Allow configuring Zookeeper authentication This change enables authentication when the plugin connects to the Zookeeper cluster. Bug: Issue 340582184 Change-Id: I4f15a73dbdfbe87b6e887d64e702755260e15f05
diff --git a/src/main/java/com/googlesource/gerrit/plugins/validation/dfsrefdb/zookeeper/ZookeeperConfig.java b/src/main/java/com/googlesource/gerrit/plugins/validation/dfsrefdb/zookeeper/ZookeeperConfig.java
index aa62862..b6abb40 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/validation/dfsrefdb/zookeeper/ZookeeperConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/validation/dfsrefdb/zookeeper/ZookeeperConfig.java
@@ -20,12 +20,16 @@
 import com.google.gerrit.extensions.annotations.PluginName;
 import com.google.gerrit.server.config.PluginConfigFactory;
 import com.google.inject.Inject;
+import java.util.List;
 import java.util.Optional;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.curator.RetryPolicy;
 import org.apache.curator.framework.CuratorFramework;
 import org.apache.curator.framework.CuratorFrameworkFactory;
+import org.apache.curator.framework.api.ACLProvider;
 import org.apache.curator.retry.BoundedExponentialBackoffRetry;
+import org.apache.zookeeper.ZooDefs;
+import org.apache.zookeeper.data.ACL;
 import org.eclipse.jgit.lib.Config;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,6 +56,8 @@
   public static final String SUBSECTION = "zookeeper";
   public static final String KEY_CONNECT_STRING = "connectString";
+  public static final String KEY_USERNAME = "username";
+  public static final String KEY_PASSWORD = "password";
   public static final String KEY_SESSION_TIMEOUT_MS = "sessionTimeoutMs";
   public static final String KEY_CONNECTION_TIMEOUT_MS = "connectionTimeoutMs";
   public static final String KEY_RETRY_POLICY_BASE_SLEEP_TIME_MS = "retryPolicyBaseSleepTimeMs";
@@ -69,8 +75,9 @@
   public final String KEY_CAS_RETRY_POLICY_MAX_SLEEP_TIME_MS = "casRetryPolicyMaxSleepTimeMs";
   public final String KEY_CAS_RETRY_POLICY_MAX_RETRIES = "casRetryPolicyMaxRetries";
   public final String TRANSACTION_LOCK_TIMEOUT_KEY = "transactionLockTimeoutMs";
-
   private final String connectionString;
+  private Optional<String> zkUsername;
+  private Optional<String> zkPassword;
   private final String root;
   private final int sessionTimeoutMs;
   private final int connectionTimeoutMs;
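Review bot: The two fields added in the hunk at -69, `private Optional<String> zkUsername;` and `private Optional<String> zkPassword;`, are the only non-`final` fields among their neighbours even though the constructor hunk assigns each exactly once; `private final Optional<String> zkUsername;` and `private final Optional<String> zkPassword;` would state that guarantee and keep the class's convention. Keeping the password as a `String` inside the config object also keeps the secret resident in memory for the object's lifetime, which is presumably in line with how the existing `sslTrustStorePassword` setting documented in config.md is handled, so this is a note rather than a blocker. The enclosing class starts before and ends after these hunks.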
@@ -100,6 +107,8 @@
   public ZookeeperConfig(Config zkConfig) {
     connectionString = getString(zkConfig, SECTION, SUBSECTION, KEY_CONNECT_STRING, DEFAULT_ZK_CONNECT);
+    zkUsername = getOptionalString(zkConfig, SECTION, SUBSECTION, KEY_USERNAME);
+    zkPassword = getOptionalString(zkConfig, SECTION, SUBSECTION, KEY_PASSWORD);
     root = getString(zkConfig, SECTION, SUBSECTION, KEY_ROOT_NODE, "gerrit/multi-site");
     sessionTimeoutMs = getInt(zkConfig, SECTION, SUBSECTION, KEY_SESSION_TIMEOUT_MS, defaultSessionTimeoutMs);
@@ -200,21 +209,45 @@
     }
     if (build == null) {
-      this.build =
+      CuratorFrameworkFactory.Builder builder =
           CuratorFrameworkFactory.builder()
               .connectString(connectionString)
               .sessionTimeoutMs(sessionTimeoutMs)
               .connectionTimeoutMs(connectionTimeoutMs)
               .retryPolicy(
                   new BoundedExponentialBackoffRetry(baseSleepTimeMs, maxSleepTimeMs, maxRetries))
-              .namespace(root)
-              .build();
+              .namespace(root);
+      if (zkUsername.isPresent() != zkPassword.isPresent()) {
+        throw new IllegalArgumentException(
+            "Only one between password or username for Zookeeper was set, please set both to successfully authenticate");
+      } else {
+        zkUsername
+            .flatMap(usr -> zkPassword.map(pwd -> usr + ":" + pwd))
+            .ifPresent(auth -> configureAuth(builder, auth));
+      }
+      this.build = builder.build();
       this.build.start();
     }
-
     return this.build;
   }
+  private void configureAuth(CuratorFrameworkFactory.Builder builder, String authString) {
+    builder
+        .authorization("digest", authString.getBytes())
+        .aclProvider(
+            new ACLProvider() {
+              @Override
+              public List<ACL> getDefaultAcl() {
+                return ZooDefs.Ids.CREATOR_ALL_ACL;
+              }
+
+              @Override
+              public List<ACL> getAclForPath(String path) {
+                return ZooDefs.Ids.CREATOR_ALL_ACL;
+              }
+            });
+  }
+
   public Long getZkInterProcessLockTimeOut() {
     return transactionLockTimeOut;
   }
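Review bot: `authString.getBytes()` in the new `configureAuth` encodes the `user:password` credential with the platform default charset, so the digest sent to ZooKeeper, and therefore the creator identity recorded in `CREATOR_ALL_ACL`, can differ between JVMs with different `file.encoding` whenever the username or password contains non-ASCII characters; use `authString.getBytes(StandardCharsets.UTF_8)` and add `java.nio.charset.StandardCharsets` to the import hunk at -20. The username/password consistency check sits inside the `build == null` branch, so a server with only one of the two keys set only fails on first use; the same `if (zkUsername.isPresent() != zkPassword.isPresent())` test could run in the constructor hunk at -100 directly after the two `getOptionalString` calls and fail at startup instead. Once the guard throws, the `else` is redundant and `zkUsername.flatMap(...).ifPresent(...)` can follow it directly. It would also help to note on `configureAuth` that every znode this client creates gets `CREATOR_ALL_ACL`, i.e. is accessible only with these credentials, so rotating the password after nodes exist is expected to leave them inaccessible until their ACLs are updated. The method containing the `build == null` branch starts before this hunk.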
diff --git a/src/main/resources/Documentation/config.md b/src/main/resources/Documentation/config.md
index 00a2468..fadf623 100644
--- a/src/main/resources/Documentation/config.md
+++ b/src/main/resources/Documentation/config.md
@@ -112,3 +112,11 @@
 ```ref-database.zookeeper.sslTrustStorePassword```
 : Optional configuration for the password to the ssl trust store.
+
+```ref-database.zookeeper.username```
+: Optional, if authentication is required, configuration for the username to the zookeeper node.
+
+```ref-database.zookeeper.password```
+: Optional, if authentication is required, configuration for the password to the zookeeper node.
+
+