Example 1 with PrivateWorkerKey
use of org.apache.storm.generated.PrivateWorkerKey in project storm by apache.
the class WorkerTokenTest method testBasicGenerateAndAuthorize.
@Test
public void testBasicGenerateAndAuthorize() {
final AtomicReference<PrivateWorkerKey> privateKey = new AtomicReference<>();
final String topoId = "topo-1";
final String userName = "user";
final WorkerTokenServiceType type = WorkerTokenServiceType.NIMBUS;
final long versionNumber = 0L;
// Simulate time starts out at 0, so we are going to just leave it here.
try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
IStormClusterState mockState = mock(IStormClusterState.class);
Map<String, Object> conf = new HashMap<>();
WorkerTokenManager wtm = new WorkerTokenManager(conf, mockState);
when(mockState.getNextPrivateWorkerKeyVersion(type, topoId)).thenReturn(versionNumber);
doAnswer((invocation) -> {
// Save the private worker key away so we can test it too.
privateKey.set(invocation.getArgument(3));
return null;
}).when(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
// Answer when we ask for a private key...
when(mockState.getPrivateWorkerKey(type, topoId, versionNumber)).thenAnswer((invocation) -> privateKey.get());
WorkerToken wt = wtm.createOrUpdateTokenFor(type, userName, topoId);
verify(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
assertTrue(wt.is_set_serviceType());
assertEquals(type, wt.get_serviceType());
assertTrue(wt.is_set_info());
assertTrue(wt.is_set_signature());
PrivateWorkerKey pwk = privateKey.get();
assertNotNull(pwk);
assertTrue(pwk.is_set_expirationTimeMillis());
assertEquals(ONE_DAY_MILLIS, pwk.get_expirationTimeMillis());
WorkerTokenInfo info = ClientAuthUtils.getWorkerTokenInfo(wt);
assertTrue(info.is_set_topologyId());
assertTrue(info.is_set_userName());
assertTrue(info.is_set_expirationTimeMillis());
assertTrue(info.is_set_secretVersion());
assertEquals(topoId, info.get_topologyId());
assertEquals(userName, info.get_userName());
assertEquals(ONE_DAY_MILLIS, info.get_expirationTimeMillis());
assertEquals(versionNumber, info.get_secretVersion());
try (WorkerTokenAuthorizer wta = new WorkerTokenAuthorizer(type, mockState)) {
// Verify the signature...
byte[] signature = wta.getSignedPasswordFor(wt.get_info(), info);
assertArrayEquals(wt.get_signature(), signature);
}
}
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
HashMap(java.util.HashMap)
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Time(org.apache.storm.utils.Time)
WorkerTokenInfo(org.apache.storm.generated.WorkerTokenInfo)
IStormClusterState(org.apache.storm.cluster.IStormClusterState)
Test(org.junit.Test)
Example 2 with PrivateWorkerKey
use of org.apache.storm.generated.PrivateWorkerKey in project storm by apache.
the class WorkerTokenManager method createOrUpdateTokenFor.
/**
* Create or update an existing key.
*
* @param serviceType the type of service to create a token for
* @param user the user the token is for
* @param topologyId the topology the token is for
* @return a newly generated token that should be good to start using form now until it expires.
*/
public WorkerToken createOrUpdateTokenFor(WorkerTokenServiceType serviceType, String user, String topologyId) {
long nextVersion = state.getNextPrivateWorkerKeyVersion(serviceType, topologyId);
SecretKey topoSecret = getCurrentSecret();
long expirationTimeMillis = Time.currentTimeMillis() + tokenLifetimeMillis;
WorkerTokenInfo info = new WorkerTokenInfo(user, topologyId, nextVersion, expirationTimeMillis);
byte[] serializedInfo = ClientAuthUtils.serializeWorkerTokenInfo(info);
byte[] signature = WorkerTokenSigner.createPassword(serializedInfo, topoSecret);
WorkerToken ret = new WorkerToken(serviceType, ByteBuffer.wrap(serializedInfo), ByteBuffer.wrap(signature));
PrivateWorkerKey key = new PrivateWorkerKey(ByteBuffer.wrap(topoSecret.getEncoded()), user, expirationTimeMillis);
state.addPrivateWorkerKey(serviceType, topologyId, nextVersion, key);
LOG.info("Created new WorkerToken for user {} topology {} on service {}", user, topologyId, serviceType);
return ret;
}
Also used :
SecretKey(javax.crypto.SecretKey)
WorkerToken(org.apache.storm.generated.WorkerToken)
WorkerTokenInfo(org.apache.storm.generated.WorkerTokenInfo)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
Example 3 with PrivateWorkerKey
use of org.apache.storm.generated.PrivateWorkerKey in project storm by apache.
the class StormClusterStateImpl method removeExpiredPrivateWorkerKeys.
@Override
public void removeExpiredPrivateWorkerKeys(String topologyId) {
for (WorkerTokenServiceType type : WorkerTokenServiceType.values()) {
String basePath = ClusterUtils.secretKeysPath(type, topologyId);
try {
for (String version : stateStorage.get_children(basePath, false)) {
String fullPath = basePath + ClusterUtils.ZK_SEPERATOR + version;
try {
PrivateWorkerKey key = ClusterUtils.maybeDeserialize(stateStorage.get_data(fullPath, false), PrivateWorkerKey.class);
if (Time.currentTimeMillis() > key.get_expirationTimeMillis()) {
LOG.info("Removing expired worker key {}", fullPath);
stateStorage.delete_node(fullPath);
}
} catch (RuntimeException e) {
// declare the race safe, even if we lose it.
if (!Utils.exceptionCauseIsInstanceOf(KeeperException.NoNodeException.class, e)) {
throw e;
}
}
}
} catch (RuntimeException e) {
// No node for basePath is OK, nothing to remove
if (!Utils.exceptionCauseIsInstanceOf(KeeperException.NoNodeException.class, e)) {
throw e;
}
}
}
}
Also used :
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
KeeperException(org.apache.storm.shade.org.apache.zookeeper.KeeperException)
Example 4 with PrivateWorkerKey
use of org.apache.storm.generated.PrivateWorkerKey in project storm by apache.
the class WorkerTokenTest method testExpiration.
@Test
public void testExpiration() {
final AtomicReference<PrivateWorkerKey> privateKey = new AtomicReference<>();
final String topoId = "topo-1";
final String userName = "user";
final WorkerTokenServiceType type = WorkerTokenServiceType.NIMBUS;
final long versionNumber = 5L;
// Simulate time starts out at 0, so we are going to just leave it here.
try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
IStormClusterState mockState = mock(IStormClusterState.class);
Map<String, Object> conf = new HashMap<>();
WorkerTokenManager wtm = new WorkerTokenManager(conf, mockState);
when(mockState.getNextPrivateWorkerKeyVersion(type, topoId)).thenReturn(versionNumber);
doAnswer((invocation) -> {
// Save the private worker key away so we can test it too.
privateKey.set(invocation.getArgument(3));
return null;
}).when(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
// Answer when we ask for a private key...
when(mockState.getPrivateWorkerKey(type, topoId, versionNumber)).thenAnswer((invocation) -> privateKey.get());
WorkerToken wt = wtm.createOrUpdateTokenFor(type, userName, topoId);
verify(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
assertTrue(wt.is_set_serviceType());
assertEquals(type, wt.get_serviceType());
assertTrue(wt.is_set_info());
assertTrue(wt.is_set_signature());
PrivateWorkerKey pwk = privateKey.get();
assertNotNull(pwk);
assertTrue(pwk.is_set_expirationTimeMillis());
assertEquals(ONE_DAY_MILLIS, pwk.get_expirationTimeMillis());
WorkerTokenInfo info = ClientAuthUtils.getWorkerTokenInfo(wt);
assertTrue(info.is_set_topologyId());
assertTrue(info.is_set_userName());
assertTrue(info.is_set_expirationTimeMillis());
assertTrue(info.is_set_secretVersion());
assertEquals(topoId, info.get_topologyId());
assertEquals(userName, info.get_userName());
assertEquals(ONE_DAY_MILLIS, info.get_expirationTimeMillis());
assertEquals(versionNumber, info.get_secretVersion());
// Expire the token
Time.advanceTime(ONE_DAY_MILLIS + 1);
try (WorkerTokenAuthorizer wta = new WorkerTokenAuthorizer(type, mockState)) {
try {
// Verify the signature...
wta.getSignedPasswordFor(wt.get_info(), info);
fail("Expected an expired token to not be signed!!!");
} catch (IllegalArgumentException ia) {
// What we want...
}
}
// Verify if WorkerTokenManager recognizes the expired WorkerToken.
Map<String, String> creds = new HashMap<>();
ClientAuthUtils.setWorkerToken(creds, wt);
assertTrue("Expired WorkerToken should be eligible for renewal", wtm.shouldRenewWorkerToken(creds, type));
}
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
HashMap(java.util.HashMap)
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Time(org.apache.storm.utils.Time)
WorkerTokenInfo(org.apache.storm.generated.WorkerTokenInfo)
IStormClusterState(org.apache.storm.cluster.IStormClusterState)
Test(org.junit.Test)
Aggregations
PrivateWorkerKey (org.apache.storm.generated.PrivateWorkerKey)4
WorkerToken (org.apache.storm.generated.WorkerToken)3
WorkerTokenInfo (org.apache.storm.generated.WorkerTokenInfo)3
WorkerTokenServiceType (org.apache.storm.generated.WorkerTokenServiceType)3
HashMap (java.util.HashMap)2
AtomicReference (java.util.concurrent.atomic.AtomicReference)2
IStormClusterState (org.apache.storm.cluster.IStormClusterState)2
Time (org.apache.storm.utils.Time)2
Test (org.junit.Test)2
SecretKey (javax.crypto.SecretKey)1
KeeperException (org.apache.storm.shade.org.apache.zookeeper.KeeperException)1
