blob: d9c85f0cd1bf4a1e62ede512f45b31d96efd4c9b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
package com.yahoo.vespa.zookeeper;
import com.google.common.collect.ImmutableSet;
import org.apache.zookeeper.server.NIOServerCnxn;
import org.apache.zookeeper.server.NIOServerCnxnFactory;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* This class is created by zookeeper by reflection, see the ZooKeeperServer constructor.
*
* @author bratseth
*/
@SuppressWarnings("unused")
public class RestrictedServerCnxnFactory extends NIOServerCnxnFactory {
private static final Logger log = Logger.getLogger(RestrictedServerCnxnFactory.class.getName());
public RestrictedServerCnxnFactory() throws IOException {
super();
}
@Override
protected NIOServerCnxn createConnection(SocketChannel socket, SelectionKey selection) throws IOException {
ImmutableSet<String> allowedZooKeeperClients = findAllowedZooKeeperClients();
String remoteHost = ((InetSocketAddress)socket.getRemoteAddress()).getHostName();
if (isLocalHost(remoteHost)) return super.createConnection(socket, selection); // always allow localhost
if (allowedZooKeeperClients.isEmpty()) return super.createConnection(socket, selection); // inactive: allow all
if (allowedZooKeeperClients.contains(remoteHost)) return super.createConnection(socket, selection); // allowed
// Not allowed: Reject connection
String errorMessage = "Rejecting connection to ZooKeeper from " + remoteHost +
": This cluster only allow connection from hosts in: " + allowedZooKeeperClients;
log.info(errorMessage);
throw new IllegalArgumentException(errorMessage); // log and throw as this exception will be suppressed by zk
}
/** Returns the allowed client host names. If the list is empty any host is allowed. */
private ImmutableSet<String> findAllowedZooKeeperClients() {
// Environment has precedence. Note that this allows setting restrict to "" to turn off client restriction
String environmentAllowedZooKeeperClients = System.getenv("vespa_zkfacade__restrict");
if (environmentAllowedZooKeeperClients != null)
return ImmutableSet.copyOf(toHostnameSet(environmentAllowedZooKeeperClients));
// No environment setting -> use static field
return ZooKeeperServer.getAllowedClientHostnames();
}
private Set<String> toHostnameSet(String commaSeparatedString) {
Set<String> hostnames = new HashSet<>();
for (String hostname : commaSeparatedString.split(",")) {
if ( ! hostname.trim().isEmpty())
hostnames.add(hostname.trim());
}
return hostnames;
}
private boolean isLocalHost(String remoteHost) {
if (remoteHost.equals("localhost")) return true;
if (remoteHost.equals("localhost.localdomain")) return true;
return false;
}
}
|
