refactor: optimize zookeeper client init for sasl (apache#1914)

Reference: zookeeper 3.7 client https://github.com/apache/zookeeper/blob/branch-3.7/zookeeper-client/zookeeper-client-c/src/cli.c Notes: If you want to use kerberos zookeeper before, you just need to set [security] enable_zookeeper_kerberos to "true" and do some kerberos configurations. After this commit, you also need to set [zookeeper] sasl_mechanisms_type to "GSSAPI". Otherwise, you'll get an error log prompting you to make changes. Some configurations are added: ```diff [zookeeper] sasl_service_name = zookeeper sasl_service_fqdn = sasl_mechanisms_type = sasl_user_name = sasl_realm = sasl_password_file = ```
GehaFearless · Feb 28, 2024 · 4aa80ab · 4aa80ab
1 parent e875142
commit 4aa80ab
Showing 1 changed file with 77 additions and 22 deletions.
diff --git a/src/rdsn/src/zookeeper/zookeeper_session.cpp b/src/rdsn/src/zookeeper/zookeeper_session.cpp
@@ -50,6 +50,32 @@ DSN_DEFINE_string("security",
 } // namespace security
 } // namespace dsn
 
+DSN_DEFINE_string(zookeeper, sasl_service_name, "zookeeper", "");
+DSN_DEFINE_string(zookeeper,
+                  sasl_service_fqdn,
+                  "",
+                  "SASL server name ('zk-sasl-md5' for DIGEST-MD5; default: reverse DNS lookup)");
+DSN_DEFINE_string(zookeeper,
+                  sasl_mechanisms_type,
+                  "",
+                  "SASL mechanisms (GSSAPI and/or DIGEST-MD5)");
+DSN_DEFINE_string(zookeeper, sasl_user_name, "", "");
+DSN_DEFINE_string(zookeeper, sasl_realm, "", "Realm (for SASL/GSSAPI)");
+DSN_DEFINE_string(zookeeper,
+                  sasl_password_file,
+                  "",
+                  "File containing the password (recommended for SASL/DIGEST-MD5)");
+DSN_DEFINE_group_validator(enable_zookeeper_kerberos, [](std::string &message) -> bool {
+    if (FLAGS_enable_zookeeper_kerberos &&
+        !dsn::utils::equals(FLAGS_sasl_mechanisms_type, "GSSAPI")) {
+        message = "Please set [zookeeper] sasl_mechanisms_type to GSSAPI if [security] "
+                  "enable_zookeeper_kerberos is true.";
+        return false;
+    }
+
+    return true;
+});
+
 namespace dsn {
 namespace dist {
 
@@ -153,29 +179,58 @@ zookeeper_session::zookeeper_session(const service_app_info &node) : _handle(nul
 int zookeeper_session::attach(void *callback_owner, const state_callback &cb)
 {
     utils::auto_write_lock l(_watcher_lock);
-    if (nullptr == _handle) {
-        if (dsn::security::FLAGS_enable_zookeeper_kerberos) {
-            zoo_sasl_params_t sasl_params = {0};
-            sasl_params.service = dsn::security::FLAGS_zookeeper_kerberos_service_name;
-            sasl_params.mechlist = "GSSAPI";
-            _handle = zookeeper_init_sasl(zookeeper_session_mgr::instance().zoo_hosts(),
-                                          global_watcher,
-                                          zookeeper_session_mgr::instance().timeout(),
-                                          nullptr,
-                                          this,
-                                          0,
-                                          NULL,
-                                          &sasl_params);
-        } else {
-            _handle = zookeeper_init(zookeeper_session_mgr::instance().zoo_hosts(),
-                                     global_watcher,
-                                     zookeeper_session_mgr::instance().timeout(),
-                                     nullptr,
-                                     this,
-                                     0);
+
+    do {
+        if (nullptr != _handle) {
+            break;
         }
-        dassert(_handle != nullptr, "zookeeper session init failed");
-    }
+        if (utils::is_empty(FLAGS_sasl_mechanisms_type)) {
+            _handle = zookeeper_init(
+                zookeeper_session_mgr::instance().zoo_hosts(), global_watcher, zookeeper_session_mgr::instance().timeout(), nullptr, this, 0);
+            break;
+        }
+        int err = sasl_client_init(nullptr);
+        CHECK_EQ_MSG(err,
+                     SASL_OK,
+                     "Unable to initialize SASL library {}",
+                     sasl_errstring(err, nullptr, nullptr));
+
+        if (!utils::is_empty(FLAGS_sasl_password_file)) {
+            CHECK(utils::filesystem::file_exists(FLAGS_sasl_password_file),
+                  "sasl_password_file {} not exist!",
+                  FLAGS_sasl_password_file);
+        }
+
+        auto param_host = "";
+        if (!utils::is_empty(FLAGS_sasl_service_fqdn)) {
+            CHECK(dsn::rpc_address::from_host_port(FLAGS_sasl_service_fqdn),
+                  "sasl_service_fqdn '{}' is invalid",
+                  FLAGS_sasl_service_fqdn);
+            param_host = FLAGS_sasl_service_fqdn;
+        }
+        // DIGEST-MD5 requires '--server-fqdn zk-sasl-md5' for historical reasons on zk c client
+        if (dsn::utils::equals(FLAGS_sasl_mechanisms_type, "DIGEST-MD5")) {
+            param_host = "zk-sasl-md5";
+        }
+
+        zoo_sasl_params_t sasl_params = {0};
+        sasl_params.service = FLAGS_sasl_service_name;
+        sasl_params.mechlist = FLAGS_sasl_mechanisms_type;
+        sasl_params.host = param_host;
+        sasl_params.callbacks = zoo_sasl_make_basic_callbacks(
+            FLAGS_sasl_user_name, FLAGS_sasl_realm, FLAGS_sasl_password_file);
+
+        _handle = zookeeper_init_sasl(zookeeper_session_mgr::instance().zoo_hosts(),
+                                      global_watcher,
+                                      zookeeper_session_mgr::instance().timeout(),
+                                      nullptr,
+                                      this,
+                                      0,
+                                      nullptr,
+                                      &sasl_params);
+    } while (false);
+
+    dassert(_handle != nullptr, "zookeeper session init failed");
 
     _watchers.push_back(watcher_object());
     _watchers.back().watcher_path = "";