Github user Ethanlm commented on a diff in the pull request:
https://github.com/apache/storm/pull/2531#discussion_r164881908
--- Diff:
storm-client/src/jvm/org/apache/storm/security/auth/AuthUtils.java ---
@@ -264,6 +269,128 @@ public static IGroupMappingServiceProvider
GetGroupMappingServiceProviderPlugin(
}
}
+ /**
+ * Get the key used to store a WorkerToken in the credentials map
+ * @param type the type of service to get.
+ * @return the key as a String.
+ */
+ public static String workerTokenCredentialsKey(WorkerTokenServiceType
type) {
+ return "STORM_WORKER_TOKEN_" + type.name();
+ }
+
+ /**
+ * Read a WorkerToken out of credentials for the given type.
+ * @param credentials the credentials map.
+ * @param type the type of service we are looking for.
+ * @return the deserialized WorkerToken or null if none could be found.
+ */
+ public static WorkerToken readWorkerToken(Map<String,String>
credentials, WorkerTokenServiceType type) {
+ WorkerToken ret = null;
+ String key = workerTokenCredentialsKey(type);
+ String tokenStr = credentials.get(key);
+ if (tokenStr != null) {
+ ret = Utils.deserializeFromString(tokenStr, WorkerToken.class);
+ }
+ return ret;
+ }
+
+ /**
+ * Store a worker token in some credentials. It can be pulled back out
by calling readWorkerToken.
+ * @param credentials the credentials map.
+ * @param token the token you want to store.
+ */
+ public static void setWorkerToken(Map<String,String> credentials,
WorkerToken token) {
+ String key = workerTokenCredentialsKey(token.get_serviceType());
+ credentials.put(key, Utils.serializeToString(token));
+ }
+
+ /**
+ * Find a worker token in a given subject with a given token type.
+ * @param subject what to look in.
+ * @param type the type of token to look for.
+ * @return the token or null.
+ */
+ public static WorkerToken findWorkerToken(Subject subject, final
WorkerTokenServiceType type) {
+ Set<WorkerToken> creds =
subject.getPrivateCredentials(WorkerToken.class);
+ synchronized(creds) {
+ return creds.stream()
+ .filter((wt) ->
+ wt.get_serviceType() == type)
+ .findAny().orElse(null);
+ }
+ }
+
+ private static boolean willWorkerTokensBeStoredSecurely(Map<String,
Object> conf) {
+ boolean overrideZkAuth =
ObjectReader.getBoolean(conf.get("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS"),
false);
+ if (Utils.isZkAuthenticationConfiguredStormServer(conf)) {
+ return true;
+ } else if (overrideZkAuth) {
+ LOG.error("\n\n\t\tYOU HAVE ENABLED INSECURE WORKER TOKENS.
IF THIS IS NOT A UNIT TEST PLEASE STOP NOW!!!\n\n");
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Check if worker tokens should be enabled on the server side or not.
+ * @param server a Thrift server to know if the transport support
tokens or not. No need to create a token if the transport does not
+ * support it.
+ * @param conf the daemon configuration to be sure the tokens are
secure.
+ * @return true if we can enable them, else false.
+ */
+ public static boolean areWorkerTokensEnabledServer(ThriftServer
server, Map<String, Object> conf) {
+ return server.supportsWorkerTokens() &&
willWorkerTokensBeStoredSecurely(conf);
+ }
+
+ /**
+ * Check if worker tokens should be enabled on the server side or not
(for a given server).
+ * @param connectionType the type of server this is for.
+ * @param conf the daemon configuration top be sure the tokens are
secure.
--- End diff --
should `top` --> `to` ?
---
