/** * This method checks out the acl making sure it isn't null or empty, it has valid schemes and * ids, and expanding any relative ids that depend on the requestor's authentication information. * * @param authInfo list of ACL IDs associated with the client connection * @param acl list of ACLs being assigned to the node (create or setACL operation) * @return */ private boolean fixupACL(List<Id> authInfo, List<ACL> acl) { if (skipACL) { return true; } if (acl == null || acl.size() == 0) { return false; } Iterator<ACL> it = acl.iterator(); LinkedList<ACL> toAdd = null; while (it.hasNext()) { ACL a = it.next(); Id id = a.getId(); if (id.getScheme().equals("world") && id.getId().equals("anyone")) { // wide open } else if (id.getScheme().equals("auth")) { // This is the "auth" id, so we have to expand it to the // authenticated ids of the requestor it.remove(); if (toAdd == null) { toAdd = new LinkedList<ACL>(); } boolean authIdValid = false; for (Id cid : authInfo) { AuthenticationProvider ap = ProviderRegistry.getProvider(cid.getScheme()); if (ap == null) { LOG.error("Missing AuthenticationProvider for " + cid.getScheme()); } else if (ap.isAuthenticated()) { authIdValid = true; toAdd.add(new ACL(a.getPerms(), cid)); } } if (!authIdValid) { return false; } } else { AuthenticationProvider ap = ProviderRegistry.getProvider(id.getScheme()); if (ap == null) { return false; } if (!ap.isValid(id.getId())) { return false; } } } if (toAdd != null) { for (ACL a : toAdd) { acl.add(a); } } return acl.size() > 0; }
static void checkACL(ZooKeeperServer zks, List<ACL> acl, int perm, List<Id> ids) throws KeeperException.NoAuthException { if (skipACL) { return; } if (acl == null || acl.size() == 0) { return; } for (Id authId : ids) { if (authId.getScheme().equals("super")) { return; } } for (ACL a : acl) { Id id = a.getId(); if ((a.getPerms() & perm) != 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) { return; } AuthenticationProvider ap = ProviderRegistry.getProvider(id.getScheme()); if (ap != null) { for (Id authId : ids) { if (authId.getScheme().equals(id.getScheme()) && ap.matches(authId.getId(), id.getId())) { return; } } } } } throw new KeeperException.NoAuthException(); }