From 1ddfcfc14fcc6cfe918bb2ea996bbbcfbecd6d8b Mon Sep 17 00:00:00 2001
From: Bitnami Bot
Date: Mon, 13 Jun 2022 23:27:29 +0000
Subject: [PATCH] 3.7.1-debian-11-r5 release

---
.../opt/bitnami/scripts/libcomponent.sh | 4 +-
.../opt/bitnami/scripts/libzookeeper.sh | 111 ++++++++++++++----
.../opt/bitnami/scripts/zookeeper-env.sh | 14 ++-
bitnami/zookeeper/README.md | 2 +-
4 files changed, 105 insertions(+), 26 deletions(-)

diff --git a/bitnami/zookeeper/3.7/debian-11/prebuildfs/opt/bitnami/scripts/libcomponent.sh b/bitnami/zookeeper/3.7/debian-11/prebuildfs/opt/bitnami/scripts/libcomponent.sh
index e3098a93b7c0..a7b60696daa6 100644
--- a/bitnami/zookeeper/3.7/debian-11/prebuildfs/opt/bitnami/scripts/libcomponent.sh
+++ b/bitnami/zookeeper/3.7/debian-11/prebuildfs/opt/bitnami/scripts/libcomponent.sh
@@ -58,8 +58,8 @@ component_unpack() {
 fi
 if [ -n "$package_sha256" ]; then
 echo "Verifying package integrity"
- echo "$package_sha256 ${base_name}.tar.gz" | sha256sum --check - || exit "$?"
+ echo "$package_sha256 ${base_name}.tar.gz" | sha256sum --check - || return "$?"
 fi
- tar --directory "${directory}" --extract --gunzip --file "${base_name}.tar.gz" --no-same-owner --strip-components=2
+ tar --directory "${directory}" --extract --gunzip --file "${base_name}.tar.gz" --no-same-owner --strip-components=2 || return "$?"
 rm "${base_name}.tar.gz"
 }
diff --git a/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/libzookeeper.sh b/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/libzookeeper.sh
index b27955875179..36623e3b8075 100644
--- a/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/libzookeeper.sh
+++ b/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/libzookeeper.sh
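Review bot: Changing `exit "$?"` to `return "$?"` on the sha256sum line makes a failed integrity check fatal only when the caller of component_unpack checks its status or runs under `set -e`; a bare `component_unpack ...` call would now carry on after a checksum mismatch where it previously aborted the image build, and the same applies to the new `|| return` on the tar line. The callers are not in this patch, so I would audit them and write each one as `component_unpack "$pkg" || exit 1`. Since the early return also skips the `rm "${base_name}.tar.gz"`, the rejected archive stays on disk; a `rm -f` before returning would keep a corrupt download from being reused. component_unpack's body starts before this hunk.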
@@ -33,13 +33,6 @@ zookeeper_validate() {
 error_code=1
 }
 
- # ZooKeeper authentication validations
- if is_boolean_yes "$ALLOW_ANONYMOUS_LOGIN"; then
- warn "You have set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment."
- elif ! is_boolean_yes "$ZOO_ENABLE_AUTH"; then
- print_validation_error "The ZOO_ENABLE_AUTH environment variable does not configure authentication. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow unauthenticated users to connect to ZooKeeper."
- fi
-
 # ZooKeeper port validations
 check_conflicting_ports() {
 local -r total="$#"
@@ -75,6 +68,30 @@ zookeeper_validate() {
 is_boolean_yes "$ZOO_ENABLE_ADMIN_SERVER" && check_allowed_port ZOO_ADMIN_SERVER_PORT_NUMBER
 is_boolean_yes "$ZOO_ENABLE_ADMIN_SERVER" && check_conflicting_ports ZOO_PORT_NUMBER ZOO_PROMETHEUS_METRICS_PORT_NUMBER ZOO_ADMIN_SERVER_PORT_NUMBER
 
+ # ZooKeeper client-server authentication validations
+ if is_boolean_yes "$ALLOW_ANONYMOUS_LOGIN"; then
+ warn "You have set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment."
+ elif ! is_boolean_yes "$ZOO_ENABLE_AUTH"; then
+ print_validation_error "The ZOO_ENABLE_AUTH environment variable does not configure authentication. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow unauthenticated users to connect to ZooKeeper."
+ fi
+
+ # ZooKeeper server-server authentication validations
+ if is_boolean_yes "$ZOO_ENABLE_QUORUM_AUTH"; then
+ if is_empty_value "$ZOO_QUORUM_LEARNER_USER" || is_empty_value "$ZOO_QUORUM_LEARNER_PASSWORD"; then
+ print_validation_error "The ZOO_QUORUM_LEARNER_USER and ZOO_QUORUM_LEARNER_USER environment variables are not set. They are required if using ZOO_ENABLE_QUORUM_AUTH=yes."
+ fi
+
+ if is_empty_value "$ZOO_QUORUM_SERVER_USERS" || is_empty_value "$ZOO_QUORUM_SERVER_PASSWORDS"; then
+ print_validation_error "The ZOO_QUORUM_SERVER_USERS and ZOO_QUORUM_SERVER_PASSWORDS environment variables are not set. They are required if using ZOO_ENABLE_QUORUM_AUTH=yes."
+ fi
+
+ read -r -a quorum_server_users_list <<<"${ZOO_QUORUM_SERVER_USERS//[;, ]/ }"
+ read -r -a quorum_server_passwords_list <<<"${ZOO_QUORUM_SERVER_PASSWORDS//[;, ]/ }"
+ if [[ ${#quorum_server_users_list[@]} -ne ${#quorum_server_passwords_list[@]} ]]; then
+ print_validation_error "ZOO_QUORUM_SERVER_USERS and ZOO_QUORUM_SERVER_PASSWORDS lists should have the same length"
+ fi
+ fi
+
 # ZooKeeper server users validations
 read -r -a server_users_list <<<"${ZOO_SERVER_USERS//[;, ]/ }"
 read -r -a server_passwords_list <<<"${ZOO_SERVER_PASSWORDS//[;, ]/ }"
@@ -123,7 +140,12 @@ zookeeper_initialize() {
 zookeeper_generate_conf
 zookeeper_configure_heap_size "$ZOO_HEAP_SIZE"
 if is_boolean_yes "$ZOO_ENABLE_AUTH"; then
- zookeeper_enable_authentication "$ZOO_CONF_FILE"
+ zookeeper_enable_client_server_authentication "$ZOO_CONF_FILE"
+ fi
+ if is_boolean_yes "$ZOO_ENABLE_QUORUM_AUTH"; then
+ zookeeper_enable_server_server_authentication "$ZOO_CONF_FILE"
+ fi
+ if is_boolean_yes "$ZOO_ENABLE_QUORUM_AUTH" || is_boolean_yes "$ZOO_ENABLE_AUTH"; then
 zookeeper_create_jaas_file
 fi
 if is_boolean_yes "$ZOO_ENABLE_PROMETHEUS_METRICS"; then
@@ -266,7 +288,7 @@ zookeeper_configure_heap_size() {
 }
 
 ########################
-# Enable authentication for ZooKeeper
+# Enable authentication for ZooKeeper client-server communications
 # Globals:
 # None
 # Arguments:
@@ -274,7 +296,7 @@ zookeeper_configure_heap_size() {
 # Returns:
 # None
 #########################
-zookeeper_enable_authentication() {
+zookeeper_enable_client_server_authentication() {
 local -r filename="${1:?filename is required}"
 
 info "Enabling authentication..."
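Review bot: The learner-credentials error message names `ZOO_QUORUM_LEARNER_USER` twice where the second should be the password variable, so an operator who set the user but forgot the password is pointed at the wrong knob; the line should read `print_validation_error "The ZOO_QUORUM_LEARNER_USER and ZOO_QUORUM_LEARNER_PASSWORD environment variables are not set. They are required if using ZOO_ENABLE_QUORUM_AUTH=yes."`. A second gap: the client-server block refuses to start unless auth is on or ALLOW_ANONYMOUS_LOGIN is set explicitly, but the new quorum block has no `else`, so leaving ZOO_ENABLE_QUORUM_AUTH at its default is accepted silently even though zookeeper_initialize then never writes any `quorum.auth.*` settings. An `else warn "ZOO_ENABLE_QUORUM_AUTH is not enabled; quorum peers will not be required to authenticate to each other."` would at least make that visible in the logs, mirroring the ALLOW_ANONYMOUS_LOGIN warning above it. zookeeper_validate's body starts before this hunk and continues past it.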
@@ -282,6 +304,26 @@ zookeeper_enable_authentication() {
 zookeeper_conf_set "$filename" requireClientAuthScheme sasl
 }
 
+########################
+# Enable authentication for ZooKeeper server-server communications
+# Globals:
+# None
+# Arguments:
+# $1 - filename
+# Returns:
+# None
+#########################
+zookeeper_enable_server_server_authentication() {
+ local -r filename="${1:?filename is required}"
+
+ info "Enabling authentication..."
+ zookeeper_conf_set "$filename" quorum.auth.enableSasl true
+ zookeeper_conf_set "$filename" quorum.auth.learnerRequireSasl true
+ zookeeper_conf_set "$filename" quorum.auth.serverRequireSasl true
+ zookeeper_conf_set "$filename" quorum.auth.learner.saslLoginContext QuorumLearner
+ zookeeper_conf_set "$filename" quorum.auth.server.saslLoginContext QuorumServer
+}
+
 ########################
 # Enable Prometheus metrics for ZooKeeper
 # Globals:
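Review bot: The log line `info "Enabling authentication..."` in the new function is byte-identical to the one in zookeeper_enable_client_server_authentication, so when both are enabled the container log cannot tell the two steps apart; use `info "Enabling quorum (server-server) authentication..."`. Setting `quorum.auth.learnerRequireSasl` and `quorum.auth.serverRequireSasl` to true in the same step is the correct hardened end state for a fresh ensemble, but as far as I recall the upstream quorum-auth guide has existing clusters roll through `enableSasl=true` with both require flags false first, so flipping all three at once on an already-running ensemble could break quorum formation mid-upgrade. A comment such as `# Requires SASL on both sides at once: intended for new ensembles, not a rolling upgrade of an unauthenticated quorum` would save an operator from that surprise; worth confirming against the ZooKeeper documentation before wording it.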
@@ -334,27 +376,52 @@ zookeeper_conf_set() { ######################### zookeeper_create_jaas_file() { info "Creating jaas file..." - read -r -a server_users_list <<<"${ZOO_SERVER_USERS//[;, ]/ }" - read -r -a server_passwords_list <<<"${ZOO_SERVER_PASSWORDS//[;, ]/ }" + local jaas_content + if is_boolean_yes "$ZOO_ENABLE_AUTH"; then + read -r -a server_users_list <<<"${ZOO_SERVER_USERS//[;, ]/ }" + read -r -a server_passwords_list <<<"${ZOO_SERVER_PASSWORDS//[;, ]/ }" - local zookeeper_server_user_passwords="" - for i in $(seq 0 $((${#server_users_list[@]} - 1))); do - zookeeper_server_user_passwords="${zookeeper_server_user_passwords}\n user_${server_users_list[i]}=\"${server_passwords_list[i]}\"" - done - zookeeper_server_user_passwords="${zookeeper_server_user_passwords#\\n };" + local zookeeper_server_user_passwords="" + for i in $(seq 0 $((${#server_users_list[@]} - 1))); do + zookeeper_server_user_passwords="${zookeeper_server_user_passwords}\n user_${server_users_list[i]}=\"${server_passwords_list[i]}\"" + done + zookeeper_server_user_passwords="${zookeeper_server_user_passwords#\\n };" - # TODO: Indent properly - cat >"${ZOO_CONF_DIR}/zoo_jaas.conf" < "${ZOO_CONF_DIR}/zoo_jaas.conf" zookeeper_export_jvmflags "-Djava.security.auth.login.config=${ZOO_CONF_DIR}/zoo_jaas.conf" # Restrict file permissions diff --git a/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/zookeeper-env.sh b/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/zookeeper-env.sh index 9ddce8b0970d..614ddfe3b410 100644 --- a/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/zookeeper-env.sh +++ b/bitnami/zookeeper/3.7/debian-11/rootfs/opt/bitnami/scripts/zookeeper-env.sh 
@@ -65,6 +65,11 @@ zookeeper_env_vars=(
 ZOO_SERVER_USERS
 ZOO_CLIENT_PASSWORD
 ZOO_SERVER_PASSWORDS
+ ZOO_ENABLE_QUORUM_AUTH
+ ZOO_QUORUM_LEARNER_USER
+ ZOO_QUORUM_LEARNER_PASSWORD
+ ZOO_QUORUM_SERVER_USERS
+ ZOO_QUORUM_SERVER_PASSWORDS
 )
 for env_var in "${zookeeper_env_vars[@]}"; do
 file_env_var="${env_var}_FILE"
@@ -139,7 +144,7 @@ export ZOO_TLS_QUORUM_CLIENT_AUTH="${ZOO_TLS_QUORUM_CLIENT_AUTH:-need}"
 export JVMFLAGS="${JVMFLAGS:-}"
 export ZOO_HEAP_SIZE="${ZOO_HEAP_SIZE:-1024}"
 
-# Authentication
+# Client-server authentication
 export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}"
 export ZOO_ENABLE_AUTH="${ZOO_ENABLE_AUTH:-no}"
 export ZOO_CLIENT_USER="${ZOO_CLIENT_USER:-}"
@@ -147,4 +152,11 @@ export ZOO_SERVER_USERS="${ZOO_SERVER_USERS:-}"
 export ZOO_CLIENT_PASSWORD="${ZOO_CLIENT_PASSWORD:-}"
 export ZOO_SERVER_PASSWORDS="${ZOO_SERVER_PASSWORDS:-}"
 
+# Server-server authentication
+export ZOO_ENABLE_QUORUM_AUTH="${ZOO_ENABLE_QUORUM_AUTH:-no}"
+export ZOO_QUORUM_LEARNER_USER="${ZOO_QUORUM_LEARNER_USER:-}"
+export ZOO_QUORUM_LEARNER_PASSWORD="${ZOO_QUORUM_LEARNER_PASSWORD:-}"
+export ZOO_QUORUM_SERVER_USERS="${ZOO_QUORUM_SERVER_USERS:-}"
+export ZOO_QUORUM_SERVER_PASSWORDS="${ZOO_QUORUM_SERVER_PASSWORDS:-}"
+
 # Custom environment variables may be defined below
diff --git a/bitnami/zookeeper/README.md b/bitnami/zookeeper/README.md
index b53ed2d9cf55..45587ae28a49 100644
--- a/bitnami/zookeeper/README.md
+++ b/bitnami/zookeeper/README.md
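Review bot: The new `# Server-server authentication` block introduces two credential lists with no note on the format the validator parses or on how to keep the secrets out of the process environment, even though the `file_env_var="${env_var}_FILE"` loop earlier in this hunk gives every one of these names a `_FILE` variant. I would extend the comment to `# Server-server authentication (lists are ',', ';' or ' ' separated and must be the same length; prefer ZOO_QUORUM_LEARNER_PASSWORD_FILE / ZOO_QUORUM_SERVER_PASSWORDS_FILE for the secrets)`. The separator and equal-length rules are what zookeeper_validate enforces in libzookeeper.sh, so documenting them here keeps the two files in step.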
@@ -51,7 +51,7 @@ Learn more about the Bitnami tagging policy and the difference between rolling t * [`3.8`, `3.8-debian-11`, `3.8.0`, `3.8.0-debian-11-r5`, `latest` (3.8/debian-11/Dockerfile)](https://github.com/bitnami/bitnami-docker-zookeeper/blob/3.8.0-debian-11-r5/3.8/debian-11/Dockerfile) -* [`3.7`, `3.7-debian-11`, `3.7.1`, `3.7.1-debian-11-r4` (3.7/debian-11/Dockerfile)](https://github.com/bitnami/bitnami-docker-zookeeper/blob/3.7.1-debian-11-r4/3.7/debian-11/Dockerfile) +* [`3.7`, `3.7-debian-11`, `3.7.1`, `3.7.1-debian-11-r5` (3.7/debian-11/Dockerfile)](https://github.com/bitnami/bitnami-docker-zookeeper/blob/3.7.1-debian-11-r5/3.7/debian-11/Dockerfile) * [`3.6`, `3.6-debian-11`, `3.6.3`, `3.6.3-debian-11-r5` (3.6/debian-11/Dockerfile)](https://github.com/bitnami/bitnami-docker-zookeeper/blob/3.6.3-debian-11-r5/3.6/debian-11/Dockerfile) * [`3.5`, `3.5-debian-11`, `3.5.10`, `3.5.10-debian-11-r5` (3.5/debian-11/Dockerfile)](https://github.com/bitnami/bitnami-docker-zookeeper/blob/3.5.10-debian-11-r5/3.5/debian-11/Dockerfile)