ImmutableSet.of();
 }
 private Set toHostnameSet(String hostnamesString) {
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
index 405afcd3c39..fc0b8d35d9e 100644
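Review bot: In the second hunk of RestrictedServerCnxnFactory.java the new `else` branch returns `ImmutableSet.of()` whenever `vespa_zkfacade__restrict` is unset, and the only visible statement that an empty set means "allow access from anywhere" is the Javadoc this same commit deletes from ZooKeeperServer, so the fail-open default ends up undocumented. Add a comment at the return, for example `// Empty set: no hostname filtering, access control must be enforced outside this factory`, and name the mechanism the commit message refers to as "other means" in the class Javadoc. Logging once at startup when the allow-list is empty would let operators notice a server running without the filter. The `else` after `return` is redundant and can be dropped. The enclosing method starts above the hunk.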
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperServer.java
@@ -1,9 +1,7 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.zookeeper;
-import com.google.common.collect.ImmutableSet;
 import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.cloud.config.ZookeeperServerConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.log.LogLevel;
@@ -23,29 +21,18 @@ import java.util.stream.Collectors;
 */
 public class ZooKeeperServer extends AbstractComponent implements Runnable {
- /**
- * The set of hosts which can access the ZooKeeper server in this VM, or empty
- * to allow access from anywhere.
- * This belongs logically to the server instance and is final, but must be static to make it accessible
- * from RestrictedServerCnxnFactory, which is created by ZK through reflection.
- */
- private static ImmutableSet allowedClientHostnames = ImmutableSet.of();
-
 private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(ZooKeeperServer.class.getName());
 private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable";
 static final String ZOOKEEPER_JUTE_MAX_BUFFER = "jute.maxbuffer";
 private final Thread zkServerThread;
 private final ZookeeperServerConfig zookeeperServerConfig;
- ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, ConfigserverConfig configserverConfig, boolean startServer) {
+ ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, boolean startServer) {
 this.zookeeperServerConfig = zookeeperServerConfig;
 System.setProperty("zookeeper.jmx.log4j.disable", "true");
 System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, "" + zookeeperServerConfig.juteMaxBuffer());
 System.setProperty("zookeeper.serverCnxnFactory", "com.yahoo.vespa.zookeeper.RestrictedServerCnxnFactory");
- if (configserverConfig.hostedVespa()) // restrict access to config servers only
- allowedClientHostnames = ImmutableSet.copyOf(zookeeperServerHostnames(zookeeperServerConfig));
-
 writeConfigToDisk(zookeeperServerConfig);
 zkServerThread = new Thread(this, "zookeeper server");
 if (startServer) {
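Review bot: The deleted `if (configserverConfig.hostedVespa())` branch is the only call to `zookeeperServerHostnames(zookeeperServerConfig)` visible in this patch, and no hunk removes that helper, so it may now be unused; if it is, delete it in the same commit rather than leaving code that suggests a hostname allow-list is still derived from the server config. The constructor also keeps installing `RestrictedServerCnxnFactory` through `zookeeper.serverCnxnFactory`, so a short comment on that line, such as `// Filters clients only when vespa_zkfacade__restrict is set`, would keep the class name from implying a restriction that is no longer applied by default. The constructor body continues past the end of the hunk.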
@@ -54,13 +41,10 @@ public class ZooKeeperServer extends AbstractComponent implements Runnable {
 }
 @Inject
- public ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig, ConfigserverConfig configserverConfig) {
- this(zookeeperServerConfig, configserverConfig, true);
+ public ZooKeeperServer(ZookeeperServerConfig zookeeperServerConfig) {
+ this(zookeeperServerConfig, true);
 }
- /** Returns the hosts which are allowed to access this ZooKeeper server, or empty to allow access from anywhere */
- public static ImmutableSet getAllowedClientHostnames() { return allowedClientHostnames; }
-
 private void writeConfigToDisk(ZookeeperServerConfig config) {
 String configFilePath = getDefaults().underVespaHome(config.zooKeeperConfigFile());
 new File(configFilePath).getParentFile().mkdirs();
diff --git a/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java b/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
index 626e5bf0627..c0df238c1f4 100644
--- a/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
+++ b/zkfacade/src/test/java/com/yahoo/vespa/zookeeper/ZooKeeperServerTest.java
@@ -1,7 +1,6 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.zookeeper;
-import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.cloud.config.ZookeeperServerConfig;
 import com.yahoo.io.IOUtils;
 import org.junit.Rule;
@@ -54,7 +53,7 @@ public class ZooKeeperServerTest {
 }
 private void createServer(ZookeeperServerConfig.Builder builder) {
- new ZooKeeperServer(new ZookeeperServerConfig(builder), new ConfigserverConfig(new ConfigserverConfig.Builder()), false);
+ new ZooKeeperServer(new ZookeeperServerConfig(builder), false);
 }
 @Test(expected = RuntimeException.class)
--
cgit v1.2.3