Conversation
The testOutstandingHandshakeLimit is flaky, I tried to fix it in this commit. - I added extra comments and did some restructuring in the code. - Avoiding to start unnecessary ZooKeeper servers for tests don't require it - Decreasing the number of client connections the test tries to initiate - Increasing the timeout to make sure the connections get established - Filtering the 'SyncConnected' events in the client watcher to make sure the given connection is really established before counting it I think the last two points above should fix the flakiness. I tried to run the test in docker, and before the fix it failed for me once in every 4-5 execution. After applying these changes I re-executed it 100 times without failure. If these fixes are not enough, then we can introduce some only-visible-by-test method to add sleep in the SSLHandshake process in the production code to force to have handshakes in parallel. However, it would be nice to avoid that. Let's hope that these fixes will be enough. Author: Mate Szalay-Beko <szalay.beko.mate@gmail.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@cloudera.com> Closes apache#1184 from symat/ZOOKEEPER-3651 (cherry picked from commit 20daae7) Signed-off-by: Enrico Olivelli <eolivelli@apache.org>
Author: sujithsimon22 <sujith.abraham.simon@huawei.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>,Mohammad Arshad <arshad@apache.org> Closes apache#1185 from sujithsimon22/master (cherry picked from commit 7c9a1e4) Signed-off-by: Mohammad Arshad <arshad@apache.org>
I have removed hadoop logo from header.html present in zookeeper-documentation and also the image hadoop-logo.jpg from images. Please do let me know if I have missed anything. Author: ravowlga123 <ravowlga@gmail.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Justin Ling Mao <maoling199210191@sina.com> Closes apache#1179 from ravowlga123/ZOOKEEPER-3648 (cherry picked from commit 56f508f) Signed-off-by: Enrico Olivelli <enrico.olivelli@diennea.com>
snapshot.trust.empty can be used in both zoo.cfg file (with name snapshot.trust.empty), and as a system property (with name zookeeper.snapshot.trust.empty). Author: Michael Han <lhan@twitter.com> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1178 from hanm/ZOOKEEPER-3056 (cherry picked from commit 04e91c3) Signed-off-by: Enrico Olivelli <enrico.olivelli@diennea.com>
This is the 2nd part of data consistency based on digest, it checks the DataTree digest on every txn during broadcast time. Author: Fangmin Lyu <fangmin@apache.org> Author: Enrico Olivelli <eolivelli@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Andor Molnar <andor@apache.org>, Michael Han <hanm@apache.org> Closes apache#1059 from lvfangmin/ZOOKEEPER-3512 (cherry picked from commit 2805e89) Signed-off-by: Enrico Olivelli <eolivelli@apache.org>
- add LICENSE files for Snappy and Metrics core - update Copyright year - copy airlift reference to the NOTICE file of the binary packages - copy the Java 8 disclaimer from branch-3.5 Author: Enrico Olivelli <eolivelli@apache.org> Reviewers: Andor Molnar <anmolnar@apache.org> Closes apache#1196 from eolivelli/fix/license-stuff
Batch mode never was implemented in `cli_mt`. This patch seems to work, but: 1. There may be a cleaner way of waiting for the completion; 2. ~~`nanosleep` is POSIX; the Windows path should probably use `Sleep`~~ (DONE). symat: Comments welcome. Author: Damien Diederen <dd@crosstwine.com> Reviewers: andor@apache.org Closes apache#1173 from ztzg/ZOOKEEPER-3640-implement-batch-mode-in-cli-mt (cherry picked from commit d7bc7b1) Signed-off-by: Andor Molnar <andor@apache.org>
Author: Colm O hEigeartaigh <coheigea@apache.org> Reviewers: eolivelli@apache.org, andor@apache.org Closes apache#1165 from coheigea/ZOOKEEPER-3638 (cherry picked from commit 178e8de) Signed-off-by: Andor Molnar <andor@apache.org>
As per [ZOOKEEPER-2083](https://jira.apache.org/jira/browse/ZOOKEEPER-2083) we need to remove class AuthFastLeaderElection.java so I made changes in Quorumpeer.java by removing two cases 1 and 2 present in createElectionAlgorithm as QuorumPeerconfig.electioalg is always 3. Please do let me know if anything additional needs to be done. Author: ravowlga123 <ravowlga@gmail.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Andor Molnar <anmolnar@apache.org>, Patrick Hunt <phunt@apache.org> Closes apache#1171 from ravowlga123/ZOOKEEPER-2083 (cherry picked from commit 590e3cb) Signed-off-by: Enrico Olivelli <enrico.olivelli@diennea.com>
As per the ticket [ZOOKEEEPER-3649](https://issues.apache.org/jira/browse/ZOOKEEPER-3649) we need to add line break ls -s command. To achieve the desired behavior I have added new line character in option.add of LsCommand.printChildren(). Please do let me know if made changes gives us the desired behavior or if anything else needs to be changed. Author: ravowlga123 <ravowlga@gmail.com> Reviewers: eolivelli@apache.org, andor@apache.org Closes apache#1183 from ravowlga123/ZOOKEEPER-3649 and squashes the following commits: f2e1997 [ravowlga123] ZOOKEEPER-3649 Removed additional new line from printChildren b36d636 [ravowlga123] ZOOKEEPER-3649 Add a line break in ls -s CLI (cherry picked from commit 570285a) Signed-off-by: Andor Molnar <andor@apache.org>
Removed Ls2Command.java, DeleteAllCommand.printdeprecatedwarning(), statements creating new objects for ls2 and rmr in ZookeeperMain.java. Updated zookeeperCLI.md and ZookeeperTest.java. Please do let me know if any additional changes are needed Author: ravowlga123 <ravowlga@gmail.com> Reviewers: andor@apache.org Closes apache#1175 from ravowlga123/ZOOKEEPER-3411 (cherry picked from commit 27b92ca) Signed-off-by: Andor Molnar <andor@apache.org>
….6.0 - use the same configuration as in Apache Parent Pom to generate the source tarball - drop the custom made configuration for the source tarball Author: Enrico Olivelli <enrico.olivelli@diennea.com> Reviewers: andor@apache.org Closes apache#1226 from eolivelli/fix/ZOOKEEPER-3695-source-tarball and squashes the following commits: 781d95e [Enrico Olivelli] Fix typo 21eac30 [Enrico Olivelli] Fix formatting and add comment 7eca978 [Enrico Olivelli] ZOOKEEPER-3695 Source release tarball does not match repository in 3.6.0 - use the same configuration as in Apache Parent Pom to generate the source tarball - drop the custom made configuration for the source tarball (cherry picked from commit 9053f7c) Signed-off-by: Andor Molnar <andor@apache.org>
…4j 1.2 deserialization of untrusted data in SocketServer Suppress error for CVE-2019-17571 as it does not affect us. We are not running the log4j server. Author: Enrico Olivelli <eolivelli@apache.org> Reviewers: phunt@apache.org Closes apache#1209 from eolivelli/fix/ZOOKEEPER-3677-owasp-log4j Change-Id: I0ef24a7b142cd32ccf4f5c18f9e0c0132a413d6c (cherry picked from commit 3bd6b19) Signed-off-by: Patrick Hunt <phunt@apache.org>
…ception Author: sujithsimon22 <sujith.abraham.simon@huawei.com> Reviewers: Mohammad Arshad <arshad@apache.org> Closes apache#1222 from sujithsimon22/3667 (cherry picked from commit 49ad75b) Signed-off-by: Mohammad Arshad <arshad@apache.org>
…when user accidentally includes spaces at the end of the value Author: sujithsimon22 <sujith.abraham.simon@huawei.com> Reviewers: Allan Lyu <fangmin@apache.org>,Justin Mao Ling <maoling199210191@sina.com>,Mohammad Arshad <arshad@apache.org> Closes apache#1190 from sujithsimon22/3613 (cherry picked from commit dcef1a6) Signed-off-by: Mohammad Arshad <arshad@apache.org>
Author: David Mollitor <dmollitor@apache.org> Reviewers: fangmin@apache.org, andor@apache.org Closes apache#1197 from belugabehr/ZOOKEEPER-3669 (cherry picked from commit 517ecde) Signed-off-by: Andor Molnar <andor@apache.org>
We had some issues about configuring Kerberos authentication with SSL, so I created some unit tests to verify that these features work together. The problem was originally reported on 3.5.5. There was some conflicts to backport the tests to 3.5, I will prepare a separate PR on that branch. Author: Mate Szalay-Beko <szalay.beko.mate@gmail.com> Author: Mate Szalay-Beko <mszalay@cloudera.com> Reviewers: eolivelli@apache.org, andor@apache.org Closes apache#1204 from symat/ZOOKEEPER-3482-master and squashes the following commits: 53194f5 [Mate Szalay-Beko] ZOOKEEPER-3482: update SASL related documentation 576ac0b [Mate Szalay-Beko] Merge remote-tracking branch 'apache/master' into ZOOKEEPER-3482-master 28da105 [Mate Szalay-Beko] ZOOKEEPER-3482: reload SASL and Kerberos configs before executing the tests 396c73e [Mate Szalay-Beko] ZOOKEEPER-3482: add unit tests for client SASL authentication over SSL (cherry picked from commit b7dd0e4) Signed-off-by: Andor Molnar <andor@apache.org>
Latest version of jackson-databind is 2.9.10.2. Change-Id: Id2b0f17c2dfa9a9765fd4893643007b49f06816d Author: Patrick Hunt <phunt@apache.org> Reviewers: Norbert Kalmar <nkalmar@apache.org> Closes apache#1232 from phunt/ZOOKEEPER-3699 (cherry picked from commit 2d29c56) Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
…ster locally When we tested RC 3.6.0, we had a problem of starting ZooKeeper cluster with large number (11+) of ensemble members locally on mac. We found exceptions in the logs when the new MultiAddress feature tries to filter the unreachable hosts from the address list. This involves the calling of the InetAddress.isReachable method with a default timeout of 500ms, which goes down to a native call in java and basically try to do a ping (an ICMP echo request) to the host. Naturally, the localhost should be always reachable. The problem was that on mac we have the ICMP rate limit set to 250 by default. In this patch we: - changed the reachability check behavior by disabling the check if there is only a single address provided (so we wouldn't be able to filter the unreachable addresses anyway). - added and documented a configuration parameter to disable the reachability check for testing. (default: enabled) - added and documented a configuration parameter to set the timeout for the reachability checks. (default: 1000ms) Author: Mate Szalay-Beko <szalay.beko.mate@gmail.com> Reviewers: eolivelli@apache.org, andor@apache.org Closes apache#1228 from symat/ZOOKEEPER-3698-branch-3.6
… to race Resurrecting an ancient ticket which could be fixed with a simple patch. Jira mentions a scenario when auto purging tool is in use and Zookeeper server could have a race condition when creating snapshot and data directories. (directory auto creating is enabled by default) Double checking the directory existence might help with it. Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1225 from anmolnar/ZOOKEEPER-1936 (cherry picked from commit 689c8b2) Signed-off-by: Enrico Olivelli <enrico.olivelli@diennea.com>
Upgrade to the latest version of maven dependency checker. Change-Id: I5ac9c77bb02f54784ff3ed4bb668fe38fd88ee11 Author: Patrick Hunt <phunt@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1231 from phunt/ZOOKEEPER-3704 (cherry picked from commit 1fbaa26) Signed-off-by: Enrico Olivelli <enrico.olivelli@diennea.com>
This PR is about adding SSL support for zkPython, based on the C-binding. I also fixed the zkpython ant build to work with the current maven top-level build. I also added a new python test case to try to connect to ZooKeeper with SSL. You can test this patch in the following way: ``` # cleanup everything, just to be on the safe side: git clean -xdf # on ubuntu 16.4 make sure you have the following packages installed apt-get install -y libcppunit-dev openssl libssl-dev python-setuptools python2.7 python2.7-dev # make a full build (incl. C-client) mvn clean install -DskipTests -Pfull-build # we only support python2, so e.g. on ubuntu 18.4 you need to switch to python2 update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 # compile and test zkpython cd zookeeper-contrib/zookeeper-contrib-zkpython/ ant compile ant test ``` Author: Mate Szalay-Beko <szalay.beko.mate@gmail.com> Reviewers: andor@apache.org Closes apache#1121 from symat/ZOOKEEPER-3567 and squashes the following commits: a5839cb [Mate Szalay-Beko] Merge remote-tracking branch 'apache/master' into ZOOKEEPER-3567 d25d610 [Mate Szalay-Beko] ZOOKEEPER-3567: fix build issues after top-level ant removal a8869c9 [Mate Szalay-Beko] Merge remote-tracking branch 'apache/master' into HEAD b92f686 [Mate Szalay-Beko] ZOOKEEPER-3567: fix license check issue 0150986 [Mate Szalay-Beko] ZOOKEEPER-3567: removing code duplication: re-use test SSL certificate generator from C-client tests 7d91359 [Mate Szalay-Beko] ZOOKEEPER-3567: add SSL support for zkpython (cherry picked from commit e4758ba) Signed-off-by: Andor Molnar <andor@apache.org>
**Thanks for Lincoln Lee for the original fix!**
In the current implementation, we always get a WARN in server side
("EndOfStreamException: Unable to read additional data from client")
whenever we close a zookeeper handler from the C client. This also happens
in the end of every execution of the command line C client.
The reason is that currently we don't wait for the response from the server
when we initiate the closing of the client connection, and we terminate
the socket on the client side too early.
I tested the patch both on linux and windows. I also tested it both with
NIO and Netty server side socket implementations.
Author: Mate Szalay-Beko <szalay.beko.mate@gmail.com>
Reviewers: Andor Molnar <andor@apache.org>, Norbert Kalmar <nkalmar@apache.org>
Closes apache#1176 from symat/ZOOKEEPER-1105
(cherry picked from commit 57be7ae)
Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
Issue described here: https://issues.apache.org/jira/browse/ZOOKEEPER-3701 Proposing a fix with catching `IOException` within the truncate method to properly return with `false` if truncate fails. Author: Andor Molnar <andor@apache.org> Author: Andor Molnar <andor@cloudera.com> Reviewers: Ivan Kelly <ivank@apache.org>, Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org> Closes apache#1233 from anmolnar/ZOOKEEPER-3701 (cherry picked from commit a4bc985) Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
…e all invalid - Purge task uses `FileTxnSnapLog#findNRecentSnapshot`, which's likely to lost data when the recent 3 snapshots are all invalid(a new valid snapshot has not generated yet) and at the same time, Purge task(`e.g ./zkCleanup.sh -n 3`) has started a new round work to clean up the preceding snapshots. we will lose all the data.that's a small probability events, but it's reproducible. - Overall, using `snaplog.findNValidSnapshots` to make sure the purge task tries to retain N valid snapshots(rather than N snapshots) to avoid a risk of data loss. - For the unit test, it's not easy to use the `mock` way for the following reasons: - when we want to test the `dataDir` which some Snapshots are valid, others not.Just writing a little data contents to the snapshot to make it valid/invalid has a better flexibility. - too much code changes in the `PurgeTxnTest.java`(pass the original UT) and `FileTxnSnapLog.java`(have some handles) - more details in the [ZOOKEEPER-3231](https://issues.apache.org/jira/browse/ZOOKEEPER-3231) Author: maoling <maoling199210191@sina.com> Reviewers: enixon@apache.org, andor@apache.org Closes apache#1079 from maoling/ZOOKEEPER-3231 and squashes the following commits: 674175b [maoling] setUp() & tearDown(). 472dfd3 [maoling] ZOOKEEPER-3231:Purge task may lost data when the recent snapshots are all invalid (cherry picked from commit 2abdfbc) Signed-off-by: Andor Molnar <andor@apache.org>
….6.0 - part2 - upgrade to Apache Parent 23 - disable maven remote plugin - move source assembly execution before sources generation - move git properties resolution to the correct phase Author: Enrico Olivelli <eolivelli@apache.org> Reviewers: Norbert Kalmar <nkalmar@apache.org> Closes apache#1238 from eolivelli/fix/ZOOKEEPER-3695-part2 (cherry picked from commit d3ce1fa) Signed-off-by: Enrico Olivelli <eolivelli@apache.org>
Author: David Mollitor <dmollitor@apache.org> Reviewers: eolivelli@apache.org, andor@apache.org Closes apache#1240 from belugabehr/ZOOKEEPER-3708 (cherry picked from commit 68e1f7d) Signed-off-by: Andor Molnar <andor@apache.org>
The backup status file stored in statusDir for ZooKeeper backup is used to coordinate between snapshot and TxLog backup processes. It is used in case of failure or restart so that the respective threads can pick up where they left off before restarting. This commit adds timetable to the status file so that in case of restart, the timetable backup process will also pick up where it left off and retry any temporary timetable backup files on the backup server.
This commit adds a tool called RestoreFromBackupTool to allow restoration of snapshots and transaction logs to a certain zxid restoration point. This tool is going to be used together with a ZK CLI where user can input commands to restore.
The previous build was erroneously merged into master without rebasing, which caused a build failure. This commit fixes this.
Timetable backup is supported as part of ZooRestore in order to enable users to restore to a point in time using a timestamp value. Since the timetable backup process is similar to snapshot and transaction log backups, we need metrics to monitor whether the backup of timetable metadata is working correctly. This commit adds the necessary metrics. test3_TimetableBackupMBean has been added to the existing BackupBeanTest class.
Namespace is not necessary in the backup bean's name because each application will have a host-level isolation when backup is enabled; in other words, we shouldn't see logically isolated hosts serving backup for multiple apps/namespaces/ZK quorums. Therefore, it is possible to do a hostname-based lookup to identify which app (namespace) an emitted metric stands for. So this commit removes the namespace string from the metric name.
The log in initialize() had the names mixed up between BackupBean and TimetableBackupBean. This commit fixes this.
This commit adds a CLI command to ZooKeeperMain, and it will allow zk admin to run commands on a machine to restore the backed-up zk snapshot and transaction log files up until a specified zxid or timestamp from backup storage to a local path. This enables the offline restoration of a zk server node to a desired time/zxid.
This commit includes several improvements on loggings for the zk restoration tool to enhance the restoration user experience. 1. Add an option -h to CLI that displays all command options and descriptions 2. Differentiate between insufficient backup files and IO errors, only retry for IO errors 3. Clearly display which timestamp we actually restore to. The message looks like "Restoring to 04/13/2021 14:29:09, original request was to restore to 04/13/2021 14:29:09". 4. Improve log message when given timestamp is out of range. The new error message looks like "TimetableUtil::findLastZxidFromTimestamp(): timestamp given 55 is not in the timestamp range [10 ,50] given in the backup files!"
…pache#48) ZOOKEEPER-4281: Allow packet of max packet length to be deserialized ### Problem Resolves https://issues.apache.org/jira/browse/ZOOKEEPER-4281 There are sanity checks for packet size when deserializing a packet. One place has the inclusion: len >= packetLen. It rejects to deserialize the bytes that are exactly sized jute.maxbuffer. It's confusing. This check should use ">" so the maxbuffer length packet can still be deserialized, like the other checks. ``` if (len < 0 || len >= packetLen) { throw new IOException("Packet len " + len + " is out of range!"); } ``` ### Solution Change: `len >= packetLen` -> `len > packetLen` ``` if (len < 0 || len > packetLen) { ``` Author: Huizhi Lu <5187721+pkuwm@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mohammad Arshad <arshad@apache.org>, Michael Han <hanm@apache.org> Closes apache#1683 from pkuwm/maxPacketLength
This commit adds a check on wether the restoration destination directories specified by the user are empty or not, and adds a "-f" overwrite option to zk CLI "restore" command to enable restoration to be done while they are not empty. A. If the destination directories are empty -> restoration will be run. B. If the destination directories are not empty (a) If "-f" option is specified -> Prompt to user to confirm if they want to overwrite the directories by typing "yes" or "no" (1) User types "yes" -> restoration will be run. Destination directories are cleared out and restored files will be written to the directories. A list of file names of files existing inside the destination directories before restoration will be logged for reference. (2) User types "no" -> exit the program, restoration will not be run (3) User types responses other than "yes" or "no" -> Keep prompting to user asking for confirmation (b) If "-f" option is not specified -> exit the program, restoration will not be run
Changelist: 1. Bintray is deprecated and will no longer work as an artifact management service. This commit replaces Bintray-related workflows and settings with JFrog. 2. Change the id for maven jar plugin's execution so that the test JAR doesn't get published twice. 3. Update dist-management.diff with JFrog credentials
…e#50) ZooSave & ZooRestore, a new feature that enables server-side ZooKeeper snapshot backup, has its own naming scheme for naming backup files (mostly adding an ending ZXID interval). However, this naming scheme was not compatible with the newly-introduced feature to the upstream ZooKeeper main branch for snapshot compression. This is because snapshot compression appends a StreamMode extension if it is enabled. This commit modifies the backup naming logic so that it considers the case where snapshot compression is enabled and thus the snapshot files on the server have a StreamMode extension. It also updates the BackupFileInfo initialization logic so that when the backed up snapshots are read back in, their standard names are populated correctly. A test is added in BackupManagerTest: testBackupFileNamingOnStreamingMode().
This commit adds a spot restoration tool which does the following: 1. Construct a zk data tree from a provided collection of snapshot and transaction log files 2. Restore the value of a znode with user specified path, and its sub data tree as well if requested by user
This commit integrates the SpotRestorationTool to RestoreFromBackupTool: when user triggers a restore command using ZK CLI, if a znode path is specific, it will run spot restoration on top of an offline restoration of backup files, the spot restoration will use the restored backup files.
This commit adds an optional logic path that allows the ZK server to populate ServerCnxn.authInfo using a field from SAN instead of using the vanilla Subject DN of the client x509 certificate. 4 JVM property fields have been added and can be used to enable SAN-based authentication using regex for matching and extracting from the matched SAN field. A test case has been added to X509AuthTest that specifically tests the SAN-based client ID extraction.
…9 auth provider (apache#56) In order to allow for greater flexibility in extracting a part of the string given in the SAN in the client certificate in X509AuthenticationProvider, this commit adds another JVM parameter for specifying Java regex Matcher Group index. X509AuthTest still has coverage of this logic. Also, 1) internal enum names have been renamed for better readability (spaced with underscores), and 2) the test case has been enhanced with a more complicated regex with a Matcher group index.
This is because the upstream (open-source) ZK has explicitly excluded the use of commons-lang3. No logical change.
…e#57) This commit adds a helper class for looking up the domain name for the client connection. It uses the client's Uniform Resource Identifier (URI) to look up the application domain it belongs to. It also implements a ZK-based helper where the mapping is stored within ZKDatabase itself so that the owners can read it from ZK and update as needed. This commit also includes relevant unit tests.
For znode group acl, the znodes created by authenticated clients will almost always be given the acl with a scheme x509 and their client Id (resolved in the authentication provider). This feature allows these znodes to be created with that scheme on the server-side if enabled, so that the clients do not have to explicitly set it using ZooDefs.Ids.CREATOR_ALL_ACL.
New class: X509ZNodeGroupAclProvider, X509AuthenticationUtil Added test: X509ZNodeGroupAclProviderTest Added an x509-based ServerAuthenticationProvider implementation that does both authentication and authorization for protecting znodes from unauthorized access. Znodes are grouped into domains according to their ownership, and clients are granted access permission to domains.
…dated. (apache#61) This PR aims to introduce an automatic AuthInfo update logic which is triggered on ZNodeGroupAcl domain information change. The update method relies on the internal watcher that listens on the ZNodeGroupAcl domain znode. The additional authorization (as well as the automatic update) logic is executed on top of the authentication logic. Authorization failure won't impact the authentication result. The new change is covered by X509ZNodeGroupAclProviderTest.testAuthInfoAutoUpdate.
This commit add one more test for super user case for X509ZnodeGroupAclProvider. There are two cases where a user is granted as super user: (1) User URI matches with the super user URI (2) User URI is mapped to a super user domain. The previous test only covers (2), this commits add test for (1).
This commits adds an optional feature defined by configuration property "zookeeper.ssl.znodeGroupAcl.dedicatedDomain". If the server is a dedicated server that only serves one domain, the name of the resource is made the "dedicatedDomain" of the server. The server will decline the connection requests from client who belongs to a domain that does not match with the server's dedicated domain, only allow connection to be established with client belong to the dedicated domain. Usually this feature is combined with "auto-set ACL" to be false, so all the znodes created on dedicated server will be getting OPEN_ACL_UNSAFE ACL, meaning that read/write access to these znodes is open to all the clients connected to this server. Added test X509ZNodeGroupAclProviderTest.testConnectionFiltering
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.