[ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16292353#comment-16292353 ]
Sam Corbett commented on BROOKLYN-421:
--------------------------------------

Here's a more up-to-date stack trace for the alternative option:

{noformat}
"brooklyn-jetty-server-8081-qtp651992021-30@7102" prio=5 tid=0x1e nid=NA runnable
  java.lang.Thread.State: RUNNABLE
    at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:221)
    at org.apache.brooklyn.core.mgmt.ha.OsgiArchiveInstaller.makeLocalZipFileFromInputStreamOrUrl(OsgiArchiveInstaller.java:243)
    - locked <0x1d87> (a org.apache.brooklyn.core.mgmt.ha.OsgiArchiveInstaller)
    at org.apache.brooklyn.core.mgmt.ha.OsgiArchiveInstaller.install(OsgiArchiveInstaller.java:392)
    at org.apache.brooklyn.core.mgmt.ha.OsgiManager.installDeferredStart(OsgiManager.java:400)
    at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:172)
    at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:152)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItemsFromItemMetadataBlock(BasicBrooklynCatalog.java:671)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItemsFromCatalogBomRoot(BasicBrooklynCatalog.java:558)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addTypesFromBundleBom(BasicBrooklynCatalog.java:1573)
    at org.apache.brooklyn.core.catalog.internal.CatalogBundleLoader.scanForCatalogInternal(CatalogBundleLoader.java:104)
    at org.apache.brooklyn.core.catalog.internal.CatalogBundleLoader.scanForCatalog(CatalogBundleLoader.java:67)
    at org.apache.brooklyn.core.mgmt.ha.OsgiManager.loadCatalogBom(OsgiManager.java:561)
    at org.apache.brooklyn.core.mgmt.ha.OsgiArchiveInstaller$1.run(OsgiArchiveInstaller.java:644)
    at org.apache.brooklyn.core.mgmt.ha.OsgiArchiveInstaller.install(OsgiArchiveInstaller.java:701)
    at org.apache.brooklyn.core.mgmt.ha.OsgiManager.install(OsgiManager.java:415)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItemsOsgi(BasicBrooklynCatalog.java:1516)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1453)
    at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:117)
    at org.apache.brooklyn.rest.resources.CatalogResource.createFromYaml(CatalogResource.java:140)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-1)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
{noformat}

YAML to bundle URL:
# BasicBrooklynCatalog.collectCatalogItemsFromItemMetadataBlock turns the YAML into instances of {{CatalogBundle}}.
# CatalogUtils.installLibraries turns each {{CatalogBundle}} into a {{BasicManagedBundle}}.
# OsgiArchiveInstaller.makeLocalZipFileFromInputStreamOrUrl passes the bundle's URL to {{ResourceUtils}}.

> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
>                 Key: BROOKLYN-421
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-421
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are
> retrieved from their Nexus repo using basic-auth. They want the nexus
> credentials to be stored in an externalized credential store. They want the
> credentials to be able to contain special characters (e.g. "@") that are not
> valid in a URL.
>
> Building up to this, here is what we currently support...
>
> Either of the catalog items below is valid (i.e. the credentials can be
> encoded in the url; the library can be supplied either as a string or as a
> map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:myp...@nexus.example.com/mybundle.jar
>   item:
>     ...
>
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:myp...@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
>
> For usernames / passwords with special characters, these need to be escaped
> before adding to the url. For example, for username "myu...@example.com", the
> url would be
> {{https://myuser%40mydomain.com:myp...@nexus.example.com/mybundle.jar}}.
>
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s...@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
>
> However, this requires that the externalised config stores the username and
> password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially
> logged or persisted.
>
> ---
>
> We could fix the first of these problems (i.e. credentials store can just
> supply the raw username/password) by adding DSL support for
> {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s...@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
>
> ---
>
> Alternatively (as well?) we could supply the basic-auth credentials as an
> explicit configuration option. The advantage of this is that we should be
> able to keep it as the DSL "deferred supplier" so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
>
> However, this is fiddly to implement. Looking at the code path for where it
> eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
>   java.lang.Thread.State: RUNNABLE
>     at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
>     at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
>     at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
>     at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
>     at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
>     at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
>     at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
>     at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
>     at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
>     at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
>     at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
>     at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
>     at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
>     at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
>     at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
>
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we
> have the {{CatalogBundle}} object - after that, we only have the URL string.
> So that is a lot of methods that would need to change!

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
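
Added example (not part of the original message and not Brooklyn's own code): a stand-alone Java program contrasting the two options the issue describes, escaping raw credentials before embedding them in the library URL versus keeping the URL credential-free and sending them in a Basic Authorization header, and showing userinfo being redacted before a URL is logged. The class name, method names and sample credentials are assumptions made up for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper class for illustration; none of these names exist in Brooklyn.
public class LibraryUrlCredentials {

    // Percent-encode one userinfo component (username or password).
    // URLEncoder does form encoding, so a space comes back as "+"; a literal
    // "+" in the input is already "%2B" by then, so the swap below is safe.
    static String escapeUserInfo(String raw) throws UnsupportedEncodingException {
        return URLEncoder.encode(raw, StandardCharsets.UTF_8.name()).replace("+", "%20");
    }

    // Option 1 from the issue: credentials embedded in the URL, escaped first.
    static String urlWithCredentials(String scheme, String hostAndPath, String user, String pass)
            throws UnsupportedEncodingException {
        return scheme + "://" + escapeUserInfo(user) + ":" + escapeUserInfo(pass) + "@" + hostAndPath;
    }

    // Option 2 from the issue: the URL stays credential-free and the raw values
    // appear only in the Authorization header of the request.
    static String basicAuthHeader(String user, String pass) {
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Strip the userinfo part before a URL is logged or persisted.
    static String redactForLog(String url) {
        String userInfo = URI.create(url).getRawUserInfo();
        return userInfo == null ? url : url.replace(userInfo + "@", "<redacted>@");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials.
        String user = "alice@example.com";
        String pass = "p@ss:w/rd 1+1";

        String embedded = urlWithCredentials("https", "nexus.example.com/mybundle.jar", user, pass);
        System.out.println(embedded);               // escaped userinfo, still sensitive
        System.out.println(redactForLog(embedded)); // form that is safe to log
        System.out.println(basicAuthHeader(user, pass));
    }
}
```

With option 2 the URL string that travels through the install call chain never contains the password, so only the code that builds the HTTP request needs access to the raw values.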