Example 1 with WorkerTokenServiceType
use of org.apache.storm.generated.WorkerTokenServiceType in project storm by apache.
the class StormClusterStateImpl method removeAllPrivateWorkerKeys.
@Override
public void removeAllPrivateWorkerKeys(String topologyId) {
for (WorkerTokenServiceType type : WorkerTokenServiceType.values()) {
String path = ClusterUtils.secretKeysPath(type, topologyId);
try {
LOG.info("Removing worker keys under {}", path);
stateStorage.delete_node(path);
} catch (RuntimeException e) {
// declare the race safe, even if we lose it.
if (!Utils.exceptionCauseIsInstanceOf(KeeperException.NoNodeException.class, e)) {
throw e;
}
}
}
}
Also used :
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
KeeperException(org.apache.storm.shade.org.apache.zookeeper.KeeperException)
Example 2 with WorkerTokenServiceType
use of org.apache.storm.generated.WorkerTokenServiceType in project storm by apache.
the class WorkerTokenTest method testBasicGenerateAndAuthorize.
@Test
public void testBasicGenerateAndAuthorize() {
final AtomicReference<PrivateWorkerKey> privateKey = new AtomicReference<>();
final String topoId = "topo-1";
final String userName = "user";
final WorkerTokenServiceType type = WorkerTokenServiceType.NIMBUS;
final long versionNumber = 0L;
// Simulate time starts out at 0, so we are going to just leave it here.
try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
IStormClusterState mockState = mock(IStormClusterState.class);
Map<String, Object> conf = new HashMap<>();
WorkerTokenManager wtm = new WorkerTokenManager(conf, mockState);
when(mockState.getNextPrivateWorkerKeyVersion(type, topoId)).thenReturn(versionNumber);
doAnswer((invocation) -> {
// Save the private worker key away so we can test it too.
privateKey.set(invocation.getArgument(3));
return null;
}).when(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
// Answer when we ask for a private key...
when(mockState.getPrivateWorkerKey(type, topoId, versionNumber)).thenAnswer((invocation) -> privateKey.get());
WorkerToken wt = wtm.createOrUpdateTokenFor(type, userName, topoId);
verify(mockState).addPrivateWorkerKey(eq(type), eq(topoId), eq(versionNumber), any(PrivateWorkerKey.class));
assertTrue(wt.is_set_serviceType());
assertEquals(type, wt.get_serviceType());
assertTrue(wt.is_set_info());
assertTrue(wt.is_set_signature());
PrivateWorkerKey pwk = privateKey.get();
assertNotNull(pwk);
assertTrue(pwk.is_set_expirationTimeMillis());
assertEquals(ONE_DAY_MILLIS, pwk.get_expirationTimeMillis());
WorkerTokenInfo info = ClientAuthUtils.getWorkerTokenInfo(wt);
assertTrue(info.is_set_topologyId());
assertTrue(info.is_set_userName());
assertTrue(info.is_set_expirationTimeMillis());
assertTrue(info.is_set_secretVersion());
assertEquals(topoId, info.get_topologyId());
assertEquals(userName, info.get_userName());
assertEquals(ONE_DAY_MILLIS, info.get_expirationTimeMillis());
assertEquals(versionNumber, info.get_secretVersion());
try (WorkerTokenAuthorizer wta = new WorkerTokenAuthorizer(type, mockState)) {
// Verify the signature...
byte[] signature = wta.getSignedPasswordFor(wt.get_info(), info);
assertArrayEquals(wt.get_signature(), signature);
}
}
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
HashMap(java.util.HashMap)
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Time(org.apache.storm.utils.Time)
WorkerTokenInfo(org.apache.storm.generated.WorkerTokenInfo)
IStormClusterState(org.apache.storm.cluster.IStormClusterState)
Test(org.junit.Test)
Example 3 with WorkerTokenServiceType
use of org.apache.storm.generated.WorkerTokenServiceType in project storm by apache.
the class WorkerTokenClientCallbackHandler method findWorkerTokenInSubject.
/**
* Look in the current subject for a WorkerToken. This should really only happen when we are in a worker, because the tokens will not
* be placed in anything else.
*
* @param type the type of connection we need a token for.
* @return the found token or null.
*/
public static WorkerToken findWorkerTokenInSubject(ThriftConnectionType type) {
WorkerTokenServiceType serviceType = type.getWtType();
WorkerToken ret = null;
if (serviceType != null) {
Subject subject = Subject.getSubject(AccessController.getContext());
if (subject != null) {
ret = ClientAuthUtils.findWorkerToken(subject, serviceType);
}
}
return ret;
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
Subject(javax.security.auth.Subject)
Example 4 with WorkerTokenServiceType
use of org.apache.storm.generated.WorkerTokenServiceType in project storm by apache.
the class ClientAuthUtils method insertWorkerTokens.
// Support for worker tokens Similar to an IAutoCredentials implementation
private static Subject insertWorkerTokens(Subject subject, Map<String, String> credentials) {
if (credentials == null) {
return subject;
}
for (WorkerTokenServiceType type : WorkerTokenServiceType.values()) {
WorkerToken token = readWorkerToken(credentials, type);
if (token != null) {
Set<Object> creds = subject.getPrivateCredentials();
synchronized (creds) {
WorkerToken previous = findWorkerToken(subject, type);
boolean notAlreadyContained = creds.add(token);
if (notAlreadyContained) {
if (previous != null) {
// this means token is not equal to previous so we should remove previous
creds.remove(previous);
LOG.info("Replaced WorkerToken for service type {}", type);
} else {
LOG.info("Added new WorkerToken for service type {}", type);
}
} else {
LOG.info("The new WorkerToken for service type {} is the same as the previous token", type);
}
}
}
}
return subject;
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
Example 5 with WorkerTokenServiceType
use of org.apache.storm.generated.WorkerTokenServiceType in project storm by apache.
the class StormClusterStateImpl method removeExpiredPrivateWorkerKeys.
@Override
public void removeExpiredPrivateWorkerKeys(String topologyId) {
for (WorkerTokenServiceType type : WorkerTokenServiceType.values()) {
String basePath = ClusterUtils.secretKeysPath(type, topologyId);
try {
for (String version : stateStorage.get_children(basePath, false)) {
String fullPath = basePath + ClusterUtils.ZK_SEPERATOR + version;
try {
PrivateWorkerKey key = ClusterUtils.maybeDeserialize(stateStorage.get_data(fullPath, false), PrivateWorkerKey.class);
if (Time.currentTimeMillis() > key.get_expirationTimeMillis()) {
LOG.info("Removing expired worker key {}", fullPath);
stateStorage.delete_node(fullPath);
}
} catch (RuntimeException e) {
// declare the race safe, even if we lose it.
if (!Utils.exceptionCauseIsInstanceOf(KeeperException.NoNodeException.class, e)) {
throw e;
}
}
}
} catch (RuntimeException e) {
// No node for basePath is OK, nothing to remove
if (!Utils.exceptionCauseIsInstanceOf(KeeperException.NoNodeException.class, e)) {
throw e;
}
}
}
}
Also used :
WorkerTokenServiceType(org.apache.storm.generated.WorkerTokenServiceType)
PrivateWorkerKey(org.apache.storm.generated.PrivateWorkerKey)
KeeperException(org.apache.storm.shade.org.apache.zookeeper.KeeperException)
Aggregations
WorkerTokenServiceType (org.apache.storm.generated.WorkerTokenServiceType)6
WorkerToken (org.apache.storm.generated.WorkerToken)4
PrivateWorkerKey (org.apache.storm.generated.PrivateWorkerKey)3
HashMap (java.util.HashMap)2
AtomicReference (java.util.concurrent.atomic.AtomicReference)2
IStormClusterState (org.apache.storm.cluster.IStormClusterState)2
WorkerTokenInfo (org.apache.storm.generated.WorkerTokenInfo)2
KeeperException (org.apache.storm.shade.org.apache.zookeeper.KeeperException)2
Time (org.apache.storm.utils.Time)2
Test (org.junit.Test)2
Subject (javax.security.auth.Subject)1
