
Example 6 with WorkerToken

Use of org.apache.storm.generated.WorkerToken in project storm by apache: class DigestSaslTransportPlugin, method connect.

@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException {
    CallbackHandler clientCallbackHandler;
    // Prefer a WorkerToken already present in the caller's Subject for this service type
    // ('type' and 'conf' are fields of the plugin instance).
    WorkerToken token = WorkerTokenClientCallbackHandler.findWorkerTokenInSubject(type);
    if (token != null) {
        clientCallbackHandler = new WorkerTokenClientCallbackHandler(token);
    } else {
        // No token available: fall back to the username/password from the JAAS client login context.
        Configuration loginConf = ClientAuthUtils.getConfiguration(conf);
        if (loginConf == null) {
            throw new IOException("Could not find any way to authenticate with the server.");
        }
        AppConfigurationEntry[] configurationEntries = loginConf.getAppConfigurationEntry(ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
        if (configurationEntries == null) {
            String errorMessage = "Could not find a '" + ClientAuthUtils.LOGIN_CONTEXT_CLIENT + "' entry in this configuration: Client cannot start.";
            throw new IOException(errorMessage);
        }
        String username = "";
        String password = "";
        // The last login-context entry that defines 'username' / 'password' wins.
        for (AppConfigurationEntry entry : configurationEntries) {
            Map options = entry.getOptions();
            username = (String) options.getOrDefault("username", username);
            password = (String) options.getOrDefault("password", password);
        }
        clientCallbackHandler = new SimpleSaslClientCallbackHandler(username, password);
    }
    // Wrap the raw transport in a SASL DIGEST-MD5 client transport and run the handshake on open().
    TSaslClientTransport wrapperTransport = new TSaslClientTransport(DIGEST, null, ClientAuthUtils.SERVICE, serverHost, null, clientCallbackHandler, transport);
    wrapperTransport.open();
    LOG.debug("SASL DIGEST-MD5 client transport has been established");
    return wrapperTransport;
}
Also used: SimpleSaslClientCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler), SimpleSaslServerCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler), CallbackHandler (javax.security.auth.callback.CallbackHandler), WorkerTokenClientCallbackHandler (org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler), WorkerToken (org.apache.storm.generated.WorkerToken), AppConfigurationEntry (javax.security.auth.login.AppConfigurationEntry), Configuration (javax.security.auth.login.Configuration), TSaslClientTransport (org.apache.storm.thrift.transport.TSaslClientTransport), IOException (java.io.IOException), Map (java.util.Map)

Example 7 with WorkerToken

Use of org.apache.storm.generated.WorkerToken in project storm by apache: class WorkerTokenManager, method createOrUpdateTokenFor.

/**
 * Create or update an existing key.
 *
 * @param serviceType the type of service to create a token for
 * @param user        the user the token is for
 * @param topologyId  the topology the token is for
 * @return a newly generated token that should be good to start using from now until it expires.
 */
public WorkerToken createOrUpdateTokenFor(WorkerTokenServiceType serviceType, String user, String topologyId) {
    // Each new token gets a fresh key version so that old secrets can be retired independently.
    long nextVersion = state.getNextPrivateWorkerKeyVersion(serviceType, topologyId);
    SecretKey topoSecret = getCurrentSecret();
    long expirationTimeMillis = Time.currentTimeMillis() + tokenLifetimeMillis;
    // The token body carries user, topology, key version and expiry; the signature binds all of them.
    WorkerTokenInfo info = new WorkerTokenInfo(user, topologyId, nextVersion, expirationTimeMillis);
    byte[] serializedInfo = ClientAuthUtils.serializeWorkerTokenInfo(info);
    byte[] signature = WorkerTokenSigner.createPassword(serializedInfo, topoSecret);
    WorkerToken ret = new WorkerToken(serviceType, ByteBuffer.wrap(serializedInfo), ByteBuffer.wrap(signature));
    // Persist the secret under this version so the server side can verify the signature until the token expires.
    PrivateWorkerKey key = new PrivateWorkerKey(ByteBuffer.wrap(topoSecret.getEncoded()), user, expirationTimeMillis);
    state.addPrivateWorkerKey(serviceType, topologyId, nextVersion, key);
    LOG.info("Created new WorkerToken for user {} topology {} on service {}", user, topologyId, serviceType);
    return ret;
}
Also used: SecretKey (javax.crypto.SecretKey), WorkerToken (org.apache.storm.generated.WorkerToken), WorkerTokenInfo (org.apache.storm.generated.WorkerTokenInfo), PrivateWorkerKey (org.apache.storm.generated.PrivateWorkerKey)

Example 8 with WorkerToken

Use of org.apache.storm.generated.WorkerToken in project storm by apache: class WorkerTokenManager, method shouldRenewWorkerToken.

@VisibleForTesting
public boolean shouldRenewWorkerToken(Map<String, String> creds, WorkerTokenServiceType type) {
    boolean shouldAdd = true;
    WorkerToken oldToken = ClientAuthUtils.readWorkerToken(creds, type);
    if (oldToken != null) {
        try {
            WorkerTokenInfo info = ClientAuthUtils.getWorkerTokenInfo(oldToken);
            // Renew once less than half of the token lifetime remains; a token without an expiry is left alone.
            if (!info.is_set_expirationTimeMillis() || info.get_expirationTimeMillis() - Time.currentTimeMillis() > (tokenLifetimeMillis / 2)) {
                // Found an existing token and it is not going to expire any time soon, so don't bother adding in a new
                // token.
                shouldAdd = false;
            }
        } catch (Exception e) {
            // The old token could not be deserialized.  This is bad, but we are going to replace it anyway so just keep going.
            LOG.error("Could not deserialize token info", e);
        }
    }
    return shouldAdd;
}
Also used: WorkerToken (org.apache.storm.generated.WorkerToken), WorkerTokenInfo (org.apache.storm.generated.WorkerTokenInfo), NoSuchAlgorithmException (java.security.NoSuchAlgorithmException), VisibleForTesting (com.google.common.annotations.VisibleForTesting)

Example 9 with WorkerToken

Use of org.apache.storm.generated.WorkerToken in project storm by apache: class WorkerTokenTest, method testExpiration.

@Test
public void testExpiration() {
    final AtomicReference<PrivateWorkerKey> privateKey = new AtomicReference<>();
    final String topoId = "topo-1";
    final String userName = "user";
    final WorkerTokenServiceType type = WorkerTokenServiceType.NIMBUS;
    final long versionNumber = 5L;
    // Simulate time starts out at 0, so we are going to just leave it here.
    try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
        IStormClusterState mockState = mock(IStormClusterState.class);
        Map<String, Object> conf = new HashMap<>();
        WorkerTokenManager wtm = new WorkerTokenManager(conf, mockState);
        when(mockState.getNextPrivateWorkerKeyVersion(type, topoId)).thenReturn(versionNumber);
        doAnswer((invocation) -> {
            // Save the private worker key away so we can test it too.
            privateKey.set(invocation.getArgument(3));
            return null;
        }).when(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
        // Answer when we ask for a private key...
        when(mockState.getPrivateWorkerKey(type, topoId, versionNumber)).thenAnswer((invocation) -> privateKey.get());
        WorkerToken wt = wtm.createOrUpdateTokenFor(type, userName, topoId);
        verify(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
        assertTrue(wt.is_set_serviceType());
        assertEquals(type, wt.get_serviceType());
        assertTrue(wt.is_set_info());
        assertTrue(wt.is_set_signature());
        PrivateWorkerKey pwk = privateKey.get();
        assertNotNull(pwk);
        assertTrue(pwk.is_set_expirationTimeMillis());
        assertEquals(ONE_DAY_MILLIS, pwk.get_expirationTimeMillis());
        WorkerTokenInfo info = ClientAuthUtils.getWorkerTokenInfo(wt);
        assertTrue(info.is_set_topologyId());
        assertTrue(info.is_set_userName());
        assertTrue(info.is_set_expirationTimeMillis());
        assertTrue(info.is_set_secretVersion());
        assertEquals(topoId, info.get_topologyId());
        assertEquals(userName, info.get_userName());
        assertEquals(ONE_DAY_MILLIS, info.get_expirationTimeMillis());
        assertEquals(versionNumber, info.get_secretVersion());
        // Expire the token
        Time.advanceTime(ONE_DAY_MILLIS + 1);
        try (WorkerTokenAuthorizer wta = new WorkerTokenAuthorizer(type, mockState)) {
            try {
                // Verify the signature...
                wta.getSignedPasswordFor(wt.get_info(), info);
                fail("Expected an expired token to not be signed!!!");
            } catch (IllegalArgumentException ia) {
                // What we want...
            }
        }
        // Verify if WorkerTokenManager recognizes the expired WorkerToken.
        Map<String, String> creds = new HashMap<>();
        ClientAuthUtils.setWorkerToken(creds, wt);
        assertTrue("Expired WorkerToken should be eligible for renewal", wtm.shouldRenewWorkerToken(creds, type));
    }
}
Also used: WorkerToken (org.apache.storm.generated.WorkerToken), HashMap (java.util.HashMap), WorkerTokenServiceType (org.apache.storm.generated.WorkerTokenServiceType), PrivateWorkerKey (org.apache.storm.generated.PrivateWorkerKey), AtomicReference (java.util.concurrent.atomic.AtomicReference), Time (org.apache.storm.utils.Time), WorkerTokenInfo (org.apache.storm.generated.WorkerTokenInfo), IStormClusterState (org.apache.storm.cluster.IStormClusterState), Test (org.junit.Test)

Example 10 with WorkerToken

Use of org.apache.storm.generated.WorkerToken in project storm by apache: class AuthTest, method testConnectWithTokenFor.

public static Subject testConnectWithTokenFor(WorkerTokenManager wtMan, Map<String, Object> conf, ThriftServer server, String user, String topoId) throws PrivilegedActionException {
    WorkerToken wt = wtMan.createOrUpdateTokenFor(WorkerTokenServiceType.NIMBUS, user, topoId);
    Subject subject = createSubjectWith(wt);
    tryConnectAs(conf, server, subject, topoId);
    return subject;
}
Also used: WorkerToken (org.apache.storm.generated.WorkerToken), Subject (javax.security.auth.Subject)
