
Example 16 with NimbusClient

use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class AuthTest, method workerTokenDigestAuthTest.

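/**
 * Verifies worker-token (digest SASL) authentication end to end: a client with no JAAS client
 * section cannot connect, a freshly issued worker token lets its user connect, a token that has
 * aged past its lifetime is rejected, and a re-issued token works again.
 *
 * <p>The mocked Nimbus records the {@link ReqContext} of every {@code activate} call so the
 * authenticated principal can be checked after each connection.
 *
 * <p>The negative checks use {@code fail(...)} rather than the Java {@code assert} keyword: the
 * keyword is a no-op unless the JVM runs with {@code -ea}, which would silently skip exactly the
 * "bad auth must be rejected" checks this test exists for.
 *
 * @throws Exception if the in-process ZooKeeper or the Thrift server cannot be started
 */
@Test
public void workerTokenDigestAuthTest() throws Exception {
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - START\n\n");
    Nimbus.Iface impl = mock(Nimbus.Iface.class);
    final AtomicReference<ReqContext> user = new AtomicReference<>();
    // Capture the request context of each activate() call so the caller's identity can be verified.
    doAnswer((invocation) -> {
        user.set(new ReqContext(ReqContext.context()));
        return null;
    }).when(impl).activate(anyString());
    Map<String, Object> extraConfs = new HashMap<>();
    // Let worker tokens work on insecure ZK...
    extraConfs.put("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS", true);
    try (InProcessZookeeper zk = new InProcessZookeeper()) {
        withServer(MISSING_CLIENT, DigestSaslTransportPlugin.class, impl, zk, extraConfs, (ThriftServer server, Map<String, Object> conf) -> {
            try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
                // No retries: a rejected connection must fail immediately instead of looping.
                conf.put(Config.STORM_NIMBUS_RETRY_TIMES, 0);
                // We cannot connect if there is no client section in the jaas conf...
                try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
                    client.getClient().activate("bad_auth_test_topology");
                    fail("We should not be able to connect without a token...");
                } catch (Exception e) {
                    // fail() throws AssertionError, which is not an Exception, so it is not caught here.
                    if (!Utils.exceptionCauseIsInstanceOf(IOException.class, e)) {
                        fail("Expected an IOException cause when connecting without a token, got: " + e);
                    }
                }
                // Now lets create a token and verify that we can connect...
                IStormClusterState state = ClusterUtils.mkStormClusterState(conf, new ClusterStateContext(DaemonType.NIMBUS, conf));
                WorkerTokenManager wtMan = new WorkerTokenManager(conf, state);
                Subject bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                verifyUserIs(user, "bob");
                Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(12));
                // Alice has no digest jaas section at all...
                Subject alice = testConnectWithTokenFor(wtMan, conf, server, "alice", "topo-alice");
                verifyUserIs(user, "alice");
                // 25 simulated hours after bob's token was issued it is expected to be expired; the
                // exact token lifetime comes from WorkerTokenManager/conf and is not visible here.
                Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(13));
                try {
                    tryConnectAs(conf, server, bob, "bad_auth_test_topology");
                    fail("We should not be able to connect with bad auth");
                } catch (Exception e) {
                    if (!Utils.exceptionCauseIsInstanceOf(TTransportException.class, e)) {
                        fail("Expected a TTransportException cause when connecting with an expired token, got: " + e);
                    }
                }
                // Alice's token is only 13 hours old and must still be accepted.
                tryConnectAs(conf, server, alice, "topo-alice");
                verifyUserIs(user, "alice");
                // Now see if we can create a new token for bob and try again.
                bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                verifyUserIs(user, "bob");
                tryConnectAs(conf, server, alice, "topo-alice");
                verifyUserIs(user, "alice");
            }
        });
    }
    // Two successful connections for bob (initial + re-issued token), three for alice; the
    // rejected attempts must never have reached the mocked Nimbus.
    verify(impl, times(2)).activate("topo-bob");
    verify(impl, times(3)).activate("topo-alice");
    verify(impl, never()).activate("bad_auth_test_topology");
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - END\n\n");
}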

Example 17 with NimbusClient

use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class AuthTest, method digestAuthTest.

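/**
 * Verifies digest SASL authentication: a client configured from {@code DIGEST_JAAS_CONF} can call
 * {@code activate}, a client using the plain {@code SimpleTransportPlugin} is rejected at the
 * transport level, the authenticated principal is "bob" without impersonation, and several broken
 * JAAS configurations fail with the expected exception type.
 *
 * <p>The "never activated" verification at the end uses the same topology name as the rejected
 * call ({@code bad_security_auth_test_topology}); verifying a name that is never sent would pass
 * trivially and prove nothing. The negative check uses {@code fail(...)} rather than the Java
 * {@code assert} keyword, which is skipped unless the JVM runs with {@code -ea}.
 *
 * @throws Exception if the Thrift server cannot be started
 */
@Test
public void digestAuthTest() throws Exception {
    Nimbus.Iface impl = mock(Nimbus.Iface.class);
    final AtomicReference<ReqContext> user = new AtomicReference<>();
    // Capture the request context of each activate() call so the caller's identity can be verified.
    doAnswer((invocation) -> {
        user.set(new ReqContext(ReqContext.context()));
        return null;
    }).when(impl).activate(anyString());
    withServer(DIGEST_JAAS_CONF, DigestSaslTransportPlugin.class, impl, (ThriftServer server, Map<String, Object> conf) -> {
        try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
            client.getClient().activate("security_auth_test_topology");
        }
        // No retries: a rejected connection must fail immediately instead of looping.
        conf.put(Config.STORM_NIMBUS_RETRY_TIMES, 0);
        // Verify simple is rejected...
        Map<String, Object> badTransport = new HashMap<>(conf);
        badTransport.put(Config.STORM_THRIFT_TRANSPORT_PLUGIN, SimpleTransportPlugin.class.getName());
        try (NimbusClient client = new NimbusClient(badTransport, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
            client.getClient().activate("bad_security_auth_test_topology");
            fail("An exception should have been thrown trying to connect.");
        } catch (Exception te) {
            LOG.info("Got Exception...", te);
            // fail() throws AssertionError, which is not an Exception, so it is not caught here.
            if (!Utils.exceptionCauseIsInstanceOf(TTransportException.class, te)) {
                fail("Expected a TTransportException cause for the plain transport, got: " + te);
            }
        }
        // The user here from the jaas conf is bob.  No impersonation is done, so verify that
        ReqContext found = user.get();
        assertNotNull(found);
        assertEquals("bob", found.principal().getName());
        assertFalse(found.isImpersonating());
        user.set(null);
        verifyIncorrectJaasConf(server, conf, BAD_PASSWORD_CONF, TTransportException.class);
        verifyIncorrectJaasConf(server, conf, WRONG_USER_CONF, TTransportException.class);
        verifyIncorrectJaasConf(server, conf, "./nonexistent.conf", RuntimeException.class);
        verifyIncorrectJaasConf(server, conf, MISSING_CLIENT, IOException.class);
    });
    verify(impl).activate("security_auth_test_topology");
    // Must match the name used in the rejected call above, otherwise this check is vacuous.
    verify(impl, never()).activate("bad_security_auth_test_topology");
}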

Example 18 with NimbusClient

use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class StormApiResource, method getTopologyMetrics.

/**
 * /api/v1/topology/:id/metrics -> metrics.
 *
 * <p>Authorization is delegated to the {@code @AuthNimbusOp("getTopology")} annotation on this
 * method (its handler is not shown here). The {@code callback} query parameter is passed to
 * {@link UIHelpers#makeStandardResponse} for JSONP wrapping; NOTE(review): validation of the
 * callback name is assumed to happen in that helper — confirm, since it ends up in the response body.
 *
 * @param id       the topology id taken from the path
 * @param window   the metrics time window; defaults to {@code :all-time}
 * @param sys      whether system components are included
 * @param callback optional JSONP callback name
 * @return a standard JSON (or JSONP) response holding the topology summary for this window
 * @throws TException if the Nimbus call fails
 */
@GET
@Path("/topology/{id}/metrics")
@AuthNimbusOp(value = "getTopology", needsTopoId = true)
@Produces("application/json")
public Response getTopologyMetrics(@PathParam("id") String id, @DefaultValue(":all-time") @QueryParam("window") String window, @QueryParam("sys") boolean sys, @QueryParam(callbackParameterName) String callback) throws TException {
    topologyMetricRequestMeter.mark();
    // The remote user is only forwarded to the summary builder; no authorization decision is made here.
    final String remoteUser = servletRequest.getRemoteUser();
    try (NimbusClient client = NimbusClient.getConfiguredClient(config)) {
        return UIHelpers.makeStandardResponse(
            UIHelpers.getTopologySummary(client.getClient().getTopologyPageInfo(id, window, sys), window, config, remoteUser),
            callback);
    }
}

Example 19 with NimbusClient

use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class StormSubmitter, method submitTopologyAs.

/**
 * Submits a topology to run on the cluster as a particular user. A topology runs forever or until explicitly killed.
 *
 * <p>Order of operations: validate the name and config, merge the command-line options and the
 * cluster config over {@code topoConf}, prepare ZooKeeper authentication, populate credentials,
 * upload dependency jars and artifacts to the blob store, submit through a Nimbus client opened
 * as {@code asUser}, then run the registered submitter hooks.
 *
 * @param name the topology name; validated by {@link Utils#validateTopologyName(String)} before anything else happens.
 * @param topoConf the topology-specific configuration; it is copied, so the caller's map is not modified.
 * @param topology the topology to submit; must have at least one spout.
 * @param opts submit options, may be {@code null}; a default {@code ACTIVE} options object is created if credentials have to be attached.
 * @param progressListener forwarded to {@code submitTopologyInDistributeMode}; whether {@code null} is accepted is decided there, not here.
 * @param asUser The user as which this topology should be submitted.
 * @throws IllegalArgumentException thrown if configs will yield an unschedulable topology. validateConfs validates confs
 * @throws SubmitterHookException if any Exception occurs during initialization or invocation of registered {@link ISubmitterHook}
 * @throws InvalidTopologyException if the topology has no spouts, or as propagated from the submission.
 * @throws AlreadyAliveException as propagated from the submission.
 * @throws AuthorizationException as propagated from the submission.
 * @throws RuntimeException if the name is not allowed or already exists on the cluster, or wrapping any {@link TException} from Nimbus.
 */
public static void submitTopologyAs(String name, Map<String, Object> topoConf, StormTopology topology, SubmitOptions opts, ProgressListener progressListener, String asUser) throws AlreadyAliveException, InvalidTopologyException, AuthorizationException, IllegalArgumentException {
    // validate topology name first; nothing else should be done if it's invalid.
    Utils.validateTopologyName(name);
    if (!Utils.isValidConf(topoConf)) {
        throw new IllegalArgumentException("Storm conf is not valid. Must be json-serializable");
    }
    if (topology.get_spouts_size() == 0) {
        throw new WrappedInvalidTopologyException("Topology " + name + " does not have any spout");
    }
    // Work on a copy so the caller's map is never mutated by the merges below.
    topoConf = new HashMap<>(topoConf);
    topoConf.putAll(Utils.readCommandLineOpts());
    // Effective config: cluster config with the (command-line-augmented) topology config layered on top.
    Map<String, Object> conf = Utils.readStormConfig();
    conf.putAll(topoConf);
    topoConf.putAll(prepareZookeeperAuthentication(conf));
    validateConfs(conf);
    // A cycle is only logged, not treated as fatal.
    try {
        Utils.validateCycleFree(topology, name);
    } catch (InvalidTopologyException ex) {
        LOG.warn("", ex);
    }
    Map<String, String> passedCreds = new HashMap<>();
    if (opts != null) {
        Credentials tmpCreds = opts.get_creds();
        if (tmpCreds != null) {
            passedCreds = tmpCreds.get_creds();
        }
    }
    // populateCredentials is expected to add auto-credentials (IAutoCredentials per the imports) on
    // top of what the caller passed — confirm in that method; the merged map is attached to opts.
    Map<String, String> fullCreds = populateCredentials(conf, passedCreds);
    if (!fullCreds.isEmpty()) {
        if (opts == null) {
            opts = new SubmitOptions(TopologyInitialStatus.ACTIVE);
        }
        opts.set_creds(new Credentials(fullCreds));
    }
    try {
        // Serialized before the client is opened; this is what Nimbus receives as the topology config.
        String serConf = JSONValue.toJSONString(topoConf);
        // The client is opened as asUser, so the name check and submission run under that identity.
        try (NimbusClient client = NimbusClient.getConfiguredClientAs(conf, asUser)) {
            if (!isTopologyNameAllowed(name, client)) {
                throw new RuntimeException("Topology name " + name + " is either not allowed or it already exists on the cluster");
            }
            // Dependency uploading only makes sense for distributed mode
            // Starts empty so deleteBlobs below is safe even if init() fails before any jar is uploaded.
            List<String> jarsBlobKeys = Collections.emptyList();
            List<String> artifactsBlobKeys;
            DependencyUploader uploader = new DependencyUploader();
            try {
                uploader.init();
                jarsBlobKeys = uploadDependencyJarsToBlobStore(uploader);
                artifactsBlobKeys = uploadDependencyArtifactsToBlobStore(uploader);
            } catch (Throwable e) {
                // remove uploaded jars blobs, not artifacts since they're shared across the cluster
                uploader.deleteBlobs(jarsBlobKeys);
                uploader.shutdown();
                throw e;
            }
            try {
                setDependencyBlobsToTopology(topology, jarsBlobKeys, artifactsBlobKeys);
                submitTopologyInDistributeMode(name, topology, opts, progressListener, asUser, conf, serConf, client);
            } catch (AlreadyAliveException | InvalidTopologyException | AuthorizationException e) {
                // remove uploaded jars blobs, not artifacts since they're shared across the cluster
                // Note that we don't handle TException to delete jars blobs
                // because it's safer to leave some blobs instead of topology not running
                uploader.deleteBlobs(jarsBlobKeys);
                throw e;
            } finally {
                uploader.shutdown();
            }
        }
    } catch (TException e) {
        throw new RuntimeException(e);
    }
    // Hooks run only after a successful submission.
    invokeSubmitterHook(name, asUser, conf, topology);
}

Example 20 with NimbusClient

use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class StormSubmitter, method pushCredentials.

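/**
 * Push a new set of credentials to the running topology.
 * Return false if push Creds map is empty, true otherwise.
 *
 * <p>The command-line options and the cluster config are merged over a copy of {@code topoConf},
 * and the resulting config is passed through {@code populateCredentials} before the upload.
 * Only the topology name is logged; credential values are never written to the log.
 *
 * @param name        the name of the topology to push credentials to.
 * @param topoConf    the topology-specific configuration, if desired. See {@link Config}. The map is copied, not modified.
 * @param credentials the credentials to push.
 * @param expectedUser the user you expect the topology to be owned by; when non-null it is sent as the
 *                     credentials' topology owner (presumably so Nimbus can check ownership — the check
 *                     itself is on the Nimbus side, not here).
 * @return whether the pushed credential collection is non-empty. Return false if empty.
 * @throws AuthorizationException   if you are not authorized to push credentials.
 * @throws NotAliveException        if the topology is not alive
 * @throws InvalidTopologyException if any other error happens
 * @throws RuntimeException         wrapping any other {@link TException} raised by the Nimbus client
 */
public static boolean pushCredentials(String name, Map<String, Object> topoConf, Map<String, String> credentials, String expectedUser) throws AuthorizationException, NotAliveException, InvalidTopologyException {
    // Work on a copy so the caller's map is never mutated by the merges below.
    topoConf = new HashMap<>(topoConf);
    topoConf.putAll(Utils.readCommandLineOpts());
    Map<String, Object> conf = Utils.readStormConfig();
    conf.putAll(topoConf);
    Map<String, String> fullCreds = populateCredentials(conf, credentials);
    if (fullCreds.isEmpty()) {
        // Parameterized logging, consistent with the other log calls in this method.
        LOG.warn("No credentials were found to push to {}", name);
        return false;
    }
    try {
        try (NimbusClient client = NimbusClient.getConfiguredClient(conf)) {
            LOG.info("Uploading new credentials to {}", name);
            Credentials creds = new Credentials(fullCreds);
            if (expectedUser != null) {
                creds.set_topoOwner(expectedUser);
            }
            client.getClient().uploadNewCredentials(name, creds);
        }
        LOG.info("Finished pushing creds to topology: {}", name);
    } catch (TException e) {
        throw new RuntimeException(e);
    }
    return true;
}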
