From 8573912ed6776dd90a42a696a51a610f84633897 Mon Sep 17 00:00:00 2001
From: "ning.yougang"
Date: Mon, 13 Jan 2020 12:56:08 +0800
Subject: [PATCH] Pass controller/invoker credentials use env
---
 ansible/roles/controller/tasks/deploy.yml | 15 ++--------
 ansible/roles/invoker/tasks/deploy.yml | 14 ++-------
 ansible/templates/controllerauth.password.j2 | 1 -
 ansible/templates/controllerauth.username.j2 | 1 -
 ansible/templates/invokerauth.password.j2 | 1 -
 ansible/templates/invokerauth.username.j2 | 1 -
 .../scala/src/main/resources/reference.conf | 2 +-
 .../common/ComponentCredentials.scala | 22 ++++++++++++++
 .../apache/openwhisk/core/WhiskConfig.scala | 3 ++
 .../core/controller/Controller.scala | 24 +++++++--------
 ...erver.scala => DefaultInvokerServer.scala} | 29 ++++++++-----------
 .../src/main/resources/standalone.conf | 7 +++++
 12 files changed, 61 insertions(+), 59 deletions(-)
 delete mode 100644 ansible/templates/controllerauth.password.j2
 delete mode 100644 ansible/templates/controllerauth.username.j2
 delete mode 100644 ansible/templates/invokerauth.password.j2
 delete mode 100644 ansible/templates/invokerauth.username.j2
 create mode 100644 common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala
 rename core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/{InvokerServer.scala => DefaultInvokerServer.scala} (77%)
diff --git a/ansible/roles/controller/tasks/deploy.yml b/ansible/roles/controller/tasks/deploy.yml
index f376052048e..85ea915bb57 100644
--- a/ansible/roles/controller/tasks/deploy.yml
+++ b/ansible/roles/controller/tasks/deploy.yml
@@ -71,18 +71,6 @@ dest: "{{ controller.confdir }}/{{ controller_name }}/jmxremote.access" mode: 0777 -- name: copy controller auth username file - template: - src: "controllerauth.username.j2" - dest: "{{ controller.confdir }}/{{ controller_name }}/controllerauth.username" - mode: 0777 - -- name: copy controller auth password file - template: - src: "controllerauth.password.j2" - dest: "{{ controller.confdir }}/{{ controller_name }}/controllerauth.password" - mode: 0777 - - name: "copy kafka truststore/keystore" when: kafka.protocol == 'SSL' copy: @@ -215,6 +203,9 @@ "CONFIG_whisk_db_activationsFilterDdoc": "{{ db_whisk_activations_filter_ddoc | default() }}" "CONFIG_whisk_userEvents_enabled": "{{ user_events | default(false) | lower }}" + "CONFIG_whisk_credentials_controller_username": "{{ controller.username }}" + "CONFIG_whisk_credentials_controller_password": "{{ controller.password }}" + "LIMITS_ACTIONS_INVOKES_PERMINUTE": "{{ limits.invocationsPerMinute }}" "LIMITS_ACTIONS_INVOKES_CONCURRENT": "{{ limits.concurrentInvocations }}" "LIMITS_TRIGGERS_FIRES_PERMINUTE": "{{ limits.firesPerMinute }}" diff --git a/ansible/roles/invoker/tasks/deploy.yml b/ansible/roles/invoker/tasks/deploy.yml index c2aa1eab81a..0561722ca23 100644 --- a/ansible/roles/invoker/tasks/deploy.yml +++ b/ansible/roles/invoker/tasks/deploy.yml @@ -183,18 +183,6 @@ dest: "{{ invoker.confdir }}/{{ invoker_name }}/jmxremote.access" mode: 0777 -- name: copy invoker auth username file - template: - src: "invokerauth.username.j2" - dest: "{{ invoker.confdir }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.username" - mode: 0777 - -- name: copy invoker auth password file - template: - src: "invokerauth.password.j2" - dest: "{{ invoker.confdir }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.password" - mode: 0777 - - name: add additional jvm params if jmxremote is enabled when: jmx.enabled set_fact: 
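Review bot: The two entries added in the second controller hunk (`@@ -215,6 +203,9 @@`), `CONFIG_whisk_credentials_controller_username` and `CONFIG_whisk_credentials_controller_password`, place the secret in plain text in the env map, and the invoker entries added in `ansible/roles/invoker/tasks/deploy.yml` (`@@ -278,6 +266,8 @@`) do the same. Environment values can be read by anyone able to inspect the container or process environment, and they tend to surface in playbook output and diagnostic dumps. The task that consumes this map starts and ends outside the hunk; if it is the container-start task, `no_log: true` on that task would keep the values out of Ansible logs, and a read-only secret mount with a restrictive mode would keep them out of the environment altogether. At minimum I would put a comment above the entries, e.g. `# secret: readable via container env; guards the config/runtime endpoint`.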
@@ -278,6 +266,8 @@
 "CONFIG_whisk_timeLimit_min": "{{ limit_action_time_min | default() }}"
 "CONFIG_whisk_timeLimit_max": "{{ limit_action_time_max | default() }}"
 "CONFIG_whisk_timeLimit_std": "{{ limit_action_time_std | default() }}"
+ "CONFIG_whisk_credentials_invoker_username": "{{ invoker.username }}"
+ "CONFIG_whisk_credentials_invoker_password": "{{ invoker.password }}"
 "CONFIG_whisk_concurrencyLimit_min": "{{ limit_action_concurrency_min | default() }}"
 "CONFIG_whisk_concurrencyLimit_max": "{{ limit_action_concurrency_max | default() }}"
 "CONFIG_whisk_concurrencyLimit_std": "{{ limit_action_concurrency_std | default() }}"
diff --git a/ansible/templates/controllerauth.password.j2 b/ansible/templates/controllerauth.password.j2
deleted file mode 100644
index 46e7f119989..00000000000
--- a/ansible/templates/controllerauth.password.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ controller.password }}
diff --git a/ansible/templates/controllerauth.username.j2 b/ansible/templates/controllerauth.username.j2
deleted file mode 100644
index 7739661801f..00000000000
--- a/ansible/templates/controllerauth.username.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ controller.username }}
diff --git a/ansible/templates/invokerauth.password.j2 b/ansible/templates/invokerauth.password.j2
deleted file mode 100644
index 2d31b481cd3..00000000000
--- a/ansible/templates/invokerauth.password.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ invoker.password }}
diff --git a/ansible/templates/invokerauth.username.j2 b/ansible/templates/invokerauth.username.j2
deleted file mode 100644
index cd915356156..00000000000
--- a/ansible/templates/invokerauth.username.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ invoker.username }}
diff --git a/common/scala/src/main/resources/reference.conf b/common/scala/src/main/resources/reference.conf
index 4cd73f290c0..51779cd31f6 100644
--- a/common/scala/src/main/resources/reference.conf
+++ b/common/scala/src/main/resources/reference.conf
@@ -27,7 +27,7 @@ whisk.spi { EntitlementSpiProvider = org.apache.openwhisk.core.entitlement.LocalEntitlementProvider AuthenticationDirectiveProvider = org.apache.openwhisk.core.controller.BasicAuthenticationDirective InvokerProvider = org.apache.openwhisk.core.invoker.InvokerReactive - InvokerServerProvider = org.apache.openwhisk.core.invoker.InvokerServer + InvokerServerProvider = org.apache.openwhisk.core.invoker.DefaultInvokerServer } dispatchers { diff --git a/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala b/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala new file mode 100644 index 00000000000..8be202392bd --- /dev/null +++ b/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala @@ -0,0 +1,22 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.openwhisk.common + +case class ControllerCredentials(username: String, password: String) + +case class InvokerCredentials(username: String, password: String) diff --git a/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala b/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala index b6fa765b27c..4701f94879a 100644 
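Review bot: In the new `ComponentCredentials.scala`, both case classes keep the compiler-generated `toString`, so any log line, exception message or config dump that interpolates a `ControllerCredentials` or `InvokerCredentials` value prints the password in clear text. Overriding it closes that off: `override def toString: String = s"ControllerCredentials($username,<redacted>)"`, with the equivalent on `InvokerCredentials`. The classes also accept empty strings, so a setting that is present but blank would presumably load without error and leave the runtime-config endpoint guarded by an empty user and password; `require(username.nonEmpty && password.nonEmpty, "credentials must not be empty")` in each class body would fail startup instead. A one-line Scaladoc on each class naming the endpoint these credentials protect would help the next reader.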
--- a/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala +++ b/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala @@ -265,4 +265,7 @@ object ConfigKeys { val swaggerUi = "whisk.swagger-ui" val apacheClientConfig = "whisk.apache-client" + + val controllerCredentials = "whisk.credentials.controller" + val invokerCredentials = "whisk.credentials.invoker" } diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala index 87d7614ad11..1e4da2a9ac9 100644 --- a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala +++ b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala @@ -31,8 +31,15 @@ import pureconfig.generic.auto._ import spray.json.DefaultJsonProtocol._ import spray.json._ import org.apache.openwhisk.common.Https.HttpsConfig -import org.apache.openwhisk.common.{AkkaLogging, ConfigMXBean, Logging, LoggingMarkers, TransactionId} -import org.apache.openwhisk.core.WhiskConfig +import org.apache.openwhisk.common.{ + AkkaLogging, + ConfigMXBean, + ControllerCredentials, + Logging, + LoggingMarkers, + TransactionId +} +import org.apache.openwhisk.core.{ConfigKeys, WhiskConfig} import org.apache.openwhisk.core.connector.MessagingProvider import org.apache.openwhisk.core.containerpool.logging.LogStoreProvider import org.apache.openwhisk.core.database.{ActivationStoreProvider, CacheChangeNotification, RemoteCacheInvalidation} 
@@ -165,16 +172,7 @@ class Controller(val instance: ControllerInstanceId, runtimes, List(apiV1.basepath())) - private val controllerUsername = { - val source = scala.io.Source.fromFile("/conf/controllerauth.username"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } - private val controllerPassword = { - val source = scala.io.Source.fromFile("/conf/controllerauth.password"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } + private val controllerCredentials = loadConfigOrThrow[ControllerCredentials](ConfigKeys.controllerCredentials) /** * config runtime @@ -184,7 +182,7 @@ class Controller(val instance: ControllerInstanceId, (path("config" / "runtime") & post) { extractCredentials { case Some(BasicHttpCredentials(username, password)) => - if (username == controllerUsername && password == controllerPassword) { + if (username == controllerCredentials.username && password == controllerCredentials.password) { entity(as[String]) { runtime => val execManifest = ExecManifest.initialize(runtime) if (execManifest.isFailure) { diff --git a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/DefaultInvokerServer.scala similarity index 77% rename from core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala rename to core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/DefaultInvokerServer.scala index 0a4c307e197..404b7937ef8 100644 --- a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala +++ b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/DefaultInvokerServer.scala 
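Review bot: The credential check in the second hunk (`@@ -184,7 +182,7 @@`) compares with `==`, which returns at the first differing character and, through `&&`, skips the password comparison when the username is wrong, so response timing depends on how much of the secret matched; the identical check in `DefaultInvokerServer.scala` (`@@ -21,38 +21,33 @@`) has the same property. A constant-time comparison avoids this, e.g. `MessageDigest.isEqual(password.getBytes(UTF_8), controllerCredentials.password.getBytes(UTF_8))` for both fields, with the two results combined by non-short-circuit `&`. That needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets.UTF_8` in scope, and the route body continues outside the hunk. Neither hunk shows a log entry or metric on the rejected branch; recording failed attempts against `config/runtime` would make repeated guessing visible to operators.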
@@ -21,38 +21,33 @@ import akka.actor.ActorSystem import akka.http.scaladsl.model.StatusCodes import akka.http.scaladsl.model.headers.BasicHttpCredentials import akka.http.scaladsl.server.Route -import org.apache.openwhisk.common.{Logging, TransactionId} +import org.apache.openwhisk.common.{InvokerCredentials, Logging, TransactionId} +import org.apache.openwhisk.core.ConfigKeys import org.apache.openwhisk.core.containerpool.PrewarmingConfig import org.apache.openwhisk.core.entity.{CodeExecAsString, ExecManifest} import org.apache.openwhisk.http.BasicRasService +import pureconfig._ +import pureconfig.generic.auto._ + import scala.concurrent.ExecutionContext /** * Implements web server to handle certain REST API calls. */ -class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, - val actorSystem: ActorSystem, - val logger: Logging) +class DefaultInvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, + val actorSystem: ActorSystem, + val logger: Logging) extends BasicRasService { - val invokerUsername = { - val source = scala.io.Source.fromFile("/conf/invokerauth.username"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } - val invokerPassword = { - val source = scala.io.Source.fromFile("/conf/invokerauth.password"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } + private val invokerCredentials = loadConfigOrThrow[InvokerCredentials](ConfigKeys.invokerCredentials) override def routes(implicit transid: TransactionId): Route = { super.routes ~ { (path("config" / "runtime") & post) { extractCredentials { case Some(BasicHttpCredentials(username, password)) => - if (username == invokerUsername && password == invokerPassword) { + if (username == invokerCredentials.username && password == invokerCredentials.password) { entity(as[String]) { prewarmRuntime => val execManifest = ExecManifest.initialize(prewarmRuntime) if (execManifest.isFailure) { 
@@ -82,8 +77,8 @@ class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, } } -object InvokerServer extends InvokerServerProvider { +object DefaultInvokerServer extends InvokerServerProvider { override def instance( invoker: InvokerCore)(implicit ec: ExecutionContext, actorSystem: ActorSystem, logger: Logging): BasicRasService = - new InvokerServer(invoker) + new DefaultInvokerServer(invoker) } diff --git a/core/standalone/src/main/resources/standalone.conf b/core/standalone/src/main/resources/standalone.conf index dd2d203597b..ff36f109929 100644 --- a/core/standalone/src/main/resources/standalone.conf +++ b/core/standalone/src/main/resources/standalone.conf @@ -58,6 +58,13 @@ whisk { interface = localhost } + credentials { + controller.username = controller.user + controller.password = controller.pass + } + + + # Default set of users which are bootstrapped upon start users { whisk-system = "789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP"
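Review bot: The `credentials` block added to `standalone.conf` (`@@ -58,6 +58,13 @@`) ships the fixed values `controller.user` / `controller.pass`, which become a publicly known login for the controller's `config/runtime` POST route in every standalone instance. The context line `interface = localhost` suggests the listener is loopback-only by default, but nothing in this hunk ties the credentials to that setting. I would add a comment above the block, `# Development defaults only: override whisk.credentials.controller before binding to a non-loopback interface`, or generate a random password at startup when none is configured. No `credentials.invoker` entry is added here; if the standalone server ever instantiates `DefaultInvokerServer`, its `loadConfigOrThrow` would presumably fail at startup, so that is worth confirming.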