예제 #1
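    def process(self, opt, arg, cli):
        """Set a single ACL entry on a znode from a CLI-style argument list.

        ``arg[1]`` is the znode path and ``arg[2]`` the ACL spec, written as
        ``scheme:id:perm`` or ``scheme:username:password:perm``.  When
        ``opt.unencrypted`` is set and the scheme is ``digest``, the
        username/password pair is passed through
        ``make_digest_acl_credential`` first; otherwise the id is handed to
        ``make_acl`` as given (presumably an already-hashed digest -- confirm
        against the caller).

        Raises:
            ValueError: if the ACL spec or permission string is malformed, or
                if ``set_acls`` fails.
        """
        path = arg[1]

        # FIXME duplicate code
        acl_info = arg[2].split(':')
        if len(acl_info) == 4:
            scheme, username, password, perm = acl_info
            acl_id = f'{username}:{password}'
        elif len(acl_info) == 3:
            scheme, acl_id, perm = acl_info
        else:
            # Without this branch `scheme` is unbound below.  The spec is not
            # echoed back because it may carry a plaintext password.
            raise ValueError(
                f"Illegal ACL for '{path}', expected scheme:id:perm or "
                "scheme:username:password:perm")
        scheme = scheme.lower()
        perm = perm.lower()

        # Permissions are matched per letter below, so a spelled-out word such
        # as "read" would also switch on admin ('a') and delete ('d').  Reject
        # anything that is not 'all' or made only of the known letters.
        if perm != 'all' and not set(perm) <= set('rwcda'):
            raise ValueError(
                f"Illegal permission '{perm}', expected 'all' or a "
                "combination of r, w, c, d, a")

        if opt.unencrypted and scheme == 'digest':
            username, sep, password = acl_id.partition(':')
            if not sep:
                # Three-field form has no password to hash.
                raise ValueError(
                    "Plaintext digest ACL must be given as "
                    "digest:username:password:perm")
            acl_id = make_digest_acl_credential(username, password)

        try:
            perm_kw = {
                'all': perm == 'all',
                'read': 'r' in perm,
                'write': 'w' in perm,
                'create': 'c' in perm,
                'delete': 'd' in perm,
                'admin': 'a' in perm,
            }
            cli.client.set_acls(path, [make_acl(scheme, acl_id, **perm_kw)],
                                opt.version)
        except NoAuthError as e:
            raise ValueError(f"Authentication is not valid, '{path}'") from e
        except NoNodeError as e:
            raise ValueError(f"Path '{path}' not exists") from e
        except Exception as e:
            import traceback
            raise ValueError(
                f"Illegal arguments! {traceback.format_exc()}") from e
        return PlainViewModel(content='setAcl successfully', color='info')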
예제 #2
def to_acl(access):
  """Translate an ``access`` config object into an ACL via ``make_acl``.

  For the ``digest`` scheme the credential is expected as
  ``<user>:<password>`` and is converted with
  ``make_digest_acl_credential``; for every other scheme it is passed
  through unchanged.
  """
  credential = access.credential().get()
  scheme = access.scheme().get()

  if scheme == 'digest':
    parts = credential.split(':')
    if len(parts) != 2:
      # NOTE(review): this relies on app.error() not returning; if it does
      # return, a credential with extra ':' fields is silently truncated
      # to its first two parts below -- confirm.
      app.error('Digest credential should be of the form <user>:<password>')
    user, password = parts[0], parts[1]
    credential = make_digest_acl_credential(user, password)

  perms = access.permissions()
  return make_acl(
      scheme,
      credential,
      read=perms.read().get(),
      write=perms.write().get(),
      create=perms.create().get(),
      delete=perms.delete().get(),
      admin=perms.admin().get())
예제 #3
    def test_create_makepath_incompatible_acls(self):
        """An unauthenticated create below a CREATOR_ALL_ACL node must fail.

        A second, digest-authenticated client creates ``/1/2`` with
        ``CREATOR_ALL_ACL``; the default client is then expected to get
        ``NoAuthError`` when it tries to create a deeper path with
        ``makepath=True``.
        """
        from kazoo.client import KazooClient
        from kazoo.security import make_digest_acl_credential, CREATOR_ALL_ACL

        # Fixed throw-away credentials; only used against the test cluster.
        digest_cred = make_digest_acl_credential("username", "password")
        hosts = self.cluster[0].address + self.client.chroot
        owner = KazooClient(hosts, max_retries=5,
                            auth_data=[("digest", digest_cred)])
        owner.start()
        owner.create("/1/2", b"val2", makepath=True, acl=CREATOR_ALL_ACL)

        try:
            with self.assertRaises(NoAuthError):
                self.client.create("/1/2/3/4/5", b"val2", makepath=True)
        finally:
            # Only the authenticated client may remove what it created.
            owner.delete('/', recursive=True)
            owner.stop()
    def test_create_makepath_incompatible_acls(self):
        """Check that makepath cannot create under a node owned by another id.

        ``/1/2`` is created by a digest-authenticated client with
        ``CREATOR_ALL_ACL``; creating ``/1/2/3/4/5`` from ``self.client``
        must raise ``NoAuthError``.
        """
        from kazoo.client import KazooClient
        from kazoo.security import make_digest_acl_credential, CREATOR_ALL_ACL

        auth = [("digest", make_digest_acl_credential("username", "password"))]
        alt_client = KazooClient(
            self.cluster[0].address + self.client.chroot,
            max_retries=5,
            auth_data=auth,
        )
        alt_client.start()
        alt_client.create("/1/2", b"val2", makepath=True, acl=CREATOR_ALL_ACL)

        try:
            with self.assertRaises(NoAuthError):
                self.client.create("/1/2/3/4/5", b"val2", makepath=True)
        finally:
            # Clean up with the client that holds the ACL's identity.
            alt_client.delete('/', recursive=True)
            alt_client.stop()
예제 #5
def to_acl(access):
    """Build an ACL for ``access`` with ``make_acl``.

    A ``digest`` credential must look like ``<user>:<password>``; it is
    replaced by the output of ``make_digest_acl_credential`` before the ACL
    is built.  Other schemes use the credential as configured.
    """
    scheme = access.scheme().get()
    cred = access.credential().get()

    if scheme == 'digest':
        fields = cred.split(':')
        if len(fields) != 2:
            # NOTE(review): assumes app.error() terminates the program --
            # confirm; the lines below do not guard against it returning.
            app.error(
                'Digest credential should be of the form <user>:<password>')
        cred = make_digest_acl_credential(fields[0], fields[1])

    granted = access.permissions()
    flags = {
        'read': granted.read().get(),
        'write': granted.write().get(),
        'create': granted.create().get(),
        'delete': granted.delete().get(),
        'admin': granted.admin().get(),
    }
    return make_acl(scheme, cred, **flags)
예제 #6
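def generate_acl_list(module, acl_a):
  """Parse a ``;``-separated ACL string into a list of ACL objects.

  Each entry is ``world:<id>:<perms>``, ``ip:<id>:<perms>`` or
  ``digest:<user>:<password>:<perms>``.  Empty entries and empty fields are
  skipped.  Unknown schemes and entries with too few fields are reported
  through ``module.fail_json``.

  ``acl_a`` can contain plaintext digest passwords, so error messages here
  name only the scheme and never echo the entry.  NOTE(review): the module
  argument that feeds this should presumably be marked ``no_log`` -- confirm
  in the argument spec.
  """
  # Minimum number of fields per scheme, counting the scheme name itself.
  required_fields = {'world': 3, 'ip': 3, 'digest': 4}

  acl_list = []
  for acl in acl_a.split(';'):
    # Truthiness instead of `is not ''`: identity comparison against a string
    # literal is implementation-dependent.
    if not acl:
      continue
    acl_data = [field for field in acl.split(':') if field]
    if not acl_data:
      module.fail_json(msg='Malformed acl entry: no scheme given')
      continue
    acl_access_type = acl_data[0]

    if acl_access_type not in required_fields:
      module.fail_json(msg='Unknown acl type: {0}'.format(acl_access_type))
      continue
    if len(acl_data) < required_fields[acl_access_type]:
      module.fail_json(
          msg='Malformed {0} acl entry: expected at least {1} fields'.format(
              acl_access_type, required_fields[acl_access_type]))
      continue

    if acl_access_type == 'digest':
      # generate acl from username and password
      credential = make_digest_acl_credential(acl_data[1], acl_data[2])
      acl_list.append(get_acl('digest', credential, acl_data[3]))
    else:
      # generate public or ip acl
      acl_list.append(get_acl(acl_access_type, acl_data[1], acl_data[2]))
  return acl_list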
예제 #7
파일: web.py 프로젝트: dlorenc/jones
from jones import Jones
import zkutil
import jonesconfig


# Module-level setup: build the Flask app, load its config, then open an
# authenticated ZooKeeper session used by the rest of the module.
app = Flask(__name__)
# NOTE(review): ProxyFix (presumably werkzeug's) makes the app trust
# forwarded-for/host headers; that is only sound when every request passes
# through a reverse proxy that sets them -- confirm the deployment.
app.wsgi_app = ProxyFix(app.wsgi_app)
app.config.from_object(jonesconfig)
# Optional override file named by $JONES_SETTINGS; silent=True ignores a
# missing variable.
app.config.from_envvar('JONES_SETTINGS', silent=True)

if 'SENTRY_DSN' in app.config:
    sentry = Sentry(app)

# Digest credential for the fixed user name 'Jones'; the password comes from
# config (ZK_DIGEST_PASSWORD) and has to be kept out of version control.
jones_credential = make_digest_acl_credential(
    'Jones', app.config['ZK_DIGEST_PASSWORD']
)
zk = KazooClient(
    app.config['ZK_CONNECTION_STRING'],
    default_acl=(
        # grants read permissions to anyone.
        # NOTE(review): every node created with this default is readable by
        # any client that can reach the ensemble -- confirm no secrets are
        # stored in these znodes.
        make_acl('world', 'anyone', read=True),
        # grants all permissions to the creator of the node.
        make_acl('auth', '', all=True)
    )
)
zk.connect()
# NOTE(review): add_auth is given the output of make_digest_acl_credential,
# not the raw password, so the derived string is what the server treats as
# the password -- confirm this is intended.
zk.add_auth('digest', jones_credential)
zk.ensure_path('/services')

예제 #8
파일: web.py 프로젝트: dalegaspi/jones
from werkzeug.contrib.fixers import ProxyFix
import json

from jones import Jones, Env
import zkutil
import jonesconfig

# Module-level setup: build the Flask app, load its config, then start an
# authenticated ZooKeeper session used by the rest of the module.
app = Flask(__name__)
# NOTE(review): ProxyFix makes the app trust forwarded-for/host headers; that
# is only sound when every request passes through a reverse proxy that sets
# them -- confirm the deployment.
app.wsgi_app = ProxyFix(app.wsgi_app)
app.config.from_object(jonesconfig)
# Optional override file named by $JONES_SETTINGS; silent=True ignores a
# missing variable.
app.config.from_envvar('JONES_SETTINGS', silent=True)

if 'SENTRY_DSN' in app.config:
    sentry = Sentry(app)

# Digest credential for the fixed user name 'Jones'; the password comes from
# config (ZK_DIGEST_PASSWORD) and has to be kept out of version control.
jones_credential = make_digest_acl_credential('Jones',
                                              app.config['ZK_DIGEST_PASSWORD'])
zk = KazooClient(
    app.config['ZK_CONNECTION_STRING'],
    default_acl=(
        # grants read permissions to anyone.
        # NOTE(review): every node created with this default is readable by
        # any client that can reach the ensemble -- confirm no secrets are
        # stored in these znodes.
        make_acl('world', 'anyone', read=True),
        # grants all permissions to the creator of the node.
        make_acl('auth', '', all=True)))
zk.start()
# NOTE(review): add_auth is given the output of make_digest_acl_credential,
# not the raw password, so the derived string is what the server treats as
# the password -- confirm this is intended.
zk.add_auth('digest', jones_credential)


@zk.DataWatch('/services')
def ensure_root(data, stat):
    """Data-watch callback for ``/services`` that ensures the path exists.

    ``stat`` is accepted but not used in the lines shown here.
    """
    # `not data` is true for None and for empty data alike, so ensure_path is
    # also called when the node exists but holds no data.
    if not data:
        zk.ensure_path('/services')