Posted to dev@brooklyn.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/01/03 14:34:58 UTC

[jira] [Commented] (BROOKLYN-421) Catalog libraries: externalized config for basic-auth credentials in url (via YAML)

    [ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15795193#comment-15795193 ] 

ASF GitHub Bot commented on BROOKLYN-421:
-----------------------------------------

Github user neykov commented on a diff in the pull request:

    https://github.com/apache/brooklyn-server/pull/502#discussion_r94412314
  
    --- Diff: camp/camp-brooklyn/src/test/java/org/apache/brooklyn/camp/brooklyn/catalog/CatalogOsgiLibraryTest.java ---
    @@ -0,0 +1,286 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied.  See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +package org.apache.brooklyn.camp.brooklyn.catalog;
    +
    +import static org.testng.Assert.assertEquals;
    +
    +import java.io.InputStream;
    +import java.net.URL;
    +import java.nio.charset.StandardCharsets;
    +import java.util.Map;
    +
    +import org.apache.brooklyn.api.catalog.CatalogItem;
    +import org.apache.brooklyn.api.catalog.CatalogItem.CatalogBundle;
    +import org.apache.brooklyn.api.mgmt.ManagementContext;
    +import org.apache.brooklyn.camp.brooklyn.AbstractYamlTest;
    +import org.apache.brooklyn.core.config.external.AbstractExternalConfigSupplier;
    +import org.apache.brooklyn.core.mgmt.internal.ExternalConfigSupplierRegistry;
    +import org.apache.brooklyn.core.mgmt.internal.ManagementContextInternal;
    +import org.apache.brooklyn.core.mgmt.osgi.OsgiVersionMoreEntityTest;
    +import org.apache.brooklyn.entity.stock.BasicApplication;
    +import org.apache.brooklyn.test.Asserts;
    +import org.apache.brooklyn.test.support.TestResourceUnavailableException;
    +import org.apache.brooklyn.util.core.http.BetterMockWebServer;
    +import org.apache.brooklyn.util.stream.Streams;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +import org.testng.annotations.AfterMethod;
    +import org.testng.annotations.BeforeMethod;
    +import org.testng.annotations.Test;
    +
    +import com.google.common.collect.ImmutableMap;
    +import com.google.common.collect.Iterables;
    +import com.google.common.io.BaseEncoding;
    +import com.google.common.net.UrlEscapers;
    +import com.google.mockwebserver.Dispatcher;
    +import com.google.mockwebserver.MockResponse;
    +import com.google.mockwebserver.RecordedRequest;
    +
    +public class CatalogOsgiLibraryTest extends AbstractYamlTest {
    +    
    +    @SuppressWarnings("unused")
    +    private static final Logger log = LoggerFactory.getLogger(CatalogOsgiLibraryTest.class);
    +
    +    private BetterMockWebServer webServer;
    +
    +    private String jarName = "brooklyn-test-osgi-entities.jar";
    +    private String malformedJarName = "thisIsNotAJar.jar";
    +    private String classpathUrl = "classpath:/brooklyn/osgi/" + jarName;
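Review bot: jarName, malformedJarName and classpathUrl at the end of this hunk are declared as mutable instance fields although each holds a fixed value; declare them `private static final` with constant-style names so no test method can reassign them and carry state into the next test. The logger just above them is annotated `@SuppressWarnings("unused")`; either log from the tests or drop the field instead of suppressing the warning.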
    --- End diff --
    
    Use constants from [OsgiTestResources](https://github.com/apache/brooklyn-server/blob/master/utils/common/src/test/java/org/apache/brooklyn/util/osgi/OsgiTestResources.java#L46) here and below.


> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
>                 Key: BROOKLYN-421
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-421
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are retrieved from their Nexus repo using basic-auth. They want the nexus credentials to be stored in an externalized credential store. They want the credentials to be able to contain special characters (e.g. "@") that are not valid in a URL.
> Building up to this, here is what we currently support...
> Either of the catalog items below is valid (i.e. the credentials can be encoded in the url; the library can be supplied either as a string or as a map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> ---
> # Same item, with the library given as a plain string instead of a map
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
> For usernames / passwords with special characters, these need to be escaped before adding to the url. For example, for username "myuser@example.com", the url would be {{https://myuser%40mydomain.com:mypass@nexus.example.com/mybundle.jar}}.
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this requires that the externalised config stores the username and password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially logged or persisted.
> ---
> We could fix the first of these problems (i.e. credentials store can just supply the raw username/password) by adding DSL support for {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> ---
> Alternatively (as well?) we could supply the basic-auth credentials as an explicit configuration option. The advantage of this is that we should be able to keep it as the DSL "deferred supplier" and so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this is fiddly to implement. Looking at the code path for where it eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
>    java.lang.Thread.State: RUNNABLE
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
>         at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
>         at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
>         at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
>         at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
>         at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
>         at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we have the {{CatalogBundle}} object - after that, we only have the URL string. So that is a lot of methods that would need to change!
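
The two options weighed in the issue description above, shown side by side as an added example; this is not code from the issue, the pull request or Brooklyn. The class and method names are hypothetical, the credentials are constructed sample values, and only JDK classes are used.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthUrlExample {

    // Percent-encode every byte that is not an RFC 3986 "unreserved" character,
    // so '@', ':' and '/' inside a credential cannot be mistaken for URL delimiters.
    static String escapeUserInfoPart(String raw) {
        StringBuilder out = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) out.append((char) c);
            else out.append(String.format("%%%02X", c));
        }
        return out.toString();
    }

    // Authorization header value built from the raw credentials: nothing is
    // URL-escaped and the URL itself stays free of secrets.
    static String basicAuthHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Rebuild an http(s) URL without its userinfo, for log lines and persisted state.
    static String withoutUserInfo(String url) throws Exception {
        URI u = new URI(url);
        StringBuilder sb = new StringBuilder(u.getScheme()).append("://").append(u.getHost());
        if (u.getPort() != -1) sb.append(':').append(u.getPort());
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String user = "myuser@example.com";   // constructed sample credentials
        String pass = "p@ss:w/rd";
        // Option 1: escaped credentials embedded in the URL (what an escapeUrl step would produce).
        String url = "https://" + escapeUserInfoPart(user) + ":" + escapeUserInfoPart(pass)
                + "@nexus.example.com/mybundle.jar";
        System.out.println("credentials in URL: " + url);
        System.out.println("safe to log:        " + withoutUserInfo(url));
        // Option 2: credential-free URL plus a header (what a separate basicAuth option would allow).
        System.out.println("Authorization:      " + basicAuthHeader(user, pass));
    }
}
```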


