PrepRequestProcessor: Now load & apply ACL constraints in 'fixupACL'

ztzg · Sep 18, 2024 · 36b271d · 36b271d
1 parent 1055ab9
commit 36b271d
Showing 1 changed file with 63 additions and 0 deletions.
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/PrepRequestProcessor.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/PrepRequestProcessor.java
@@ -31,6 +31,7 @@
 import java.util.Set;
 import java.util.concurrent.LinkedBlockingQueue;
 import org.apache.jute.Record;
+import org.apache.zookeeper.ACLs;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.DeleteContainerRequest;
 import org.apache.zookeeper.KeeperException;
@@ -988,6 +989,35 @@ private void validateCreateRequest(String path, CreateMode createMode, Request r
      * @throws KeeperException.InvalidACLException
      */
     public static List<ACL> fixupACL(ZKDatabase zkDb, String path, List<Id> authInfo, List<ACL> acls) throws KeeperException.InvalidACLException {
+        boolean applyConstraints = true;
+
+        for (Id authId : authInfo) {
+            if (authId.getScheme().equals("super")) {
+                applyConstraints = false;
+                break;
+            }
+        }
+
+        if (applyConstraints && acls != null) {
+            List<ACLs.Constraint> constraints = loadAclConstraints(zkDb, path);
+            if (!constraints.isEmpty()) {
+                List<ACL> newAcl = new ArrayList<>(acls);
+                int n = newAcl.size();
+                for (int i = 0; i < n; i++) {
+                    for (ACLs.Constraint constraint : constraints) {
+                        // TODO: node-bound-acl-masks: use list result
+                        ACL newAclEntry = constraint.apply(path, newAcl.get(i));
+                        if (newAclEntry != null) {
+                            newAcl.set(i, newAclEntry);
+                            // Stop processing constraints on this ACL entry.
+                            break;
+                        }
+                    }
+                }
+                acls = newAcl;
+            }
+        }
+
         // check for well formed ACLs
         // This resolves https://issues.apache.org/jira/browse/ZOOKEEPER-1877
         List<ACL> uniqacls = removeDuplicates(acls);
@@ -1033,6 +1063,39 @@ public static List<ACL> fixupACL(ZKDatabase zkDb, String path, List<Id> authInfo
         return rv;
     }
 
+    public static List<ACLs.Constraint> loadAclConstraints(ZKDatabase zkDb, String path) throws KeeperException.InvalidACLException {
+        String prefix = zkDb.getDataTree().getMaxPrefixWithAclConstraints(path);
+        if (StringUtils.isEmpty(prefix)) {
+            return Collections.emptyList();
+        }
+
+        String cpath = ACLs.constraintsPath(prefix);
+        DataNode cnode = zkDb.getNode(cpath);
+        if (cnode == null) {
+            // should not happen
+            LOG.error("Missing constraint node for ACLs {}", cpath);
+            throw new KeeperException.InvalidACLException(path);
+        }
+
+        byte[] encodedConstraints = null;
+        synchronized (cnode) {
+            encodedConstraints = cnode.data;
+        }
+        if (encodedConstraints == null) {
+            // should not happen
+            LOG.error("Null constraint node for ACLs {}", cpath);
+            throw new KeeperException.InvalidACLException(path);
+        }
+
+        try {
+            // TODO: node-bound-acl-masks: LRU cache?
+            return ACLs.parseConstraints(encodedConstraints);
+        } catch (Exception e) {
+            LOG.error("Error parsing constraint node {}", cpath, e);
+            throw new KeeperException.InvalidACLException(path);
+        }
+    }
+
     public void processRequest(Request request) {
         request.prepQueueStartTime = Time.currentElapsedTime();
         submittedRequests.add(request);