Date: Fri, 6 Jan 2017 10:26:58 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: dev@brooklyn.apache.org
Subject: [jira] [Commented] (BROOKLYN-421) Catalog libraries: externalized config for basic-auth credentials in url (via YAML)

    [ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15804237#comment-15804237 ]

ASF GitHub Bot commented on BROOKLYN-421:
-----------------------------------------

Github user asfgit closed the pull request
at: https://github.com/apache/brooklyn-server/pull/502


> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
>                 Key: BROOKLYN-421
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-421
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are retrieved from their Nexus repo using basic-auth. They want the nexus credentials to be stored in an externalized credential store. They want the credentials to be able to contain special characters (e.g. "@") that are not valid in a URL.
> Building up to this, here is what we currently support...
> Either of the catalog items below is valid (i.e. the credentials can be encoded in the url; the library can be supplied either as a string or as a map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
> For usernames / passwords with special characters, these need to be escaped before adding to the url. For example, for username "myuser@example.com", the url would be {{https://myuser%40mydomain.com:mypass@nexus.example.com/mybundle.jar}}.
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this requires that the externalised config stores the username and password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially logged or persisted.
> ---
> We could fix the first of these problems (i.e. credentials store can just supply the raw username/password) by adding DSL support for {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> ---
> Alternatively (as well?) we could supply the basic-auth credentials as an explicit configuration option. The advantage of this is that we should be able to keep it as the DSL "deferred supplier" so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this is fiddly to implement. Looking at the code path for where it eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
>    java.lang.Thread.State: RUNNABLE
> 	at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
> 	at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
> 	at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
> 	at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
> 	at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
> 	at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
> 	at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
> 	at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
> 	at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
> 	at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
> 	at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
> 	at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
> 	at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
> 	at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
> 	at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we have the {{CatalogBundle}} object - after that, we only have the URL string. So that is a lot of methods that would need to change!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
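
The two options weighed in the issue description, side by side, as an added example that is not part of the original message and not Brooklyn code: raw credentials percent-encoded into the URL userinfo (the formatString plus escapeUrl form) versus a credential-free URL with a separate Basic Authorization header (the basicAuth form), plus stripping userinfo before a URL is logged or persisted. The class and method names are hypothetical and the credentials are constructed sample values; it assumes Java 10 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class LibraryUrlCredentials {

    /** Percent-encode a raw username or password for the userinfo part of a URL. */
    static String escapeUserInfo(String raw) {
        // URLEncoder does form encoding (space becomes '+'); in userinfo a space must be %20.
        // A literal '+' in the input is already encoded as %2B, so the replace is safe.
        return URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /** Build the Authorization header value from the raw (unescaped) credentials. */
    static String basicAuthHeader(String user, String pass) {
        byte[] token = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }

    /** Remove the userinfo part so the URL can be logged or persisted. */
    static String withoutUserInfo(String url) {
        String userInfo = URI.create(url).getRawUserInfo();
        if (userInfo == null) {
            return url; // nothing embedded, nothing to strip
        }
        int at = url.indexOf(userInfo + "@");
        return url.substring(0, at) + url.substring(at + userInfo.length() + 1);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for what the external provider returns.
        String user = "myuser@example.com";
        String pass = "p@ss:w/rd";

        // Credentials in the URL: valid once escaped, but the secret travels with the string.
        String url = String.format("https://%s:%s@nexus.example.com/mybundle.jar",
                escapeUserInfo(user), escapeUserInfo(pass));
        System.out.println("fetch URL : " + url);
        System.out.println("log-safe  : " + withoutUserInfo(url));

        // Credentials kept apart: the URL carries no secret, the header uses the raw values.
        System.out.println("header    : " + basicAuthHeader(user, pass));
    }
}
```

Without the escaping step, the "@", ":" and "/" in the raw values would be read as URL delimiters and the host would be parsed incorrectly.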