Posted to commits@bookkeeper.apache.org by si...@apache.org on 2018/01/05 19:23:31 UTC

[bookkeeper] branch master updated: BookieNettyServer: add contextHandler to the local transport pipeline

This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new dc30763  BookieNettyServer: add contextHandler to the local transport pipeline
dc30763 is described below

commit dc30763f21a3b06d6cb429998c3d3cb2a7aac8f2
Author: Samuel Just <sj...@salesforce.com>
AuthorDate: Fri Jan 5 11:23:24 2018 -0800

    BookieNettyServer: add contextHandler to the local transport pipeline
    
    Left off of 8e0bd2c3d81b522e97434d8646915f36422a104b.  In fact,
    authentication is already enabled on LocalTransport.  This extra line is
    needed for the machinery which allows auth plugins to access ssl state.
    Currently, the only plugin which uses that machinery is in TestTLS.
    Adds test cases to validate that functionality with Local Transport
    enabled.
    
    Signed-off-by: Samuel Just <sjustsalesforce.com>
    
    Author: Samuel Just <sj...@salesforce.com>
    
    Reviewers: Enrico Olivelli <eo...@gmail.com>
    
    This closes #941 from athanatos/forupstream/requestprocessorfixes/4
---
 .../apache/bookkeeper/proto/BookieNettyServer.java |  1 +
 .../java/org/apache/bookkeeper/tls/TestTLS.java    | 67 ++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/proto/BookieNettyServer.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/proto/BookieNettyServer.java
index a2d7fc9..dc2cbce 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/proto/BookieNettyServer.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/proto/BookieNettyServer.java
@@ -372,6 +372,7 @@ class BookieNettyServer {
                             : new RejectRequestHandler();
                     pipeline.addLast("bookieRequestHandler", requestHandler);
 
+                    pipeline.addLast("contextHandler", contextHandler);
                 }
             });
 
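Review bot: The added `pipeline.addLast("contextHandler", contextHandler);` carries no comment, and nothing at this site says why the local-transport pipeline needs it. Per the commit message, this handler is what lets auth plugins read the channel's TLS state, so a certificate-based plugin would presumably see no TLS context on local channels without it. I would add `// Required so auth plugins can read TLS/channel state on LocalTransport; keep in step with the TCP pipeline.` above the line. The enclosing channel initializer starts outside the hunk, so I cannot confirm that the handler order matches the TCP pipeline.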
diff --git a/bookkeeper-server/src/test/java/org/apache/bookkeeper/tls/TestTLS.java b/bookkeeper-server/src/test/java/org/apache/bookkeeper/tls/TestTLS.java
index 65cb7d1..1ba7f94 100644
--- a/bookkeeper-server/src/test/java/org/apache/bookkeeper/tls/TestTLS.java
+++ b/bookkeeper-server/src/test/java/org/apache/bookkeeper/tls/TestTLS.java
@@ -178,6 +178,21 @@ public class TestTLS extends BookKeeperClusterTestCase {
         testClient(clientConf, numBookies);
     }
 
+    /**
+     * Verify the basic use of TLS. TLS client, TLS servers with LocalTransport.
+     */
+    @Test
+    public void testConnectToLocalTLSClusterTLSClient() throws Exception {
+        ServerConfiguration serverConf = new ServerConfiguration();
+        for (ServerConfiguration conf : bsConfs) {
+            conf.setDisableServerSocketBind(true);
+            conf.setEnableLocalTransport(true);
+        }
+        restartBookies(serverConf);
+
+        ClientConfiguration clientConf = new ClientConfiguration(baseClientConf);
+        testClient(clientConf, numBookies);
+    }
 
     /**
      * Multiple clients, some with TLS, and some without TLS.
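Review bot: In `testConnectToLocalTLSClusterTLSClient` the local-transport flags are set on the entries of `bsConfs`, while `restartBookies` receives a fresh `new ServerConfiguration()` that carries neither `baseConf` nor those flags. The two other local-transport tests added in this commit build `new ServerConfiguration(baseConf)` and set the flags on the object they pass in. `restartBookies` is not visible here, so it is unclear which configuration takes effect; if it applies the argument, the bookies would restart without the TLS settings and the test would not cover what its Javadoc states. I would use `ServerConfiguration serverConf = new ServerConfiguration(baseConf);` and call `serverConf.setDisableServerSocketBind(true); serverConf.setEnableLocalTransport(true);` in place of the loop.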
@@ -327,6 +342,30 @@ public class TestTLS extends BookKeeperClusterTestCase {
     }
 
     /**
+     * Verify that a bookie-side Auth plugin can access server certificates over LocalTransport.
+     */
+    @Test
+    public void testBookieAuthPluginRequireClientTLSAuthenticationLocal() throws Exception {
+        ServerConfiguration serverConf = new ServerConfiguration(baseConf);
+        serverConf.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
+        serverConf.setDisableServerSocketBind(true);
+        serverConf.setEnableLocalTransport(true);
+        restartBookies(serverConf);
+
+        secureBookieSideChannel = false;
+        secureBookieSideChannelPrincipals = null;
+        ClientConfiguration clientConf = new ClientConfiguration(baseClientConf);
+
+        testClient(clientConf, numBookies);
+        assertTrue(secureBookieSideChannel);
+        assertNotNull(secureBookieSideChannelPrincipals);
+        assertTrue(!secureBookieSideChannelPrincipals.isEmpty());
+        assertTrue(secureBookieSideChannelPrincipals.iterator().next() instanceof Certificate);
+        Certificate cert = (Certificate) secureBookieSideChannelPrincipals.iterator().next();
+        assertTrue(cert instanceof X509Certificate);
+    }
+
+    /**
      * Verify that a bookie-side Auth plugin can access server certificates.
      */
     @Test
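Review bot: The Javadoc on `testBookieAuthPluginRequireClientTLSAuthenticationLocal` says the plugin can access "server certificates", but the assertions inspect `secureBookieSideChannelPrincipals`, which presumably holds the certificates the client presented to the bookie. I would word it as `Verify that a bookie-side Auth plugin sees the client's X509 certificate over LocalTransport.` The same sentence is copied unchanged onto `testBookieAuthPluginDenyAccessToClientWithoutTLSAuthenticationLocal` in the next hunk, where it should describe the denial instead. As a style point, `assertTrue(!secureBookieSideChannelPrincipals.isEmpty());` reads better as `assertFalse(secureBookieSideChannelPrincipals.isEmpty());`, assuming `assertFalse` is already imported in this file.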
@@ -353,6 +392,34 @@ public class TestTLS extends BookKeeperClusterTestCase {
     }
 
     /**
+     * Verify that a bookie-side Auth plugin can access server certificates over LocalTransport.
+     */
+    @Test
+    public void testBookieAuthPluginDenyAccessToClientWithoutTLSAuthenticationLocal() throws Exception {
+        ServerConfiguration serverConf = new ServerConfiguration(baseConf);
+        serverConf.setTLSClientAuthentication(false);
+        serverConf.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
+        serverConf.setDisableServerSocketBind(true);
+        serverConf.setEnableLocalTransport(true);
+        restartBookies(serverConf);
+
+        secureBookieSideChannel = false;
+        secureBookieSideChannelPrincipals = null;
+        ClientConfiguration clientConf = new ClientConfiguration(baseClientConf);
+        clientConf.setTLSClientAuthentication(false);
+
+        try {
+            testClient(clientConf, numBookies);
+            fail("Shouldn't be able to connect");
+        } catch (BKException.BKUnauthorizedAccessException authFailed) {
+        }
+
+        assertTrue(secureBookieSideChannel);
+        assertNotNull(secureBookieSideChannelPrincipals);
+        assertTrue(secureBookieSideChannelPrincipals.isEmpty());
+    }
+
+    /**
      * Verify that a bookie-side Auth plugin can access server certificates.
      */
     @Test
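Review bot: The `catch (BKException.BKUnauthorizedAccessException authFailed) { }` block is empty and uncommented, so the expected denial reads like a swallowed error. I would write `} catch (BKException.BKUnauthorizedAccessException expected) {` with `// expected: the auth plugin rejects a client that presents no certificate` inside it. The assertions after the catch are the security-relevant part of the test, since they show the plugin saw a TLS channel with an empty principal set. A one-line comment saying so would make clear that the rejection came from the plugin and not from a failed connection.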
