Posted to commits@kyuubi.apache.org by ch...@apache.org on 2023/02/27 03:26:27 UTC
[kyuubi] branch branch-1.7 updated: [KYUUBI #4419] Implement simple EngineSecuritySecretProvider
This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch branch-1.7
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/branch-1.7 by this push:
new 4ffe8922d [KYUUBI #4419] Implement simple EngineSecuritySecretProvider
4ffe8922d is described below
commit 4ffe8922d5d95eba6ea6e722876500c8c84b0c94
Author: Cheng Pan <ch...@apache.org>
AuthorDate: Mon Feb 27 11:25:56 2023 +0800
[KYUUBI #4419] Implement simple EngineSecuritySecretProvider
### _Why are the changes needed?_
This PR implements a simple `EngineSecuritySecretProvider` alongside the existing ZooKeeper implementation, which lowers the barrier for users to use the RESTful API in HA mode. It also allows users to set `kyuubi.engine.security.secret.provider` using the short name 'simple' or 'zookeeper' as well as the full class name.
### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #4419 from pan3793/simple-secret-provider.
Closes #4419
32b1f966a [Cheng Pan] Update kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
1af12b99d [Cheng Pan] nit
28a228eea [Cheng Pan] nit
65f14494c [Cheng Pan] Implement simple EngineSecuritySecretProvider
Authored-by: Cheng Pan <ch...@apache.org>
Signed-off-by: Cheng Pan <ch...@apache.org>
(cherry picked from commit 83af5ba814d9742bd461d8e9aed55ae6cc8fc731)
Signed-off-by: Cheng Pan <ch...@apache.org>
---
.../scala/org/apache/kyuubi/config/KyuubiConf.scala | 19 +++++++++++++++++--
.../authentication/EngineSecuritySecretProvider.scala | 17 ++++++++++++++++-
.../InternalSecurityAccessorSuite.scala | 5 ++---
.../kyuubi/server/api/v1/BatchesResourceSuite.scala | 7 +++----
4 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
index e947e6aad..e029d1b10 100644
--- a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
+++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
@@ -2068,8 +2068,23 @@ object KyuubiConf {
"subclass of `EngineSecuritySecretProvider`.")
.version("1.5.0")
.stringConf
- .createWithDefault(
- "org.apache.kyuubi.service.authentication.ZooKeeperEngineSecuritySecretProviderImpl")
+ .transform {
+ case "simple" =>
+ "org.apache.kyuubi.service.authentication.SimpleEngineSecuritySecretProviderImpl"
+ case "zookeeper" =>
+ "org.apache.kyuubi.service.authentication.ZooKeeperEngineSecuritySecretProviderImpl"
+ case other => other
+ }
+ .createWithDefault("zookeeper")
+
+ val SIMPLE_SECURITY_SECRET_PROVIDER_PROVIDER_SECRET: OptionalConfigEntry[String] =
+ buildConf("kyuubi.engine.security.secret.provider.simple.secret")
+ .internal
+ .doc("The secret key used for internal security access. Only take affects when " +
+ s"${ENGINE_SECURITY_SECRET_PROVIDER.key} is 'simple'")
+ .version("1.7.0")
+ .stringConf
+ .createOptional
val ENGINE_SECURITY_CRYPTO_KEY_LENGTH: ConfigEntry[Int] =
buildConf("kyuubi.engine.security.crypto.keyLength")
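Review bot: The new `kyuubi.engine.security.secret.provider.simple.secret` entry is built with `.stringConf.createOptional` and no validation, so an empty or trivially short value is accepted as the secret used for internal security access. Consider rejecting at least the empty string at config time, e.g. `.checkValue(_.nonEmpty, "the simple provider secret must not be empty")` before `.createOptional`. Because the value is a credential held in plain configuration, it is also worth confirming that it is covered by whatever redaction is applied where configs are logged or displayed; nothing in this hunk shows that. Separately, the short names in `.transform` match case-sensitively, so a value such as `Simple` falls through `case other` and is treated as a class name.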
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/EngineSecuritySecretProvider.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/EngineSecuritySecretProvider.scala
index 5bd9e4092..2bcfe9a67 100644
--- a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/EngineSecuritySecretProvider.scala
+++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/EngineSecuritySecretProvider.scala
@@ -18,7 +18,7 @@
package org.apache.kyuubi.service.authentication
import org.apache.kyuubi.config.KyuubiConf
-import org.apache.kyuubi.config.KyuubiConf.ENGINE_SECURITY_SECRET_PROVIDER
+import org.apache.kyuubi.config.KyuubiConf._
trait EngineSecuritySecretProvider {
@@ -33,6 +33,21 @@ trait EngineSecuritySecretProvider {
def getSecret(): String
}
+class SimpleEngineSecuritySecretProviderImpl extends EngineSecuritySecretProvider {
+
+ private var _conf: KyuubiConf = _
+
+ override def initialize(conf: KyuubiConf): Unit = _conf = conf
+
+ override def getSecret(): String = {
+ _conf.get(SIMPLE_SECURITY_SECRET_PROVIDER_PROVIDER_SECRET).getOrElse {
+ throw new IllegalArgumentException(
+ s"${SIMPLE_SECURITY_SECRET_PROVIDER_PROVIDER_SECRET.key} must be configured " +
+ s"when ${ENGINE_SECURITY_SECRET_PROVIDER.key} is `simple`.")
+ }
+ }
+}
+
object EngineSecuritySecretProvider {
def create(conf: KyuubiConf): EngineSecuritySecretProvider = {
val providerClass = Class.forName(conf.get(ENGINE_SECURITY_SECRET_PROVIDER))
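Review bot: `SimpleEngineSecuritySecretProviderImpl` has no Scaladoc stating its security trade-off: the secret is a static value read from `KyuubiConf` on each `getSecret()` call, so it has to be protected like any other credential wherever that configuration lives. I would add a class comment such as `/** Returns a fixed secret taken from configuration; treat the configured value as a credential. Rotating it means changing the configuration. */`. Also, `_conf` is `null` until `initialize` runs, so a `getSecret()` call made first fails with a NullPointerException instead of the descriptive IllegalArgumentException; a guard like `require(_conf != null, "initialize must be called before getSecret")` would make that failure explicit. The `create` method at the end of the hunk continues outside it, so whether it always calls `initialize` is not visible here.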
diff --git a/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/InternalSecurityAccessorSuite.scala b/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/InternalSecurityAccessorSuite.scala
index e6c4c8506..e92ac7e61 100644
--- a/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/InternalSecurityAccessorSuite.scala
+++ b/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/InternalSecurityAccessorSuite.scala
@@ -22,9 +22,8 @@ import org.apache.kyuubi.config.KyuubiConf
class InternalSecurityAccessorSuite extends KyuubiFunSuite {
private val conf = KyuubiConf()
- conf.set(
- KyuubiConf.ENGINE_SECURITY_SECRET_PROVIDER,
- classOf[UserDefinedEngineSecuritySecretProvider].getCanonicalName)
+ .set(KyuubiConf.ENGINE_SECURITY_SECRET_PROVIDER, "simple")
+ .set(KyuubiConf.SIMPLE_SECURITY_SECRET_PROVIDER_PROVIDER_SECRET, "ENGINE____SECRET")
test("test encrypt/decrypt, issue token/auth token") {
Seq("AES/CBC/PKCS5PADDING", "AES/CTR/NoPadding").foreach { cipher =>
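Review bot: Nothing changed in this suite exercises the failure path the commit adds, where the provider is `simple` but `kyuubi.engine.security.secret.provider.simple.secret` is unset and `getSecret()` throws IllegalArgumentException. A negative test would pin that behaviour, for example a case that builds a provider from a conf setting only `ENGINE_SECURITY_SECRET_PROVIDER` to `"simple"` and wraps the `getSecret()` call in `intercept[IllegalArgumentException] { ... }`. The suite body continues outside the hunk, but the diffstat shows only the setup lines changed in this file, so no such test appears to be part of this commit.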
diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/BatchesResourceSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/BatchesResourceSuite.scala
index c77d364f3..ce05cbd6b 100644
--- a/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/BatchesResourceSuite.scala
+++ b/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/BatchesResourceSuite.scala
@@ -43,15 +43,14 @@ import org.apache.kyuubi.operation.OperationState.OperationState
import org.apache.kyuubi.server.KyuubiRestFrontendService
import org.apache.kyuubi.server.http.authentication.AuthenticationHandler.AUTHORIZATION_HEADER
import org.apache.kyuubi.server.metadata.api.Metadata
-import org.apache.kyuubi.service.authentication.{KyuubiAuthenticationFactory, UserDefinedEngineSecuritySecretProvider}
+import org.apache.kyuubi.service.authentication.KyuubiAuthenticationFactory
import org.apache.kyuubi.session.{KyuubiBatchSessionImpl, KyuubiSessionManager, SessionHandle, SessionType}
class BatchesResourceSuite extends KyuubiFunSuite with RestFrontendTestHelper with BatchTestHelper {
override protected lazy val conf: KyuubiConf = KyuubiConf()
.set(KyuubiConf.ENGINE_SECURITY_ENABLED, true)
- .set(
- KyuubiConf.ENGINE_SECURITY_SECRET_PROVIDER,
- classOf[UserDefinedEngineSecuritySecretProvider].getName)
+ .set(KyuubiConf.ENGINE_SECURITY_SECRET_PROVIDER, "simple")
+ .set(KyuubiConf.SIMPLE_SECURITY_SECRET_PROVIDER_PROVIDER_SECRET, "ENGINE____SECRET")
.set(
KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST,
Seq(Paths.get(sparkBatchTestResource.get).getParent.toString))