Posted to dev@brooklyn.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/01/03 14:34:58 UTC
[jira] [Commented] (BROOKLYN-421) Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
[ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15795193#comment-15795193 ]
ASF GitHub Bot commented on BROOKLYN-421:
-----------------------------------------
Github user neykov commented on a diff in the pull request:
https://github.com/apache/brooklyn-server/pull/502#discussion_r94412314
--- Diff: camp/camp-brooklyn/src/test/java/org/apache/brooklyn/camp/brooklyn/catalog/CatalogOsgiLibraryTest.java ---
@@ -0,0 +1,286 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.brooklyn.camp.brooklyn.catalog;
+
+import static org.testng.Assert.assertEquals;
+
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+
+import org.apache.brooklyn.api.catalog.CatalogItem;
+import org.apache.brooklyn.api.catalog.CatalogItem.CatalogBundle;
+import org.apache.brooklyn.api.mgmt.ManagementContext;
+import org.apache.brooklyn.camp.brooklyn.AbstractYamlTest;
+import org.apache.brooklyn.core.config.external.AbstractExternalConfigSupplier;
+import org.apache.brooklyn.core.mgmt.internal.ExternalConfigSupplierRegistry;
+import org.apache.brooklyn.core.mgmt.internal.ManagementContextInternal;
+import org.apache.brooklyn.core.mgmt.osgi.OsgiVersionMoreEntityTest;
+import org.apache.brooklyn.entity.stock.BasicApplication;
+import org.apache.brooklyn.test.Asserts;
+import org.apache.brooklyn.test.support.TestResourceUnavailableException;
+import org.apache.brooklyn.util.core.http.BetterMockWebServer;
+import org.apache.brooklyn.util.stream.Streams;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testng.annotations.AfterMethod;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Iterables;
+import com.google.common.io.BaseEncoding;
+import com.google.common.net.UrlEscapers;
+import com.google.mockwebserver.Dispatcher;
+import com.google.mockwebserver.MockResponse;
+import com.google.mockwebserver.RecordedRequest;
+
+public class CatalogOsgiLibraryTest extends AbstractYamlTest {
+
+ @SuppressWarnings("unused")
+ private static final Logger log = LoggerFactory.getLogger(CatalogOsgiLibraryTest.class);
+
+ private BetterMockWebServer webServer;
+
+ private String jarName = "brooklyn-test-osgi-entities.jar";
+ private String malformedJarName = "thisIsNotAJar.jar";
+ private String classpathUrl = "classpath:/brooklyn/osgi/" + jarName;
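Review bot: the three String fields at the end of this hunk (`jarName`, `malformedJarName`, `classpathUrl`) hold fixed values but are declared as mutable instance fields; declare them `private static final` so no test method can reassign them and so it is clear they are constants. Separately, `log` carries `@SuppressWarnings("unused")`: if nothing in the class logs, drop the field and the two slf4j imports rather than suppress the warning.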
--- End diff --
Use constants from [OsgiTestResources](https://github.com/apache/brooklyn-server/blob/master/utils/common/src/test/java/org/apache/brooklyn/util/osgi/OsgiTestResources.java#L46) here and below.
> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
> Key: BROOKLYN-421
> URL: https://issues.apache.org/jira/browse/BROOKLYN-421
> Project: Brooklyn
> Issue Type: Bug
> Affects Versions: 0.10.0
> Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are retrieved from their Nexus repo using basic-auth. They want the nexus credentials to be stored in an externalized credential store. They want the credentials to be able to contain special characters (e.g. "@") that are not valid in a URL.
> Building up to this, here is what we currently support...
> Either of the catalog items below is valid (i.e. the credentials can be encoded in the url; the library can be supplied either as a string or as a map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
>
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
> For usernames / passwords with special characters, these need to be escaped before adding to the url. For example, for username "myuser@example.com", the url would be {{https://myuser%40mydomain.com:mypass@nexus.example.com/mybundle.jar}}.
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this requires that the externalised config stores the username and password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially logged or persisted.
> ---
> We could fix the first of these problems (i.e. credentials store can just supply the raw username/password) by adding DSL support for {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> ---
> Alternatively (as well?) we could supply the basic-auth credentials as an explicit configuration option. The advantage of this is that we should be able to keep it as the DSL "deferred supplier" and so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this is fiddly to implement. Looking at the code path for where it eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
> java.lang.Thread.State: RUNNABLE
> at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
> at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
> at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
> at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
> at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
> at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
> at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
> at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
> at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
> at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
> at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
> at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
> at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
> at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
> at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we have the {{CatalogBundle}} object - after that, we only have the URL string. So that is a lot of methods that would need to change!
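The two approaches weighed in the issue description above, sketched with JDK classes only as an added example (not code from the pull request or from Brooklyn): escaping raw credentials before embedding them in the URL, versus keeping them out of the URL and sending an `Authorization` header, plus a helper that strips userinfo before a URL is logged or persisted. The class name, method names and sample credentials are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not Brooklyn APIs.
public class BasicAuthUrlExample {

    // Percent-encode a raw username or password for the userinfo part of a URL.
    // URLEncoder targets form encoding, so its "+" for a space is rewritten as "%20".
    static String escapeUserInfo(String raw) throws Exception {
        return URLEncoder.encode(raw, StandardCharsets.UTF_8.name()).replace("+", "%20");
    }

    // Approach 1: credentials embedded in the URL, which requires escaping them first.
    static String urlWithCredentials(String hostAndPath, String user, String pass) throws Exception {
        return String.format("https://%s:%s@%s",
                escapeUserInfo(user), escapeUserInfo(pass), hostAndPath);
    }

    // Approach 2: credentials kept out of the URL and sent as a request header.
    // The raw values are used as-is; no URL escaping is involved.
    static String basicAuthHeader(String user, String pass) {
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Rebuild the URL without its userinfo so it can be logged or persisted.
    static String redactUserInfo(String url) throws Exception {
        URI u = new URI(url);
        return new URI(u.getScheme(), null, u.getHost(), u.getPort(),
                u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials containing characters not valid in userinfo.
        String user = "myuser@example.com";
        String pass = "p@ss:w/rd 1";
        String url = urlWithCredentials("nexus.example.com/mybundle.jar", user, pass);
        System.out.println("URL with escaped credentials: " + url);
        System.out.println("Safe to log:                  " + redactUserInfo(url));
        System.out.println("Authorization header value:   " + basicAuthHeader(user, pass));
    }
}
```

The header value is only Base64-encoded, so it needs the same log and persistence hygiene as the password itself.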