Repository: knox Updated Branches: refs/heads/KNOX-1204 f315b6652 -> e4b75908d
add credential provider to get idbroker creds from alias service Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/e4b75908 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/e4b75908 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/e4b75908 Branch: refs/heads/KNOX-1204 Commit: e4b75908d0a4d2529483203b243bb5dc9386534f Parents: f315b66 Author: Larry McCay <[email protected]> Authored: Wed Jul 4 13:55:21 2018 -0400 Committer: Larry McCay <[email protected]> Committed: Wed Jul 4 13:55:21 2018 -0400 ---------------------------------------------------------------------- .../AbstractKnoxCloudCredentialsClient.java | 18 ++++- .../idbroker/IdentityBrokerResource.java | 18 ++++- .../idbroker/KnoxCloudCredentialsClient.java | 11 +++ .../KnoxCloudCredentialsClientManager.java | 82 ++++++++++++++++++++ .../KnoxCloudCredentiatlsClientManager.java | 75 ------------------ .../service/idbroker/aws/KnoxAWSClient.java | 48 +++++++++++- .../service/knoxs3/KnoxS3ClientBuilder.java | 4 +- 7 files changed, 174 insertions(+), 82 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java index b150d28..af6ab01 100644 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java 
@@ -17,13 +17,24 @@ */ package org.apache.knox.gateway.service.idbroker; -public class AbstractKnoxCloudCredentialsClient { +import java.util.Properties; + +import org.apache.knox.gateway.services.security.AliasService; + +public abstract class AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient { private KnoxCloudPolicyProvider policyProvider = null; + protected AliasService aliasService; + protected String topologyName; public AbstractKnoxCloudCredentialsClient() { super(); } + @Override + public void init(Properties context) { + topologyName = context.getProperty("topology.name"); + } + public KnoxCloudPolicyProvider getPolicyProvider() { return policyProvider; } @@ -31,4 +42,9 @@ public class AbstractKnoxCloudCredentialsClient { public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) { this.policyProvider = policyProvider; } + + @Override + public void setAliasService(AliasService aliasService) { + this.aliasService = aliasService; + } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java index 1167011..d457976 100644 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java 
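Review bot: `init` in `AbstractKnoxCloudCredentialsClient` stores `context.getProperty("topology.name")` without checking it, so a missing property leaves `topologyName` null and that null later becomes the cluster name passed to `getPasswordFromAliasForCluster` (see `KnoxAWSClient` in this same commit), failing far from the actual misconfiguration. I would fail fast here: `topologyName = context.getProperty("topology.name"); if (topologyName == null) { throw new IllegalArgumentException("topology.name is required in the idbroker client context"); }`. The literal `"topology.name"` is also spelled out independently in `IdentityBrokerResource.init`; a shared `public static final String TOPOLOGY_NAME = "topology.name";` on this class (or on the interface) would keep the two call sites from drifting. The new `protected` fields `aliasService` and `topologyName` would benefit from a one-line comment stating that they are populated by the container via `setAliasService`/`init` before any credential request is served, since nothing in this class enforces that order.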
@@ -18,6 +18,8 @@ package org.apache.knox.gateway.service.idbroker; import org.apache.knox.gateway.i18n.messages.MessagesFactory; +import org.apache.knox.gateway.services.GatewayServices; +import org.apache.knox.gateway.services.security.AliasService; import javax.annotation.PostConstruct; import javax.servlet.ServletContext; @@ -47,7 +49,7 @@ public class IdentityBrokerResource { private static final String NO_CACHE = "must-revalidate,no-cache,no-store"; private KnoxCloudPolicyProvider policyProvider = new KnoxPolicyProviderManager(); - private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentiatlsClientManager(); + private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentialsClientManager(); @Context HttpServletRequest request; @@ -61,12 +63,24 @@ public class IdentityBrokerResource { @PostConstruct public void init() { Properties props = getProperties(); + String topologyName = (String) request.getServletContext(). + getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE); + props.setProperty("topology.name", topologyName); policyProvider.init(props); credentialsClient.init(props); credentialsClient.setPolicyProvider(policyProvider); + AliasService aliasService = getAliasService(); + credentialsClient.setAliasService(aliasService); } - private Properties getProperties() { + private AliasService getAliasService() { + GatewayServices services = (GatewayServices)request.getServletContext(). + getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE); + AliasService as = services.getService(GatewayServices.ALIAS_SERVICE); + return as; +} + +private Properties getProperties() { Properties props = new Properties(); String paramName = null; Enumeration<String> e = context.getInitParameterNames(); http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java ---------------------------------------------------------------------- 
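Review bot: In `IdentityBrokerResource.init`, `props.setProperty("topology.name", topologyName)` throws a `NullPointerException` when the `GATEWAY_CLUSTER_ATTRIBUTE` servlet-context attribute is absent (`Properties` does not accept null values), and the new `getAliasService` likewise dereferences `services` without checking that `GATEWAY_SERVICES_ATTRIBUTE` was set; both surface as an opaque `@PostConstruct` failure instead of a message naming what is missing. I would check each attribute and throw an `IllegalStateException` naming it, e.g. `if (topologyName == null) { throw new IllegalStateException("No topology name in servlet context; idbroker credentials cannot be resolved"); }` and the equivalent for `services`. Also note the ordering dependency this hunk introduces: `credentialsClient.setAliasService(aliasService)` is only safe after `credentialsClient.init(props)` succeeded, because the manager delegates the call to the client loaded in `init`. Separately, the new `getAliasService` method and the `private Properties getProperties()` line after it sit at column 0 while the rest of the class is indented; please re-indent (`getProperties` continues outside the hunk).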
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java index c494d04..80b4fd0 100644 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java @@ -19,6 +19,8 @@ package org.apache.knox.gateway.service.idbroker; import java.util.Properties; +import org.apache.knox.gateway.services.security.AliasService; + public interface KnoxCloudCredentialsClient { /** * initialize client with the context from the topology @@ -48,4 +50,13 @@ public interface KnoxCloudCredentialsClient { */ String getName(); + /** + * Set the AliasService implementation currently configured for the + * gateway, in order to locate the idbroker credentials for the given + * topology instance. Topology name is in the Properties provided to + * the init method. + * @param aliasService + */ + void setAliasService(AliasService aliasService); + } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java new file mode 100644 index 0000000..cd08f69 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java 
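Review bot: The new Javadoc on `KnoxCloudCredentialsClient.setAliasService` leaves `@param aliasService` empty and does not say whether `null` is accepted or when the method is expected to be called. I would complete it as `@param aliasService the gateway's AliasService used to resolve this topology's idbroker credentials; must not be null`. Since the Javadoc itself points out that the topology name arrives through `init`, it should also state that implementations may rely on `init(Properties)` having been called first; that is exactly how `AbstractKnoxCloudCredentialsClient` and `KnoxCloudCredentialsClientManager` in this commit use it, and making the ordering part of the contract keeps a future implementation from resolving aliases against a null topology.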
@@ -0,0 +1,82 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import java.util.Iterator; +import java.util.Properties; +import java.util.ServiceLoader; + +import org.apache.knox.gateway.services.security.AliasService; + +public class KnoxCloudCredentialsClientManager implements KnoxCloudCredentialsClient { + + private static final String CLOUD_CLIENT_PROVIDER = "cloud.client.provider"; + private KnoxCloudCredentialsClient delegate = null; + + @Override + public Object getCredentials() { + return delegate.getCredentials(); + } + + @Override + public KnoxCloudPolicyProvider getPolicyProvider() { + return delegate.getPolicyProvider(); + } + + @Override + public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) { + delegate.setPolicyProvider(policyProvider); + } + + @Override + public String getName() { + return delegate.getName(); + } + + @Override + public void init(Properties context) { + try { + delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER)); + delegate.init(context); + } + catch (IdentityBrokerConfigException e) { + e.printStackTrace(); + } + } + + @Override + public void setAliasService(AliasService aliasService) { + 
delegate.setAliasService(aliasService); + } + + public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException { + KnoxCloudCredentialsClient delegate = null; + ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class); + Iterator<KnoxCloudCredentialsClient> iterator = loader.iterator(); + while(iterator.hasNext()) { + delegate = iterator.next(); + if (name.equals(delegate.getName())) { + break; + } + } + if (delegate == null) { + throw new IdentityBrokerConfigException(name); + } + return delegate; + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java deleted file mode 100644 index 6db5193..0000000 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java +++ /dev/null 
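Review bot: `loadDelegate` in the new `KnoxCloudCredentialsClientManager` does not do what its final null check implies: `delegate` is reassigned on every iteration, so when no provider's `getName()` matches the configured `cloud.client.provider` the method returns whichever provider `ServiceLoader` listed last, and `IdentityBrokerConfigException` is only thrown when no provider is on the classpath at all. For a component that hands out cloud credentials, a typo in `cloud.client.provider` silently selecting a different provider is a real problem, and a missing property additionally NPEs on `name.equals(...)`. The carried-over `init` compounds this by catching the exception with `printStackTrace()` and leaving `delegate` null, so `setPolicyProvider`, `setAliasService` and `getCredentials` later fail with unrelated NPEs. I would match by exact name only, reject a null name up front, and let `init` fail loudly (wrapping in an unchecked exception, since the interface's `init` declares none); the `Iterator` import then becomes unused, and I am assuming `IdentityBrokerConfigException`'s String constructor takes the offending name as the existing call suggests.
```java
  @Override
  public void init(Properties context) {
    try {
      delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER));
      delegate.init(context);
    }
    catch (IdentityBrokerConfigException e) {
      // Never leave the manager half-initialised: every later call would NPE on delegate.
      throw new IllegalStateException("Unable to load cloud client provider", e);
    }
  }

  // … unchanged: setAliasService …

  public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException {
    if (name == null) {
      throw new IdentityBrokerConfigException(CLOUD_CLIENT_PROVIDER);
    }
    for (KnoxCloudCredentialsClient candidate : ServiceLoader.load(KnoxCloudCredentialsClient.class)) {
      if (name.equals(candidate.getName())) {
        return candidate;
      }
    }
    // Only an exact name match may be used; never fall back to whichever provider was loaded last.
    throw new IdentityBrokerConfigException(name);
  }
```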
@@ -1,75 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.knox.gateway.service.idbroker; - -import java.util.Iterator; -import java.util.Properties; -import java.util.ServiceLoader; - -public class KnoxCloudCredentiatlsClientManager implements KnoxCloudCredentialsClient { - - private static final String CLOUD_CLIENT_PROVIDER = "cloud.client.provider"; - private KnoxCloudCredentialsClient delegate = null; - - @Override - public Object getCredentials() { - return delegate.getCredentials(); - } - - @Override - public KnoxCloudPolicyProvider getPolicyProvider() { - return delegate.getPolicyProvider(); - } - - @Override - public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) { - delegate.setPolicyProvider(policyProvider); - } - - @Override - public String getName() { - return delegate.getName(); - } - - @Override - public void init(Properties context) { - try { - delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER)); - } - catch (IdentityBrokerConfigException e) { - e.printStackTrace(); - } - } - - public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException { - KnoxCloudCredentialsClient delegate = null; - 
ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class); - Iterator<KnoxCloudCredentialsClient> iterator = loader.iterator(); - while(iterator.hasNext()) { - delegate = iterator.next(); - if (name.equals(delegate.getName())) { - break; - } - } - if (delegate == null) { - throw new IdentityBrokerConfigException(name); - } - return delegate; - } - -} http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java index bdc8f79..1294eb7 100644 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java @@ -25,7 +25,10 @@ import javax.security.auth.Subject; import org.apache.knox.gateway.security.SubjectUtils; import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient; import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient; +import org.apache.knox.gateway.services.security.AliasServiceException; +import com.amazonaws.auth.AWSCredentials; +import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.securitytoken.AWSSecurityTokenService; import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder; 
@@ -33,7 +36,8 @@ import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest; import com.amazonaws.services.securitytoken.model.GetFederationTokenResult; public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient { - /* (non-Javadoc) + +/* (non-Javadoc) * @see org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient#getCredentials() */ @Override @@ -48,7 +52,9 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements private GetFederationTokenResult getFederationTokenResult() { String policy; - AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard().withRegion(Regions.US_EAST_1).build(); + AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard(). + withCredentials(new AliasServiceAWSCredentialsProvider()). + withRegion(Regions.US_EAST_1).build(); String username = null; Subject subject = Subject.getSubject(AccessController.getContext()); username = getEffectiveUserName(subject); 
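Review bot: In `getFederationTokenResult`, the `AWSSecurityTokenServiceClientBuilder.standard()...build()` chain now runs on every call, and with `withCredentials(new AliasServiceAWSCredentialsProvider())` each request also re-resolves the aliases through the alias service; I would build the STS client once (lazily on first use, after `setAliasService` has been called) and reuse it. The hard-coded `Regions.US_EAST_1` predates this commit, but since `init` now receives the topology `Properties`, this is the natural moment to read the region from there instead. One caveat worth a comment next to the credentials provider: per the AWS STS documentation, `GetFederationToken` must be called with long-term IAM user credentials, so the `aws.credentials.key`/`aws.credentials.secret` aliases will hold long-lived keys — they should be scoped to the minimum policy needed to call STS and rotated accordingly. The enclosing method continues outside the hunk.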
@@ -73,5 +79,43 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements @Override public void init(Properties context) { + super.init(context); } + + private class AliasServiceAWSCredentialsProvider + implements AWSCredentialsProvider { + @Override + public AWSCredentials getCredentials() { + return new AWSCredentials() { + @Override + public String getAWSAccessKeyId() { + try { + return new String(aliasService. + getPasswordFromAliasForCluster(topologyName, "aws.credentials.key")); + } catch (AliasServiceException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return null; + } + @Override + public String getAWSSecretKey() { + try { + return new String(aliasService. + getPasswordFromAliasForCluster(topologyName, "aws.credentials.secret")); + } catch (AliasServiceException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return null; + } + }; + } + + @Override + public void refresh() { + } + + } + } http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java ---------------------------------------------------------------------- diff --git a/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java b/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java index 62730f9..1f91b72 100644 --- a/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java +++ b/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java 
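Review bot: `AliasServiceAWSCredentialsProvider` in `KnoxAWSClient` turns a failed alias lookup into `printStackTrace()` plus `return null`, so a missing or unreadable `aws.credentials.key`/`aws.credentials.secret` reaches the AWS SDK as a null key and is reported as an opaque signing failure rather than as "alias X not found in topology Y"; the two `// TODO Auto-generated catch block` markers also should not land on this branch. The anonymous `AWSCredentials` additionally calls the alias service again on every `getAWSAccessKeyId()`/`getAWSSecretKey()` invocation, i.e. at least twice per SDK request. I would resolve both aliases once per `getCredentials()` call and fail with an exception that names the alias but never its value; `new String(...)` on the secret is unavoidable given the `AWSCredentials` interface, so this is a reason to keep the provider short-lived rather than cache the strings. This assumes `getPasswordFromAliasForCluster` returns a `char[]`, as the `new String(...)` wrapping suggests — please confirm.
```java
    @Override
    public AWSCredentials getCredentials() {
      // Resolve both aliases once per call instead of once per getter invocation.
      final String accessKey = resolveAlias("aws.credentials.key");
      final String secretKey = resolveAlias("aws.credentials.secret");
      return new AWSCredentials() {
        @Override
        public String getAWSAccessKeyId() {
          return accessKey;
        }
        @Override
        public String getAWSSecretKey() {
          return secretKey;
        }
      };
    }

    // Fail loudly: a missing alias must not become a null key that the SDK reports
    // as an opaque signing error. The message names the alias, never its value.
    private String resolveAlias(String alias) {
      try {
        char[] value = aliasService.getPasswordFromAliasForCluster(topologyName, alias);
        if (value == null) {
          throw new IllegalStateException("No value for alias " + alias + " in topology " + topologyName);
        }
        return new String(value);
      } catch (AliasServiceException e) {
        throw new IllegalStateException("Unable to resolve alias " + alias + " for topology " + topologyName, e);
      }
    }

    // … unchanged: refresh() …
```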
@@ -33,7 +33,7 @@ import org.apache.knox.gateway.security.ImpersonatedPrincipal; import org.apache.knox.gateway.security.PrimaryPrincipal; import org.apache.knox.gateway.security.SubjectUtils; import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient; -import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentiatlsClientManager; +import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClientManager; import org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider; import org.apache.knox.gateway.service.idbroker.KnoxPolicyProviderManager; @@ -52,7 +52,7 @@ import com.amazonaws.services.securitytoken.model.GetFederationTokenResult; public class KnoxS3ClientBuilder { private KnoxCloudPolicyProvider policyProvider = new KnoxPolicyProviderManager(); - private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentiatlsClientManager(); + private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentialsClientManager(); private Properties props = null;
