You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/06/19 12:04:05 UTC
[GitHub] rabbah commented on a change in pull request #3722: Scala based
admin tooling
rabbah commented on a change in pull request #3722: Scala based admin tooling
URL: https://github.com/apache/incubator-openwhisk/pull/3722#discussion_r196394744
##########
File path: tools/admin/src/main/scala/whisk/core/database/UserCommand.scala
##########
@@ -0,0 +1,352 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package whisk.core.database
+
+import java.util.UUID
+
+import akka.actor.ActorSystem
+import akka.stream.ActorMaterializer
+import akka.stream.scaladsl.{Sink, Source}
+import org.rogach.scallop.{ScallopConfBase, Subcommand}
+import spray.json.{JsBoolean, JsObject, JsString, JsValue, RootJsonFormat}
+import whisk.common.{Logging, TransactionId}
+import whisk.core.cli.{CommandError, CommandMessages, IllegalState, WhiskCommand}
+import whisk.core.database.UserCommand.ExtendedAuth
+import whisk.core.entity.types._
+import whisk.core.entity.{
+ AuthKey,
+ DocInfo,
+ EntityName,
+ Identity,
+ Subject,
+ WhiskAuth,
+ WhiskDocumentReader,
+ WhiskNamespace
+}
+import whisk.http.Messages
+import whisk.spi.SpiLoader
+
+import scala.concurrent.{ExecutionContext, Future}
+import scala.reflect.classTag
+import scala.util.{Properties, Try}
+
+class UserCommand extends Subcommand("user") with WhiskCommand {
+ descr("manage users")
+
+ class CreateUserCmd extends Subcommand("create") {
+ descr("create a user and show authorization key")
+ val auth =
+ opt[String](
+ descr = "the uuid:key to initialize the subject authorization key with",
+ argName = "AUTH",
+ short = 'u')
+ val namespace =
+ opt[String](descr = "create key for given namespace instead (defaults to subject id)", argName = "NAMESPACE")
+ val subject = trailArg[String](descr = "the subject to create")
+
+ validate(subject) { s =>
+ if (s.length < 5) {
+ Left(CommandMessages.shortName)
+ } else {
+ Right(Unit)
+ }
+ }
+
+ validate(auth) { a =>
+ a.split(":") match {
+ case Array(uuid, key) =>
+ if (key.length < 64) {
+ Left(CommandMessages.shortKey)
+ } else if (!isUUID(uuid)) {
+ Left(CommandMessages.invalidUUID)
+ } else {
+ Right(Unit)
+ }
+ case _ => Left(s"failed to determine authorization id and key: $a")
+ }
+
+ }
+
+ def isUUID(u: String) = Try(UUID.fromString(u)).isSuccess
+
+ def desiredNamespace = EntityName(namespace.getOrElse(subject()).trim)
+
+ def authKey: AuthKey = auth.map(AuthKey(_)).getOrElse(AuthKey())
+ }
+
+ val create = new CreateUserCmd
+
+ addSubcommand(create)
+
+ val delete = new Subcommand("delete") {
+ descr("delete a user")
+ val subject = trailArg[String](descr = "the subject to delete")
+ val namespace =
+ opt[String](descr = "delete key for given namespace only", argName = "NAMESPACE")
+ }
+ addSubcommand(delete)
+
+ val get = new Subcommand("get") {
+ descr("get authorization key for user")
+
+ val subject = trailArg[String](descr = "the subject to get key for")
+ val namespace =
+ opt[String](descr = "the namespace to get the key for, defaults to subject id", argName = "NAMESPACE")
+
+ val all = opt[Boolean](descr = "list all namespaces and their keys")
+ }
+ addSubcommand(get)
+
+ val whois = new Subcommand("whois") {
+ descr("identify user from an authorization key")
+ val authkey = trailArg[String](descr = "the credentials to look up 'uuid:key'")
+ }
+ addSubcommand(whois)
+
+ val list = new Subcommand("list") {
+ descr("list authorization keys associated with a namespace")
+ val namespace = trailArg[String](descr = "the namespace to lookup")
+
+ val pick = opt[Int](descr = "show no more than N identities", argName = "N", validate = _ > 0)
+ val key = opt[Boolean](descr = "show only the keys")
+ val all = opt[Boolean](descr = "show all identities")
+
+ def limit: Int = {
+ if (all.isSupplied) 0
+ else pick.getOrElse(0)
+ }
+
+ def showOnlyKeys = key.isSupplied
+ }
+ addSubcommand(list)
+
+ val block = new Subcommand("block") {
+ descr("block one or more users")
+ val subjects = trailArg[List[String]](descr = "one or more users to block")
+ }
+ addSubcommand(block)
+
+ val unblock = new Subcommand("unblock") {
+ descr("unblock one or more users")
+ val subjects = trailArg[List[String]](descr = "one or more users to unblock")
+ }
+ addSubcommand(unblock)
+
+ def exec(cmd: ScallopConfBase)(implicit system: ActorSystem,
+ logging: Logging,
+ materializer: ActorMaterializer,
+ transid: TransactionId): Future[Either[CommandError, String]] = {
+ implicit val executionContext = system.dispatcher
+ val authStore = UserCommand.createDataStore()
+ val result = cmd match {
+ case `create` => createUser(authStore)
+ case `delete` => deleteUser(authStore)
+ case `get` => getKey(authStore)
+ case `whois` => whoIs(authStore)
+ case `list` => list(authStore)
+ case `block` => changeUserState(authStore, block.subjects(), blocked = true)
+ case `unblock` => changeUserState(authStore, unblock.subjects(), blocked = false)
+ }
+ result.onComplete { _ =>
+ authStore.shutdown()
+ }
+ result
+ }
+
+ def createUser(authStore: AuthStore)(implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ authStore.get[ExtendedAuth](DocInfo(create.subject())).flatMap { auth =>
+ if (auth.isBlocked) {
+ Future.successful(Left(IllegalState(CommandMessages.subjectBlocked)))
+ } else if (auth.namespaces.exists(_.name == create.desiredNamespace)) {
+ Future.successful(Left(IllegalState(CommandMessages.namespaceExists)))
+ } else {
+ val newNS = auth.namespaces + WhiskNamespace(create.desiredNamespace, create.authKey)
+ val newAuth = WhiskAuth(auth.subject, newNS).revision[WhiskAuth](auth.rev)
+ authStore.put(newAuth).map(_ => Right(create.authKey.compact))
+ }
+ }
+ }.recoverWith {
+ case _: NoDocumentException =>
+ val auth =
+ WhiskAuth(Subject(create.subject()), Set(WhiskNamespace(create.desiredNamespace, create.authKey)))
+ authStore.put(auth).map(_ => Right(create.authKey.compact))
+ }
+
+ def deleteUser(authStore: AuthStore)(implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ authStore
+ .get[ExtendedAuth](DocInfo(delete.subject()))
+ .flatMap { auth =>
+ delete.namespace
+ .map { namespaceToDelete =>
+ val newNS = auth.namespaces.filter(_.name.asString != namespaceToDelete)
+ if (newNS == auth.namespaces) {
+ Future.successful(
+ Left(IllegalState(CommandMessages.namespaceMissing(namespaceToDelete, delete.subject()))))
+ } else {
+ val newAuth = WhiskAuth(auth.subject, newNS).revision[WhiskAuth](auth.rev)
+ authStore.put(newAuth).map(_ => Right(CommandMessages.namespaceDeleted))
+ }
+ }
+ .getOrElse {
+ authStore.del(auth.docinfo).map(_ => Right(CommandMessages.subjectDeleted))
+ }
+ }
+ .recover {
+ case _: NoDocumentException =>
+ Left(IllegalState(CommandMessages.subjectMissing))
+ }
+ }
+
+ def getKey(authStore: AuthStore)(implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ authStore
+ .get[ExtendedAuth](DocInfo(get.subject()))
+ .map { auth =>
+ if (get.all.isSupplied) {
+ val msg = auth.namespaces.map(ns => s"${ns.name}\t${ns.authkey.compact}").mkString(Properties.lineSeparator)
+ Right(msg)
+ } else {
+ val ns = get.namespace.getOrElse(get.subject())
+ auth.namespaces
+ .find(_.name.asString == ns)
+ .map(n => Right(n.authkey.compact))
+ .getOrElse(Left(IllegalState(CommandMessages.namespaceMissing(ns, get.subject()))))
+ }
+ } recover {
+ case _: NoDocumentException =>
+ Left(IllegalState(CommandMessages.subjectMissing))
+ }
+ }
+
+ def whoIs(authStore: AuthStore)(implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ Identity
+ .get(authStore, AuthKey(whois.authkey()))
+ .map { i =>
+ val msg = Seq(s"subject: ${i.subject}", s"namespace: ${i.namespace}").mkString(Properties.lineSeparator)
+ Right(msg)
+ }
+ .recover {
+ case _: NoDocumentException =>
+ Left(IllegalState(CommandMessages.subjectMissing))
+ }
+ }
+
+ def list(authStore: AuthStore)(implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ Identity
+ .list(authStore, List(list.namespace()), limit = list.limit)
+ .map { rows =>
+ if (rows.isEmpty) Left(IllegalState(CommandMessages.namespaceMissing(list.namespace())))
+ else {
+ val msg = rows
+ .map { row =>
+ row.getFields("id", "value") match {
+ case Seq(JsString(subject), JsObject(value)) =>
+ val JsString(uuid) = value("uuid")
+ val JsString(secret) = value("key")
+ s"$uuid:$secret${if (list.showOnlyKeys) "" else s"\t$subject"}"
+ case _ => throw new IllegalStateException("identities view malformed")
+ }
+ }
+ .mkString(Properties.lineSeparator)
+ Right(msg)
+ }
+ }
+ }
+
+ def changeUserState(authStore: AuthStore, subjects: List[String], blocked: Boolean)(
+ implicit transid: TransactionId,
+ materializer: ActorMaterializer,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ Source(subjects)
+ .mapAsync(1)(changeUserState(authStore, _, blocked))
+ .runWith(Sink.seq[Either[CommandError, String]])
+ .map { rows =>
+ val lefts = rows.count(_.isLeft)
+ val msg = rows
+ .map {
+ case Left(x) => x.message
+ case Right(x) => x
+ }
+ .mkString(Properties.lineSeparator)
+
+ if (lefts > 0) Left(new CommandError(msg, lefts)) else Right(msg)
+ }
+ }
+
+ private def changeUserState(authStore: AuthStore, subject: String, blocked: Boolean)(
+ implicit transid: TransactionId,
+ ec: ExecutionContext): Future[Either[CommandError, String]] = {
+ authStore
+ .get[ExtendedAuth](DocInfo(subject))
+ .flatMap { auth =>
+ val newAuth = new ExtendedAuth(auth.subject, auth.namespaces, Some(blocked))
+ newAuth.revision[ExtendedAuth](auth.rev)
+ val msg = if (blocked) CommandMessages.blocked(subject) else CommandMessages.unblocked(subject)
+ authStore.put(newAuth).map(_ => Right(msg))
+ }
+ .recover {
+ case _: NoDocumentException =>
+ Left(IllegalState(CommandMessages.subjectMissing(subject)))
+ }
+ }
+}
+
+object UserCommand {
+ def createDataStore()(implicit system: ActorSystem,
+ logging: Logging,
+ materializer: ActorMaterializer): ArtifactStore[WhiskAuth] =
+ SpiLoader
+ .get[ArtifactStoreProvider]
+ .makeStore[WhiskAuth]()(
+ classTag[WhiskAuth],
+ ExtendedAuthFormat,
+ WhiskDocumentReader,
+ system,
+ logging,
+ materializer)
+
+ class ExtendedAuth(subject: Subject, namespaces: Set[WhiskNamespace], blocked: Option[Boolean])
+ extends WhiskAuth(subject, namespaces) {
+ override def toJson: JsObject =
+ blocked.map(b => JsObject(super.toJson.fields + ("blocked" -> JsBoolean(b)))).getOrElse(super.toJson)
+
+ def isBlocked: Boolean = blocked.getOrElse(false)
+ }
+
+ private object ExtendedAuthFormat extends RootJsonFormat[WhiskAuth] {
Review comment:
should this be moved to WhiskAuth?
@markusthoemmes opinion?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services