TEST_F(ZooKeeperTest, Auth) { ZooKeeperTest::TestWatcher watcher; ZooKeeper authenticatedZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); authenticatedZk.authenticate("digest", "creator:creator"); authenticatedZk.create("/test", "42", zookeeper::EVERYONE_READ_CREATOR_ALL, 0, NULL); ASSERT_ZK_GET("42", &authenticatedZk, "/test"); ZooKeeper unauthenticatedZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); ASSERT_ZK_GET("42", &unauthenticatedZk, "/test"); ASSERT_EQ(ZNOAUTH, unauthenticatedZk.set("/test", "", -1)); ZooKeeper nonOwnerZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); nonOwnerZk.authenticate("digest", "non-owner:non-owner"); ASSERT_ZK_GET("42", &nonOwnerZk, "/test"); ASSERT_EQ(ZNOAUTH, nonOwnerZk.set("/test", "", -1)); }
// Verifies that contender and detector operations fail when facing // non-retryable errors returned by ZooKeeper. TEST_F(ZooKeeperMasterContenderDetectorTest, NonRetryableFrrors) { // group1 creates a base directory in ZooKeeper and sets the // credential for the user. zookeeper::Group group1( server->connectString(), MASTER_CONTENDER_ZK_SESSION_TIMEOUT, "/mesos", zookeeper::Authentication("digest", "member:member")); AWAIT_READY(group1.join("data")); PID<Master> pid; pid.node.ip = 10000000; pid.node.port = 10000; MasterInfo master = internal::protobuf::createMasterInfo(pid); // group2's password is wrong and operations on it will fail. Owned<zookeeper::Group> group2(new Group( server->connectString(), MASTER_CONTENDER_ZK_SESSION_TIMEOUT, "/mesos", zookeeper::Authentication("digest", "member:wrongpass"))); ZooKeeperMasterContender contender(group2); contender.initialize(master); // Fails due to authentication error. AWAIT_FAILED(contender.contend()); // Subsequent call should also fail. AWAIT_FAILED(contender.contend()); // Now test non-retryable failures in detection. ZooKeeperTest::TestWatcher watcher; ZooKeeper authenticatedZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); authenticatedZk.authenticate("digest", "creator:creator"); // Creator of the base path restricts the all accesses to be // itself. ::ACL onlyCreatorCanAccess[] = {{ ZOO_PERM_ALL, ZOO_AUTH_IDS }}; authenticatedZk.create("/test", "42", (ACL_vector) {1, onlyCreatorCanAccess}, 0, NULL); ASSERT_ZK_GET("42", &authenticatedZk, "/test"); // group3 cannot read the base path thus detector should fail. Owned<Group> group3(new Group( server->connectString(), MASTER_DETECTOR_ZK_SESSION_TIMEOUT, "/test", None())); ZooKeeperMasterDetector detector(group3); AWAIT_FAILED(detector.detect()); // Subsequent call should also fail. AWAIT_FAILED(detector.detect()); }
TEST_F(ZooKeeperTest, Create) { ZooKeeperTest::TestWatcher watcher; ZooKeeper authenticatedZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); authenticatedZk.authenticate("digest", "creator:creator"); EXPECT_EQ(ZOK, authenticatedZk.create("/foo/bar", "", zookeeper::EVERYONE_READ_CREATOR_ALL, 0, NULL, true)); authenticatedZk.create("/foo/bar/baz", "43", zookeeper::EVERYONE_CREATE_AND_READ_CREATOR_ALL, 0, NULL); ASSERT_ZK_GET("43", &authenticatedZk, "/foo/bar/baz"); ZooKeeper nonOwnerZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); nonOwnerZk.authenticate("digest", "non-owner:non-owner"); EXPECT_EQ(ZNODEEXISTS, nonOwnerZk.create("/foo/bar/baz", "", zookeeper::EVERYONE_READ_CREATOR_ALL, 0, NULL, true)); EXPECT_EQ(ZOK, nonOwnerZk.create("/foo/bar/baz/bam", "44", zookeeper::EVERYONE_READ_CREATOR_ALL, 0, NULL, true)); ASSERT_ZK_GET("44", &nonOwnerZk, "/foo/bar/baz/bam"); std::string result; EXPECT_EQ(ZOK, nonOwnerZk.create("/foo/bar/baz/", "", zookeeper::EVERYONE_READ_CREATOR_ALL, ZOO_SEQUENCE | ZOO_EPHEMERAL, &result, true)); EXPECT_TRUE(strings::startsWith(result, "/foo/bar/baz/0")); }
TEST_F(GroupTest, GroupPathWithRestrictivePerms) { ZooKeeperTest::TestWatcher watcher; ZooKeeper authenticatedZk(server->connectString(), NO_TIMEOUT, &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); authenticatedZk.authenticate("digest", "creator:creator"); authenticatedZk.create( "/read-only", "42", zookeeper::EVERYONE_READ_CREATOR_ALL, 0, NULL); ASSERT_ZK_GET("42", &authenticatedZk, "/read-only"); authenticatedZk.create( "/read-only/writable", "37", ZOO_OPEN_ACL_UNSAFE, 0, NULL); ASSERT_ZK_GET("37", &authenticatedZk, "/read-only/writable"); zookeeper::Authentication auth("digest", "non-creator:non-creator"); Group failedGroup1( server->connectString(), NO_TIMEOUT, "/read-only/", auth); AWAIT_FAILED(failedGroup1.join("fail")); Group failedGroup2( server->connectString(), NO_TIMEOUT, "/read-only/new", auth); AWAIT_FAILED(failedGroup2.join("fail")); Group successGroup( server->connectString(), NO_TIMEOUT, "/read-only/writable/", auth); AWAIT_READY(successGroup.join("succeed")); }
TEST_F(ZooKeeperTest, SessionTimeoutNegotiation) { server->setMinSessionTimeout(Seconds(8)); server->setMaxSessionTimeout(Seconds(20)); EXPECT_EQ(Seconds(8), server->getMinSessionTimeout()); EXPECT_EQ(Seconds(20), server->getMaxSessionTimeout()); ZooKeeperTest::TestWatcher watcher; ZooKeeper zk1(server->connectString(), Seconds(7), &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); // The requested timeout is less than server's min value so the // negotiated result is the sever's min value. EXPECT_EQ(Seconds(8), zk1.getSessionTimeout()); ZooKeeper zk2(server->connectString(), Seconds(22), &watcher); watcher.awaitSessionEvent(ZOO_CONNECTED_STATE); // The requested timeout is greater than server's max value so the // negotiated result is the sever's max value. EXPECT_EQ(Seconds(20), zk2.getSessionTimeout()); }