Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
apache
pulsar
提交
d4610109
pulsar
项目概览
apache
/
pulsar
通知
129
Star
40
Fork
3
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Wiki
1
Wiki
分析
仓库
DevOps
项目成员
Pages
pulsar
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Pages
分析
分析
仓库分析
DevOps
Wiki
1
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
提交
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
d4610109
编写于
2月 09, 2017
作者:
N
nkurihar
提交者:
Matteo Merli
2月 08, 2017
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Add Athenz authentication plugin (#178)
上级
d278601a
变更
8
隐藏空白更改
内联
并排
Showing
8 changed file
with
403 addition
and
0 deletion
+403
-0
conf/broker.conf
conf/broker.conf
+2
-0
conf/standalone.conf
conf/standalone.conf
+2
-0
pom.xml
pom.xml
+23
-0
pulsar-broker-auth-athenz/pom.xml
pulsar-broker-auth-athenz/pom.xml
+47
-0
pulsar-broker-auth-athenz/src/main/java/com/yahoo/pulsar/broker/authentication/AuthenticationProviderAthenz.java
...r/broker/authentication/AuthenticationProviderAthenz.java
+116
-0
pulsar-client-auth-athenz/pom.xml
pulsar-client-auth-athenz/pom.xml
+47
-0
pulsar-client-auth-athenz/src/main/java/com/yahoo/pulsar/client/impl/auth/AuthenticationAthenz.java
...m/yahoo/pulsar/client/impl/auth/AuthenticationAthenz.java
+107
-0
pulsar-client-auth-athenz/src/main/java/com/yahoo/pulsar/client/impl/auth/AuthenticationDataAthenz.java
...hoo/pulsar/client/impl/auth/AuthenticationDataAthenz.java
+59
-0
未找到文件。
conf/broker.conf
浏览文件 @
d4610109
...
...
@@ -122,6 +122,8 @@ superUserRoles=
brokerClientAuthenticationPlugin
=
brokerClientAuthenticationParameters
=
# Supported Athenz provider domain names(comma separated) for authentication
athenzDomainNames
=
### --- BookKeeper Client --- ###
...
...
conf/standalone.conf
浏览文件 @
d4610109
...
...
@@ -95,6 +95,8 @@ superUserRoles=
brokerClientAuthenticationPlugin
=
brokerClientAuthenticationParameters
=
# Supported Athenz provider domain names(comma separated) for authentication
athenzDomainNames
=
### --- BookKeeper Client --- ###
...
...
pom.xml
浏览文件 @
d4610109
...
...
@@ -81,6 +81,8 @@ flexible messaging model and an intuitive client API.</description>
<module>
pulsar-zookeeper-utils
</module>
<module>
pulsar-checksum
</module>
<module>
pulsar-testclient
</module>
<module>
pulsar-broker-auth-athenz
</module>
<module>
pulsar-client-auth-athenz
</module>
<module>
all
</module>
</modules>
...
...
@@ -388,6 +390,19 @@ flexible messaging model and an intuitive client API.</description>
<artifactId>
caffeine
</artifactId>
<version>
2.3.3
</version>
</dependency>
<dependency>
<groupId>
com.yahoo.athenz
</groupId>
<artifactId>
zts_java_client
</artifactId>
<version>
1.1.3
</version>
</dependency>
<dependency>
<groupId>
com.yahoo.athenz
</groupId>
<artifactId>
zpe_java_client
</artifactId>
<version>
1.1.3
</version>
</dependency>
</dependencies>
</dependencyManagement>
...
...
@@ -710,6 +725,14 @@ flexible messaging model and an intuitive client API.</description>
<id>
bookkeeper-yahoo-mvn-repo
</id>
<url>
https://raw.githubusercontent.com/yahoo/bookkeeper/mvn-repo
</url>
</repository>
<repository>
<snapshots>
<enabled>
false
</enabled>
</snapshots>
<id>
bintray-yahoo-maven
</id>
<name>
bintray
</name>
<url>
http://yahoo.bintray.com/maven
</url>
</repository>
</repositories>
<distributionManagement>
...
...
pulsar-broker-auth-athenz/pom.xml
0 → 100644
浏览文件 @
d4610109
<?xml version="1.0"?>
<!--
Copyright 2016 Yahoo Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<project
xsi:schemaLocation=
"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
xmlns=
"http://maven.apache.org/POM/4.0.0"
xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance"
>
<modelVersion>
4.0.0
</modelVersion>
<parent>
<groupId>
com.yahoo.pulsar
</groupId>
<artifactId>
pulsar
</artifactId>
<version>
1.17-SNAPSHOT
</version>
</parent>
<artifactId>
pulsar-broker-auth-athenz
</artifactId>
<packaging>
jar
</packaging>
<description>
Athenz authentication plugin for broker
</description>
<dependencies>
<dependency>
<groupId>
${project.groupId}
</groupId>
<artifactId>
pulsar-broker
</artifactId>
<version>
${project.version}
</version>
</dependency>
<dependency>
<groupId>
com.yahoo.athenz
</groupId>
<artifactId>
zpe_java_client
</artifactId>
</dependency>
</dependencies>
</project>
pulsar-broker-auth-athenz/src/main/java/com/yahoo/pulsar/broker/authentication/AuthenticationProviderAthenz.java
0 → 100644
浏览文件 @
d4610109
/**
* Copyright 2016 Yahoo Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
com.yahoo.pulsar.broker.authentication
;
import
java.io.IOException
;
import
java.net.SocketAddress
;
import
java.util.List
;
import
java.security.PublicKey
;
import
javax.naming.AuthenticationException
;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
import
com.google.common.collect.Lists
;
import
com.yahoo.athenz.auth.token.RoleToken
;
import
com.yahoo.athenz.zpe.AuthZpeClient
;
import
com.yahoo.pulsar.broker.ServiceConfiguration
;
import
com.yahoo.pulsar.broker.authentication.AuthenticationDataSource
;
import
com.yahoo.pulsar.broker.authentication.AuthenticationProvider
;
public
class
AuthenticationProviderAthenz
implements
AuthenticationProvider
{
private
static
final
String
DOMAIN_NAME_LIST
=
"athenzDomainNames"
;
private
List
<
String
>
domainNameList
=
null
;
@Override
public
void
initialize
(
ServiceConfiguration
config
)
throws
IOException
{
if
(
config
.
getProperty
(
DOMAIN_NAME_LIST
)
==
null
)
{
throw
new
IOException
(
"No athenz domain name specified"
);
}
String
domainNames
=
(
String
)
config
.
getProperty
(
DOMAIN_NAME_LIST
);
domainNameList
=
Lists
.
newArrayList
(
domainNames
.
split
(
","
));
log
.
info
(
"Supported domain names for athenz: {}"
,
domainNameList
);
}
@Override
public
String
getAuthMethodName
()
{
return
"athenz"
;
}
@Override
public
String
authenticate
(
AuthenticationDataSource
authData
)
throws
AuthenticationException
{
SocketAddress
clientAddress
;
String
roleToken
;
if
(
authData
.
hasDataFromPeer
())
{
clientAddress
=
authData
.
getPeerAddress
();
}
else
{
throw
new
AuthenticationException
(
"Authentication data source does not have a client address"
);
}
if
(
authData
.
hasDataFromCommand
())
{
roleToken
=
authData
.
getCommandData
();
}
else
if
(
authData
.
hasDataFromHttp
())
{
roleToken
=
authData
.
getHttpHeader
(
AuthZpeClient
.
ZPE_TOKEN_HDR
);
}
else
{
throw
new
AuthenticationException
(
"Authentication data source does not have a role token"
);
}
if
(
roleToken
==
null
)
{
throw
new
AuthenticationException
(
"Athenz token is null, can't authenticate"
);
}
if
(
roleToken
.
isEmpty
())
{
throw
new
AuthenticationException
(
"Athenz RoleToken is empty, Server is Using Athenz Authentication"
);
}
if
(
log
.
isDebugEnabled
())
{
log
.
debug
(
"Athenz RoleToken : [{}] received from Client: {}"
,
roleToken
,
clientAddress
);
}
RoleToken
token
=
new
RoleToken
(
roleToken
);
if
(!
domainNameList
.
contains
(
token
.
getDomain
()))
{
throw
new
AuthenticationException
(
String
.
format
(
"Athenz RoleToken Domain mismatch, Expected: %s, Found: %s"
,
domainNameList
.
toString
(),
token
.
getDomain
()));
}
// Synchronize for non-thread safe static calls inside athenz library
synchronized
(
this
)
{
PublicKey
ztsPublicKey
=
AuthZpeClient
.
getZtsPublicKey
(
token
.
getKeyId
());
int
allowedOffset
=
0
;
if
(
ztsPublicKey
==
null
)
{
throw
new
AuthenticationException
(
"Unable to retrieve ZTS Public Key"
);
}
if
(
token
.
validate
(
ztsPublicKey
,
allowedOffset
,
null
))
{
log
.
info
(
"Athenz Role Token : {}, Authorized for Client: {}"
,
roleToken
,
clientAddress
);
return
token
.
getPrincipal
();
}
else
{
throw
new
AuthenticationException
(
String
.
format
(
"Athenz Role Token Not Authorized from Client: %s"
,
clientAddress
));
}
}
}
@Override
public
void
close
()
throws
IOException
{
}
private
static
final
Logger
log
=
LoggerFactory
.
getLogger
(
AuthenticationProviderAthenz
.
class
);
}
pulsar-client-auth-athenz/pom.xml
0 → 100644
浏览文件 @
d4610109
<!--
Copyright 2016 Yahoo Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<project
xmlns=
"http://maven.apache.org/POM/4.0.0"
xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
>
<modelVersion>
4.0.0
</modelVersion>
<parent>
<groupId>
com.yahoo.pulsar
</groupId>
<artifactId>
pulsar
</artifactId>
<version>
1.17-SNAPSHOT
</version>
<relativePath>
..
</relativePath>
</parent>
<artifactId>
pulsar-client-auth-athenz
</artifactId>
<packaging>
jar
</packaging>
<description>
Athenz authentication plugin for java client
</description>
<dependencies>
<dependency>
<groupId>
${project.groupId}
</groupId>
<artifactId>
pulsar-client
</artifactId>
<version>
${project.parent.version}
</version>
</dependency>
<dependency>
<groupId>
com.yahoo.athenz
</groupId>
<artifactId>
zts_java_client
</artifactId>
</dependency>
</dependencies>
</project>
pulsar-client-auth-athenz/src/main/java/com/yahoo/pulsar/client/impl/auth/AuthenticationAthenz.java
0 → 100644
浏览文件 @
d4610109
/**
* Copyright 2016 Yahoo Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
com.yahoo.pulsar.client.impl.auth
;
import
java.io.File
;
import
java.io.IOException
;
import
java.util.Map
;
import
java.util.concurrent.TimeUnit
;
import
java.security.PrivateKey
;
import
com.yahoo.athenz.zts.RoleToken
;
import
com.yahoo.athenz.zts.ZTSClient
;
import
com.yahoo.athenz.auth.ServiceIdentityProvider
;
import
com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider
;
import
com.yahoo.athenz.auth.util.Crypto
;
import
com.yahoo.pulsar.client.api.Authentication
;
import
com.yahoo.pulsar.client.api.AuthenticationDataProvider
;
import
com.yahoo.pulsar.client.api.PulsarClientException
;
import
com.yahoo.pulsar.client.api.PulsarClientException.GettingAuthenticationDataException
;
public
class
AuthenticationAthenz
implements
Authentication
{
private
transient
ZTSClient
ztsClient
=
null
;
private
String
tenantDomain
;
private
String
tenantService
;
private
String
providerDomain
;
private
String
privateKeyPath
;
private
String
keyId
=
"0"
;
private
long
cachedRoleTokenTimestamp
;
private
String
roleToken
;
private
final
int
minValidity
=
2
*
60
*
60
;
// athenz will only give this token if it's at least valid for 2hrs
private
final
int
maxValidity
=
24
*
60
*
60
;
// token has upto 24 hours validity
private
final
int
cacheDurationInHour
=
1
;
// we will cache role token for an hour then ask athenz lib again
public
AuthenticationAthenz
()
{
}
@Override
public
String
getAuthMethodName
()
{
return
"athenz"
;
}
@Override
synchronized
public
AuthenticationDataProvider
getAuthData
()
throws
PulsarClientException
{
if
(
cachedRoleTokenIsValid
())
{
return
new
AuthenticationDataAthenz
(
roleToken
,
getZtsClient
().
getHeader
());
}
try
{
// the following would set up the API call that requests tokens from the server
// that can only be used if they are 10 minutes from expiration and last twenty four hours
RoleToken
token
=
getZtsClient
().
getRoleToken
(
providerDomain
,
null
,
minValidity
,
maxValidity
,
false
);
roleToken
=
token
.
getToken
();
cachedRoleTokenTimestamp
=
System
.
nanoTime
();
return
new
AuthenticationDataAthenz
(
roleToken
,
getZtsClient
().
getHeader
());
}
catch
(
Throwable
t
)
{
throw
new
GettingAuthenticationDataException
(
t
);
}
}
private
boolean
cachedRoleTokenIsValid
()
{
if
(
roleToken
==
null
)
{
return
false
;
}
// Ensure we refresh the Athenz role token every hour to avoid using an expired role token
return
(
System
.
nanoTime
()
-
cachedRoleTokenTimestamp
)
<
TimeUnit
.
HOURS
.
toNanos
(
cacheDurationInHour
);
}
@Override
public
void
configure
(
Map
<
String
,
String
>
authParams
)
{
this
.
tenantDomain
=
authParams
.
get
(
"tenant_domain"
);
this
.
tenantService
=
authParams
.
get
(
"tenant_service"
);
this
.
providerDomain
=
authParams
.
get
(
"provider_domain"
);
this
.
privateKeyPath
=
authParams
.
get
(
"private_key_path"
);
this
.
keyId
=
authParams
.
getOrDefault
(
"key_id"
,
"0"
);
}
@Override
public
void
start
()
throws
PulsarClientException
{
}
@Override
public
void
close
()
throws
IOException
{
}
ZTSClient
getZtsClient
()
{
if
(
ztsClient
==
null
)
{
PrivateKey
privateKey
=
Crypto
.
loadPrivateKey
(
new
File
(
privateKeyPath
));
ServiceIdentityProvider
siaProvider
=
new
SimpleServiceIdentityProvider
(
tenantDomain
,
tenantService
,
privateKey
,
keyId
);
ztsClient
=
new
ZTSClient
(
null
,
tenantDomain
,
tenantService
,
siaProvider
);
}
return
ztsClient
;
}
}
pulsar-client-auth-athenz/src/main/java/com/yahoo/pulsar/client/impl/auth/AuthenticationDataAthenz.java
0 → 100644
浏览文件 @
d4610109
/**
* Copyright 2016 Yahoo Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
com.yahoo.pulsar.client.impl.auth
;
import
java.util.HashMap
;
import
java.util.Map
;
import
java.util.Map.Entry
;
import
java.util.Set
;
import
com.yahoo.pulsar.client.api.AuthenticationDataProvider
;
public
class
AuthenticationDataAthenz
implements
AuthenticationDataProvider
{
protected
String
roleToken
;
protected
String
httpHeaderName
;
/**
* @param roleToken
*/
public
AuthenticationDataAthenz
(
String
roleToken
,
String
httpHeaderName
)
{
this
.
roleToken
=
roleToken
;
this
.
httpHeaderName
=
httpHeaderName
;
}
@Override
public
boolean
hasDataForHttp
()
{
return
true
;
}
@Override
public
Set
<
Entry
<
String
,
String
>>
getHttpHeaders
()
{
Map
<
String
,
String
>
headers
=
new
HashMap
<>();
headers
.
put
(
httpHeaderName
,
roleToken
);
return
headers
.
entrySet
();
}
@Override
public
boolean
hasDataFromCommand
()
{
return
true
;
}
@Override
public
String
getCommandData
()
{
return
roleToken
;
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录