diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProvider.java
index 20bcbe61ced..291ef6a54d6 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProvider.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProvider.java
@@ -19,8 +19,10 @@ package org.apache.zookeeper.server.auth.znode.groupacl;
 import java.util.Collections;
+import java.util.stream.Collectors;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.List;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
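Review bot: The two new imports are inserted out of alphabetical order within the `java.util` group — `java.util.stream.Collectors` lands between `Collections` and `HashSet`, and `java.util.List` after `Set`. Ordering them `Collections`, `HashSet`, `List`, `Set`, then `stream.Collectors` keeps the group consistent with the surrounding lines and avoids an import-order complaint if checkstyle enforces one in this module.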
@@ -216,9 +218,19 @@ private void assignAuthInfo(ServerCnxn cnxn, String clientId, Set domain
 String superUser = X509AuthenticationConfig.getInstance().getZnodeGroupAclSuperUserId();
 Set newAuthIds = new HashSet<>();
+
+ // Find interesecting super user domains/cross domains from provided domains list
+ List commonSuperUserDomains =
+ superUserDomainNames.stream().filter(domains::contains).collect(Collectors.toList());
+
 // Check if user belongs to super user group
 if (clientId.equals(superUser)) {
 newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, clientId));
+ } else if (!commonSuperUserDomains.isEmpty()) {
+ // For cross domain components, add (super:domainName) in authInfo
+ // "super" scheme gives access to all znodes without checking znode ACL vs authorized domain name
+ commonSuperUserDomains.stream().forEach(d ->
+ newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, d)));
 } else if (X509AuthenticationConfig.getInstance().isZnodeGroupAclDedicatedServerEnabled()) {
 // If connection filtering feature is turned on, use connection filtering instead of normal authorization
 String serverNamespace = X509AuthenticationConfig.getInstance().getZnodeGroupAclServerDedicatedDomain();
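Review bot: The new `else if (!commonSuperUserDomains.isEmpty())` branch is evaluated before `isZnodeGroupAclDedicatedServerEnabled()`, so a client whose domains intersect `superUserDomainNames` now receives `super:` ids even when dedicated-server connection filtering is turned on, whereas the removed block in the next hunk only granted super-domain ids inside the final, non-filtering `else`. If letting cross-domain clients bypass connection filtering is intended, say so in the comment on the branch; if not, the branch belongs below the dedicated-server check. A client presenting both a super-user domain and ordinary domains also now gets only `super:` ids where it previously received `x509:` ids for the ordinary domains as well — not an authorization loss given the comment that `super` grants access to all znodes, but worth confirming if anything downstream looks at `authInfo` by scheme. Minor: `interesecting` → `intersecting` in the comment, and `commonSuperUserDomains.stream().forEach(...)` here and `domains.stream().forEach(...)` in the next hunk can call `forEach` on the collection directly. The enclosing `assignAuthInfo` continues outside the hunk.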
@@ -235,16 +247,8 @@ private void assignAuthInfo(ServerCnxn cnxn, String clientId, Set domain
 cnxn.close(ServerCnxn.DisconnectReason.SSL_AUTH_FAILURE);
 }
 } else {
- domains.forEach(d -> {
- // For cross domain components, add (super:domainName) in authInfo
- // "super" scheme gives access to all znodes without checking znode ACL vs authorized domain name
- if (superUserDomainNames.contains(d)) {
- newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, d));
- } else {
- // For other cases, add (x509:domainName) in authInfo
- newAuthIds.add(new Id(getScheme(), d));
- }
- });
+ // For other cases, add (x509:domainName) in authInfo
+ domains.stream().forEach(d -> newAuthIds.add(new Id(getScheme(), d)));
 }
 // Update the existing connection AuthInfo accordingly.
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProviderTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProviderTest.java
index 2fcea1e21f4..e0005bee678 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProviderTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProviderTest.java
@@ -60,7 +60,7 @@ public class X509ZNodeGroupAclProviderTest extends ZKTestCase {
 private TestNIOServerCnxnFactory serverCnxnFactory;
 private ZooKeeper admin;
 private static final String AUTH_PROVIDER_PROPERTY_NAME = "zookeeper.authProvider.x509";
- private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/_CLIENT_URI_DOMAIN_MAPPING";
+ private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/zookeeper/uri-domain-map";
 private static final String[] MAPPING_PATHS = {CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH,
 CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH + "/CrossDomain",
 CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH + "/CrossDomain/CrossDomainUser",
@@ -264,6 +264,17 @@ public void testConnectionFiltering() {
 Assert.assertEquals("super", authInfo.get(0).getScheme());
 Assert.assertEquals("SuperUser", authInfo.get(0).getId());
 System.clearProperty(X509AuthenticationConfig.DEDICATED_DOMAIN);
+
+ // Cross domain components
+ provider = createProvider(crossDomainCert);
+ cnxn = new MockServerCnxn();
+ cnxn.clientChain = new X509Certificate[]{crossDomainCert};
+ Assert.assertEquals(KeeperException.Code.OK, provider
+ .handleAuthentication(new ServerAuthenticationProvider.ServerObjs(zks, cnxn), new byte[0]));
+ authInfo = cnxn.getAuthInfo();
+ Assert.assertEquals(1, authInfo.size());
+ Assert.assertEquals("super", authInfo.get(0).getScheme());
+ Assert.assertEquals("CrossDomain", authInfo.get(0).getId());
 }
 private X509ZNodeGroupAclProvider createProvider(X509Certificate trustedCert) {
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/ZkClientUriDomainMappingHelperTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/ZkClientUriDomainMappingHelperTest.java
index a63fb0257bd..f2063fa770b 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/ZkClientUriDomainMappingHelperTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/ZkClientUriDomainMappingHelperTest.java
@@ -49,7 +49,7 @@ public class ZkClientUriDomainMappingHelperTest extends ZKTestCase {
 private static final Logger LOG = LoggerFactory.getLogger(ZkClientUriDomainMappingHelperTest.class);
 private static final String HOSTPORT = "127.0.0.1:" + PortAssignment.unique();
- private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/_CLIENT_URI_DOMAIN_MAPPING";
+ private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/zookeeper/uri-domain-map";
 private static final int CONNECTION_TIMEOUT = 300000;
 private static final String[] MAPPING_PATHS = {
 CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH,
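Review bot: The new cross-domain assertions run after `System.clearProperty(X509AuthenticationConfig.DEDICATED_DOMAIN)`, so they only cover the cross-domain branch with connection filtering off and never exercise the precedence the provider change introduces, where cross-domain `super:` ids are now assigned before the dedicated-server check. A companion case with `DEDICATED_DOMAIN` still set, asserting whether a cross-domain client is filtered or granted `super:`, would pin that behaviour whichever way it is meant to go. Since these lines are no longer about filtering, they read better as their own test method (say `testCrossDomainAuthInfo`) than as a tail on `testConnectionFiltering`, whose start lies outside the hunk.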
@@ -108,16 +108,6 @@ public void cleanUp() throws InterruptedException, IOException, KeeperException
 ClientBase.waitForServerDown(HOSTPORT, CONNECTION_TIMEOUT));
 }
- /**
- * Mapping root path hasn't been created - should create the node automatically
- */
- @Test
- public void testA_ZkClientUriDomainMappingHelper() {
- new ZkClientUriDomainMappingHelper(zookeeperServer);
- Assert.assertNotNull(
- zookeeperServer.getZKDatabase().getNode(CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH));
- }
-
 /**
 * Create a dummy mapping and verify that the helper correctly updates changes to the mapping
 * stored in ZNodes.