This is an automated email from the ASF dual-hosted git repository.

membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new ef89dce  feature: support etcd auth (#1769)
ef89dce is described below

commit ef89dceda62a359ad70c0131c5f79b6eecf58059
Author: Shenal Silva <[email protected]>
AuthorDate: Fri Jun 26 14:55:58 2020 +0530

    feature: support etcd auth (#1769)
    
    Fix #1713 , #1770
---
 .travis.yml                                     |  2 +-
 .travis/linux_apisix_current_luarocks_runner.sh |  5 +++
 .travis/linux_apisix_master_luarocks_runner.sh  |  6 ++-
 .travis/linux_openresty_runner.sh               |  8 +++-
 .travis/linux_tengine_runner.sh                 |  8 +++-
 conf/config.yaml                                |  3 +-
 t/APISIX.pm                                     |  9 ++++
 t/core/etcd-auth-fail.t                         | 56 +++++++++++++++++++++++
 t/core/etcd-auth.t                              | 59 +++++++++++++++++++++++++
 9 files changed, 149 insertions(+), 7 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index d33d27c..ddc6b89 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-dist: xenial
+dist: bionic
 sudo: required
 
 matrix:
diff --git a/.travis/linux_apisix_current_luarocks_runner.sh 
b/.travis/linux_apisix_current_luarocks_runner.sh
index b67e115..0264fc5 100755
--- a/.travis/linux_apisix_current_luarocks_runner.sh
+++ b/.travis/linux_apisix_current_luarocks_runner.sh
@@ -47,6 +47,11 @@ script() {
     export 
PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
     sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' 
--advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > 
/dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     sudo rm -rf /usr/local/apisix
 
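Review bot: The etcd launched by the added lines listens on `http://0.0.0.0:2379` with no authentication, so the store is reachable on every interface of the build host, while the configuration and tests in this commit only use 127.0.0.1; `--listen-client-urls 'http://127.0.0.1:2379' --advertise-client-urls 'http://127.0.0.1:2379'` would be enough. Sending its output to `/dev/null` and waiting a fixed `sleep 5` means a failed or slow start only shows up later as unrelated test failures; logging to a file and polling the client port in a short retry loop would make that visible. In this file the context line `sudo service etcd start` remains directly above the added `sudo service etcd stop`, so the service is started only to be stopped. The same launch line is added in the hunks for linux_apisix_master_luarocks_runner.sh, linux_openresty_runner.sh and linux_tengine_runner.sh, and `script()` continues outside each hunk.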
diff --git a/.travis/linux_apisix_master_luarocks_runner.sh 
b/.travis/linux_apisix_master_luarocks_runner.sh
index e65bdbd..7705c97 100755
--- a/.travis/linux_apisix_master_luarocks_runner.sh
+++ b/.travis/linux_apisix_master_luarocks_runner.sh
@@ -47,7 +47,11 @@ script() {
     export_or_prefix
     export 
PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' 
--advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > 
/dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     sudo rm -rf /usr/local/apisix
 
diff --git a/.travis/linux_openresty_runner.sh 
b/.travis/linux_openresty_runner.sh
index d569983..86505cf 100755
--- a/.travis/linux_openresty_runner.sh
+++ b/.travis/linux_openresty_runner.sh
@@ -128,7 +128,11 @@ script() {
     export_or_prefix
     export 
PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' 
--advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > 
/dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     ./build-cache/grpc_server_example &
 
@@ -147,7 +151,7 @@ script() {
     sleep 1
 
     make lint && make license-check || exit 1
-    APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t
+    APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t
 }
 
 after_success() {
diff --git a/.travis/linux_tengine_runner.sh b/.travis/linux_tengine_runner.sh
index 472e86f..fb9b6fd 100755
--- a/.travis/linux_tengine_runner.sh
+++ b/.travis/linux_tengine_runner.sh
@@ -271,7 +271,11 @@ script() {
     export_or_prefix
     export 
PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' 
--advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > 
/dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     ./build-cache/grpc_server_example &
 
@@ -284,7 +288,7 @@ script() {
     ./bin/apisix stop
     sleep 1
     make lint && make license-check || exit 1
-    APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t
+    APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t
 }
 
 after_success() {
diff --git a/conf/config.yaml b/conf/config.yaml
index 7cd178d..fe7716d 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -122,7 +122,8 @@ etcd:
     - "http://127.0.0.1:2379";     # multiple etcd address
   prefix: "/apisix"               # apisix configurations prefix
   timeout: 3                      # 3 seconds
-
+  # user: root                     # root username for etcd
+  # password: 5tHkHhYkjr6cQY        # root password for etcd
 #eureka:
 #  host:                           # it's possible to define multiple eureka 
hosts addresses of the same eureka cluster.
 #    - "http://127.0.0.1:8761";
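Review bot: The commented `# password: 5tHkHhYkjr6cQY` line puts a concrete-looking root password into the default configuration, so anyone who enables etcd auth by uncommenting the two lines ends up with a credential that is published in the repository. An obvious placeholder would be safer, for example `  # password: CHANGE_ME            # set your own etcd password`. The test harness in t/APISIX.pm uncomments these exact lines, so the test credential would then have to be injected there instead of being taken from the shipped file. The hunk also drops the blank line that separated the `etcd:` block from the commented `#eureka:` block, which makes the new keys easy to misread as part of the next section.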
diff --git a/t/APISIX.pm b/t/APISIX.pm
index a973143..0b93fb2 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -79,6 +79,14 @@ $yaml_config =~ s/enable_heartbeat: true/enable_heartbeat: 
false/;
 $yaml_config =~ s/  # stream_proxy:/  stream_proxy:\n    tcp:\n      - 9100/;
 $yaml_config =~ s/admin_key:/disable_admin_key:/;
 
+my $etcd_enable_auth = $ENV{"ETCD_ENABLE_AUTH"} || "false";
+
+if ($etcd_enable_auth eq "true") {
+    $yaml_config =~ s/  # user:/  user:/;
+    $yaml_config =~ s/  # password:/  password:/;
+}
+
+
 my $profile = $ENV{"APISIX_PROFILE"};
 
 
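Review bot: Both `s///` calls inside the `if ($etcd_enable_auth eq "true")` block are unchecked, so if the commented `# user:` / `# password:` lines they target are ever reworded or re-indented the substitution silently does nothing and the suite runs without credentials while ETCD_ENABLE_AUTH says "true". Failing loudly would make that visible, e.g. `$yaml_config =~ s/  # user:/  user:/ or die "etcd user line not found in yaml config";` and the same for the password line. A one-line comment above the block, such as `# credentials come from the commented defaults in the etcd section of the config`, would also explain where the values originate; where `$yaml_config` is loaded from is outside this hunk, so that wording should be confirmed against the file.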
@@ -102,6 +110,7 @@ add_block_preprocessor(sub {
 
     my $main_config = $block->main_config // <<_EOC_;
 worker_rlimit_core  500M;
+env ENABLE_ETCD_AUTH;
 env APISIX_PROFILE;
 _EOC_
 
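Review bot: The added `env ENABLE_ETCD_AUTH;` does not match the variable this commit actually uses, `ETCD_ENABLE_AUTH`, which is read in the earlier hunk of this file and set in the BEGIN blocks of the two new tests, so nginx is told to preserve a variable that nothing sets. If the workers are meant to see the flag the line should read `env ETCD_ENABLE_AUTH;`; nothing visible in this commit reads it from the worker environment, so dropping the line may be the simpler fix. The heredoc sits inside the `add_block_preprocessor` sub, which starts and ends outside the hunk.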
diff --git a/t/core/etcd-auth-fail.t b/t/core/etcd-auth-fail.t
new file mode 100644
index 0000000..dfeaffe
--- /dev/null
+++ b/t/core/etcd-auth-fail.t
@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "false"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
role grant --path "/*" -rw guest');
+
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            local res, err = core.etcd.set(key, val)
+            ngx.say(err)
+        }
+    }
+--- request
+GET /t
+--- response_body
+insufficient credentials code: 401
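Review bot: The `system(...)` calls around `run_tests` ignore their exit status, and the `auth disable` / `role grant` cleanup only runs if `run_tests` returns normally, so an aborted run can leave the shared etcd with authentication enabled and make later test files under `prove -r t` fail for an unrelated-looking reason. Checking the status, e.g. `system(...) == 0 or die "etcdctl failed: $?";`, and moving the two cleanup calls into an `END { ... }` block would address both. The root password is repeated in every command line; holding the `-u` argument in one variable at the top of the file would keep it in a single place. TEST 1 is titled "Set and Get a value pass" although it asserts `insufficient credentials code: 401`, so a title such as `=== TEST 1: set fails without credentials` would describe it better. t/core/etcd-auth.t has the same setup and cleanup pattern.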
diff --git a/t/core/etcd-auth.t b/t/core/etcd-auth.t
new file mode 100644
index 0000000..3051a68
--- /dev/null
+++ b/t/core/etcd-auth.t
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "true"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2379"; -u root:5tHkHhYkjr6cQY 
role grant --path "/*" -rw guest');
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass with authentication
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            core.etcd.set(key, val)
+            local res, err = core.etcd.get(key)
+            ngx.say(res.body.node.value)
+            core.etcd.delete(val)
+        }
+    }
+--- request
+GET /t
+--- response_body
+test_value
+--- no_error_log
+[error]
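Review bot: `core.etcd.delete(val)` in TEST 1 passes the value `"test_value"` rather than the key, so `/test_key` is left behind in etcd after the test; it should be `core.etcd.delete(key)`. The `err` returned by `core.etcd.get(key)` is never checked, so a failed read surfaces as a nil-index error on `res.body.node.value` instead of the etcd error; `if not res then ngx.say(err) return end` before the `ngx.say` would make the failure readable. The `system(...)` calls around `run_tests` are unchecked and the cleanup is not guaranteed to run, as in t/core/etcd-auth-fail.t.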
