You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@drill.apache.org by dz...@apache.org on 2021/12/14 17:31:51 UTC

[drill] branch master updated: DRILL-8076: Remove unneeded Vault token BOOT opt (#2404)

This is an automated email from the ASF dual-hosted git repository.

dzamo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git


The following commit(s) were added to refs/heads/master by this push:
     new c931f16  DRILL-8076: Remove unneeded Vault token BOOT opt (#2404)
c931f16 is described below

commit c931f1693997a8e0d38d41fcc1335f13282b62e8
Author: James Turton <91...@users.noreply.github.com>
AuthorDate: Tue Dec 14 19:31:42 2021 +0200

    DRILL-8076: Remove unneeded Vault token BOOT opt (#2404)
    
    * Remove unneeded Vault token BOOT opt.
    
    * Remove Vault token BOOT opt code from unit test class.
---
 .../rpc/user/security/VaultUserAuthenticator.java  | 37 ++++------------------
 .../user/security/TestVaultUserAuthenticator.java  |  2 --
 2 files changed, 6 insertions(+), 33 deletions(-)

diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/VaultUserAuthenticator.java b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/VaultUserAuthenticator.java
index 110d5f7..a7e94ef 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/VaultUserAuthenticator.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/VaultUserAuthenticator.java
@@ -42,7 +42,6 @@ public class VaultUserAuthenticator implements UserAuthenticator {
 
   // Drill boot options used to configure Vault auth.
   public static final String VAULT_ADDRESS = "drill.exec.security.user.auth.vault.address";
-  public static final String VAULT_TOKEN = "drill.exec.security.user.auth.vault.token";
   public static final String VAULT_AUTH_METHOD = "drill.exec.security.user.auth.vault.method";
 
   // The subset of Vault auth methods that are supported by this authenticator
@@ -86,32 +85,9 @@ public class VaultUserAuthenticator implements UserAuthenticator {
       )
     );
 
+    // There's no need for Drill have its own Vault token for it to use auth
+    // methods.
     VaultConfig vaultConfBuilder = new VaultConfig().address(vaultAddress);
-    String vaultToken = config.hasPath(VAULT_TOKEN)
-      ? config.getString(VAULT_TOKEN)
-      : null;
-
-    if (this.authMethod == VaultAuthMethod.VAULT_TOKEN) {
-      // Drill will use end users' Vault tokens for Vault operations
-      if (vaultToken != null) {
-        logger.warn(
-          "When Drill is set to authenticate using end user Vault tokens the " +
-          "[{}] BOOT option is ignored.",
-          VAULT_TOKEN
-        );
-      }
-    } else {
-      // Drill needs its own Vault token set in a BOOT option
-      if (vaultToken == null) {
-        throw new DrillbitStartupException(String.format(
-          "Only the %s method is supported if you do not set a token in the " +
-            "[%s] config option.",
-          VaultAuthMethod.VAULT_TOKEN,
-          VAULT_TOKEN
-        ));
-      }
-      vaultConfBuilder.token(vaultToken);
-    }
 
     // Initialise Vault client
     try {
@@ -127,11 +103,9 @@ public class VaultUserAuthenticator implements UserAuthenticator {
       logger.error(String.join(System.lineSeparator(),
           "Error initialising the Vault client library using configuration: ",
           "\tvaultAddress: {}",
-          "\tvaultToken: {}",
           "\tauthMethod: {}"
         ),
         vaultAddress,
-        vaultToken,
         authMethod,
         e
       );
@@ -175,9 +149,10 @@ public class VaultUserAuthenticator implements UserAuthenticator {
         case VAULT_TOKEN:
           // user = username, password = vault token
 
-          // Create a throwaway Vault client using the provided token and send a
-          // token lookup request to Vault which will fail if the token is
-          // invalid.
+          // The BetterCloud Vault client doesn't provide an auth-by-token
+          // method so instead we create a throwaway Vault client using the
+          // provided token and send a token lookup request to Vault which
+          // will fail if the token is invalid.
           VaultConfig lookupConfig = new VaultConfig()
             .address(this.vaultConfig.getAddress())
             .token(password)
diff --git a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestVaultUserAuthenticator.java b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestVaultUserAuthenticator.java
index d5e33c2..d5bf5cf 100644
--- a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestVaultUserAuthenticator.java
+++ b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestVaultUserAuthenticator.java
@@ -74,7 +74,6 @@ public class TestVaultUserAuthenticator extends ClusterTest {
       .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
       .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "vault")
       .configProperty(VaultUserAuthenticator.VAULT_ADDRESS, vaultAddr)
-      .configProperty(VaultUserAuthenticator.VAULT_TOKEN, ROOT_TOKEN_VALUE)
       .configProperty(
         VaultUserAuthenticator.VAULT_AUTH_METHOD,
         VaultUserAuthenticator.VaultAuthMethod.USER_PASS
@@ -110,7 +109,6 @@ public class TestVaultUserAuthenticator extends ClusterTest {
       .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
       .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "vault")
       .configProperty(VaultUserAuthenticator.VAULT_ADDRESS, vaultAddr)
-      // test without any VAULT_TOKEN boot option for token auth method
       .configProperty(
         VaultUserAuthenticator.VAULT_AUTH_METHOD,
         VaultUserAuthenticator.VaultAuthMethod.VAULT_TOKEN