ACL Support

exhibitor-core/src/main/java/com/netflix/exhibitor/core/Exhibitor.java

@@ -33,6 +33,7 @@
 import com.netflix.exhibitor.core.config.ConfigProvider;
 import com.netflix.exhibitor.core.config.IntConfigs;
 import com.netflix.exhibitor.core.config.JQueryStyle;
+import com.netflix.exhibitor.core.config.StringConfigs;
 import com.netflix.exhibitor.core.controlpanel.ControlPanelValues;
 import com.netflix.exhibitor.core.controlpanel.FileBasedPreferences;
 import com.netflix.exhibitor.core.index.IndexCache;
@@ -309,6 +310,11 @@ public synchronized CuratorFramework getLocalConnection() throws IOException
                 .connectionTimeoutMs(arguments.connectionTimeOutMs)
                 .retryPolicy(new ExponentialBackoffRetry(1000, 3));
 
+            String zkSuperUserPassword = configManager.getConfig().getString(StringConfigs.ZK_SUPER_USER_PASSWORD);
+            if (zkSuperUserPassword != null && !zkSuperUserPassword.equals("")) {
+                builder.authorization("digest", ("super:" + zkSuperUserPassword).getBytes());
+            }
+
             if ( arguments.aclProvider != null )
             {
                 builder = builder.aclProvider(arguments.aclProvider);

exhibitor-core/src/main/java/com/netflix/exhibitor/core/config/DefaultProperties.java

@@ -159,6 +159,16 @@ public int getInt(IntConfigs config)
                         return 1;
                     }
 
+                    case ENABLE_ACLS:
+                    {
+                        return 0;
+                    }
+
+                    case ENABLE_TRACKING:
+                    {
+                        return 1;
+                    }
+
                 }
                 return 0;
             }

exhibitor-core/src/main/java/com/netflix/exhibitor/core/config/IntConfigs.java

@@ -176,6 +176,26 @@ public boolean isRestartSignificant()
         {
             return false;
         }
+    },
+
+    /**
+     * true/false (0 or 1) - this will enable the viewing and modification of znode ACLs. The default is disabled.
+     */
+    ENABLE_ACLS {
+        @Override
+        public boolean isRestartSignificant() {
+            return false;
+        }
+    },
+
+    /**
+     * true/false (0 or 1) - this will enable the tracking fields on the modifiy dialog box. The default is enabled.
+     */
+    ENABLE_TRACKING {
+        @Override
+        public boolean isRestartSignificant() {
+            return false;
+        }
     }
     ;
 

exhibitor-core/src/main/java/com/netflix/exhibitor/core/config/StringConfigs.java

@@ -121,6 +121,13 @@ public boolean isRestartSignificant()
         {
             return true;
         }
+    },
+
+    ZK_SUPER_USER_PASSWORD {
+        @Override
+        public boolean isRestartSignificant() {
+            return true;
+        }
     }
     ;
 

exhibitor-core/src/main/java/com/netflix/exhibitor/core/rest/ConfigResource.java

@@ -46,6 +46,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.ext.ContextResolver;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
@@ -57,6 +58,13 @@ public class ConfigResource
 
     private static final String CANT_UPDATE_CONFIG_MESSAGE = "It appears that another process has updated the config. Your change was not committed.";
 
+    /**
+     * Contains a list of all those properties that we don't want returned in the 'get-state' method.
+     */
+    private static final List<StringConfigs> EXCLUSIONS = Arrays.asList(
+            StringConfigs.ZK_SUPER_USER_PASSWORD
+    );
+
     public ConfigResource(@Context ContextResolver<UIContext> resolver)
     {
         context = resolver.getContext(UIContext.class);
@@ -92,7 +100,9 @@ public Response getSystemState(@Context Request request) throws Exception
         configNode.put("serverId", (us != null) ? us.getServerId() : -1);
         for ( StringConfigs c : StringConfigs.values() )
         {
-            configNode.put(fixName(c), config.getString(c));
+            if ( !EXCLUSIONS.contains(c) ) {
+                configNode.put(fixName(c), config.getString(c));
+            }
         }
         for ( IntConfigs c : IntConfigs.values() )
         {

exhibitor-core/src/main/java/com/netflix/exhibitor/core/rest/ExplorerResource.java

@@ -25,6 +25,7 @@
 import com.netflix.exhibitor.core.analyze.PathAndMax;
 import com.netflix.exhibitor.core.analyze.PathComplete;
 import com.netflix.exhibitor.core.analyze.UsageListing;
+import com.netflix.exhibitor.core.config.IntConfigs;
 import com.netflix.exhibitor.core.entities.IdList;
 import com.netflix.exhibitor.core.entities.PathAnalysis;
 import com.netflix.exhibitor.core.entities.PathAnalysisNode;
@@ -34,7 +35,10 @@
 import org.apache.curator.utils.CloseableUtils;
 import org.apache.curator.utils.ZKPaths;
 import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
+import org.apache.zookeeper.ZooDefs;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.node.ArrayNode;
 import org.codehaus.jackson.node.JsonNodeFactory;
@@ -44,10 +48,12 @@
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.ext.ContextResolver;
+import javax.xml.bind.DatatypeConverter;
 import java.io.PipedInputStream;
 import java.io.PipedOutputStream;
 import java.io.PrintStream;
 import java.lang.reflect.Field;
+import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
@@ -61,10 +67,12 @@ public class ExplorerResource
     private final ExecutorService   executorService = Executors.newCachedThreadPool();
 
     private static final String         ERROR_KEY = "*";
+    private final boolean aclsEnabled;
 
     public ExplorerResource(@Context ContextResolver<UIContext> resolver)
     {
         context = resolver.getContext(UIContext.class);
+        aclsEnabled = context.getExhibitor().getConfigManager().getConfig().getInt(IntConfigs.ENABLE_ACLS) == 1;
     }
 
     public static String bytesToString(byte[] bytes)
@@ -139,6 +147,7 @@ private void recursivelyDelete(String path) throws Exception
             @HeaderParam("netflix-user-name") String trackingUserName,
             @HeaderParam("netflix-ticket-number") String trackingTicketNumber,
             @HeaderParam("netflix-reason") String trackingReason,
+            @HeaderParam("acls") String aclsJsonArray,
             String binaryDataStr
         )
     {
@@ -156,6 +165,18 @@ private void recursivelyDelete(String path) throws Exception
 
             try
             {
+                List<ACL> acls = new ArrayList<ACL>();
+                boolean processAcls = (aclsEnabled && (aclsJsonArray != null && !aclsJsonArray.equals("")));
+
+                if (processAcls) {
+                    ObjectMapper mapper = new ObjectMapper();
+                    List<ObjectNode> aclsInJson = mapper.readValue(DatatypeConverter.parseBase64Binary(aclsJsonArray), new TypeReference<List<ObjectNode>>() {});
+                    for (ObjectNode aclInJson : aclsInJson) {
+                        Id id = new Id(aclInJson.get("scheme").getTextValue(), aclInJson.get("id").getTextValue());
+                        acls.add(new ACL(aclInJson.get("bitmask").getIntValue(), id));
+                    }
+                }
+
                 binaryDataStr = binaryDataStr.replace(" ", "");
                 byte[]      data = new byte[binaryDataStr.length() / 2];
                 for ( int i = 0; i < data.length; ++i )
@@ -169,11 +190,21 @@ private void recursivelyDelete(String path) throws Exception
                 {
                     context.getExhibitor().getLocalConnection().setData().forPath(path, data);
                     context.getExhibitor().getLog().add(ActivityLog.Type.INFO, String.format("createNode() updated node [%s] to data [%s]", path, binaryDataStr));
+
+                    if (processAcls) {
+                        context.getExhibitor().getLocalConnection().setACL().withACL(acls).forPath(path);
+                        context.getExhibitor().getLog().add(ActivityLog.Type.INFO, String.format("createNode() updated acls for node [%s]", path));
+                    }
                 }
                 catch ( KeeperException.NoNodeException dummy )
                 {
                     context.getExhibitor().getLocalConnection().create().creatingParentsIfNeeded().forPath(path, data);
                     context.getExhibitor().getLog().add(ActivityLog.Type.INFO, String.format("createNode() created node [%s] with data [%s]", path, binaryDataStr));
+
+                    if (processAcls) {
+                        context.getExhibitor().getLocalConnection().setACL().withACL(acls).forPath(path);
+                        context.getExhibitor().getLog().add(ActivityLog.Type.INFO, String.format("createNode() updated acls for node [%s]" , path));
+                    }
                 }
             }
             catch ( Exception e )
@@ -199,6 +230,21 @@ public String   getNodeData(@QueryParam("key") String key) throws Exception
             Stat stat = context.getExhibitor().getLocalConnection().checkExists().forPath(key);
             byte[]          bytes = context.getExhibitor().getLocalConnection().getData().storingStatIn(stat).forPath(key);
 
+            if (aclsEnabled) {
+                List<ACL> acls = context.getExhibitor().getLocalConnection().getACL().forPath(key);
+                ArrayNode aclsNode = node.putArray("acls");
+                StringBuilder aclsAsString = new StringBuilder();
+
+                for (ACL acl : acls) {
+                    aclsAsString.append(encodeAclToString(acl));
+                    aclsAsString.append("<br/>");
+
+                    aclsNode.add(encodeAclToJson(acl));
+                }
+                node.put("aclsArray", aclsNode);
+                node.put("acls", aclsAsString.toString());
+            }
+
             if (bytes != null) {
                 node.put("bytes", bytesToString(bytes));
                 node.put("str", new String(bytes, "UTF-8"));
@@ -223,6 +269,30 @@ public String   getNodeData(@QueryParam("key") String key) throws Exception
         return node.toString();
     }
 
+    private String encodeAclToString(ACL acl) {
+        String scheme = acl.getId().getScheme();
+        String id = acl.getId().getId();
+
+        StringBuilder perms = new StringBuilder();
+        if ((acl.getPerms() & ZooDefs.Perms.READ) > 0) perms.append("R");
+        if ((acl.getPerms() & ZooDefs.Perms.WRITE) > 0) perms.append("W");
+        if ((acl.getPerms() & ZooDefs.Perms.CREATE) > 0) perms.append("C");
+        if ((acl.getPerms() & ZooDefs.Perms.DELETE) > 0) perms.append("D");
+        if ((acl.getPerms() & ZooDefs.Perms.ADMIN) > 0) perms.append("A");
+
+        return scheme + ":" + id + "=" + perms.toString();
+    }
+
+    private ObjectNode encodeAclToJson(ACL acl) {
+        ObjectNode node = JsonNodeFactory.instance.objectNode();
+
+        node.put("scheme", acl.getId().getScheme());
+        node.put("id", acl.getId().getId());
+        node.put("perms", acl.getPerms());
+
+        return node;
+    }
+
     @GET
     @Path("node")
     @Produces("application/json")

exhibitor-core/src/main/resources/com/netflix/exhibitor/core/ui/css/exhibitor.css

@@ -143,7 +143,7 @@ label
     border: 1px solid gray;
 }
 
-#path, #stat, #data-bytes, #data-str
+#path, #stat, #data-bytes, #data-str, #node-acl
 {
     font-family: monospace;
     font-size: 125%;
@@ -558,6 +558,21 @@ fieldset
     font-style: italic;
 }
 
+#node-acls-table
+{
+    width: 480px;
+}
+
+.acl-element
+{
+    text-align: left;
+}
+
+.acl-checkbox
+{
+    text-align: center;
+}
+
 .open-window
 {
     position: absolute;

exhibitor-core/src/main/resources/com/netflix/exhibitor/core/ui/index.html

@@ -114,6 +114,9 @@
                         <tr valign="top">
                             <td nowrap><strong>Data as String</strong></td> <td><span id="data-str"></span></td>
                         </tr>
+                        <tr valign="top" class="acl-component">
+                            <td nowrap><strong>ACLs</strong></td> <td><span id="node-acl"></span></td>
+                        </tr>
                     </table>
                 </div>
 
@@ -209,6 +212,14 @@
                         <label for="config-check-ms">Live Check (ms)</label><input type="text" id="config-check-ms" class="mask-pint" name="config-check-ms" size="8" title="The number of milliseconds between live-ness checks on the ZooKeeper server"><br clear="all"/>
                         <label for="config-cleanup-ms">Cleanup Period (ms)</label><input type="text" id="config-cleanup-ms" class="mask-pint" name="config-cleanup-ms" size="8" title="The number of milliseconds between ZooKeeper log file cleanups"><br clear="all"/>
                         <label for="config-cleanup-max-files">Cleanup: Max Log Files</label><input type="text" id="config-cleanup-max-files" class="mask-pint" name="config-cleanup-max-files" size="2" title="The max number of ZooKeeper log files to keep when cleaning up"><br clear="all"/>
+                        <label for="config-enable-acls">Enable ACLs</label><select type="text" id="config-enable-acls" class="mask-pint" name="config-enable-acls" size="1" title="If set to 'yes', then Exhibitor will allow viewing and modification of ACLs.">
+                            <option value="0">No</option>
+                            <option value="1">Yes</option>
+                        </select><br clear="all"/>
+                        <label for="config-enable-tracking-fields">Enable Tracking Fields</label><select type="text" id="config-enable-tracking-fields" class="mask-pint" name="config-enable-tracking-fields" size="1" title="If set to 'yes', then Exhibitor will allow viewing and modification of ACLs.">
+                             <option value="0">No</option>
+                             <option value="1">Yes</option>
+                        </select><br clear="all"/>
                     </fieldset>
 
                     <fieldset id="config-backups-fieldset">
@@ -337,6 +348,32 @@
             rollback to the previous configuration or force commit to the updated configuration.
         </div>
 
+        <div id="get-node-data-acls-table-row" class="ui-helper-hidden">
+            <table>
+                <tr id="node-acls-table-headers">
+                    <th class="acl-checkbox"></th>
+                    <th class="acl-element">Scheme</th>
+                    <th class="acl-element">ID</th>
+                    <th class="acl-checkbox">R</th>
+                    <th class="acl-checkbox">W</th>
+                    <th class="acl-checkbox">C</th>
+                    <th class="acl-checkbox">D</th>
+                    <th class="acl-checkbox">A</th>
+                </tr>
+
+                <tr name="aclrow">
+                    <td class="acl-checkbox"><input type="checkbox" name="deleteacl"/></td>
+                    <td class="acl-element"><input type="text" class="acl-element" name="schemeinput"/><span class="acl-element" name="schemeinputtext"></span></td>
+                    <td class="acl-element"><input type="text" class="acl-element" name="idinput"/><span class="acl-element" name="idinputtext"></span></td>
+                    <td class="acl-checkbox"><input type="checkbox" name="readperm" data-bitmask="1"/></td>
+                    <td class="acl-checkbox"><input type="checkbox" name="writeperm" data-bitmask="2"/></td>
+                    <td class="acl-checkbox"><input type="checkbox" name="createperm" data-bitmask="4"/></td>
+                    <td class="acl-checkbox"><input type="checkbox" name="deleteperm" data-bitmask="8"/></td>
+                    <td class="acl-checkbox"><input type="checkbox" name="adminperm" data-bitmask="16"/></td>
+                </tr>
+            </table>
+        </div>
+
         <div id="get-node-data-dialog" class="ui-helper-hidden">
             <div>
                 <label for="node-action">Type </label><select name="node-action" id="node-action">
@@ -348,13 +385,25 @@
                 <label for="node-name">Path </label><input type="text" id="node-name" name="node-name" size="40"><br clear="all"/>
             </div>
             <div id="node-data-container">
-                <label for="node-data">Data </label><textarea id="node-data" name="node-data" cols="45" rows="3"></textarea><select name="node-data-type" id="node-data-type">
-                <option value="string">String</option>
-                <option value="binary">Binary</option>
-            </select><br clear="all"/>
+                <label for="node-data">Data </label><textarea id="node-data" name="node-data" cols="45" rows="3"></textarea>
+                <select name="node-data-type" id="node-data-type">
+                    <option value="string">String</option>
+                    <option value="binary">Binary</option>
+                </select>
+                <fieldset class="acl-component">
+                    <legend>ACLs</legend>
+
+                    <table id="node-acls-table" class="ui-helper-hidden">
+                    </table>
+
+                    <button id="add-acl">Add ACL</button>
+                    <button id="remove-acls">Remove ACLs</button>
+                </fieldset>
+
+                <br clear="all"/>
             </div>
 
-            <fieldset>
+            <fieldset class="tracking-fields-component">
                 <legend>Tracking</legend>
                 <label for="node-data-user">Username</label><input type="text" id="node-data-user" name="node-data-user" size="20" title="Your username"><br clear="all"/>
                 <label for="node-data-ticket">Ticket/Code</label><input type="text" id="node-data-ticket" name="node-data-ticket" size="20" title="Ticket/tag number for this operation"><br clear="all"/>