brooklyn-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-421) Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
Date Mon, 06 Feb 2017 14:22:41 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854069#comment-15854069 ]

ASF GitHub Bot commented on BROOKLYN-421:
-----------------------------------------

GitHub user aledsage opened a pull request:

    https://github.com/apache/brooklyn-server/pull/551

    BROOKLYN-421: Adds DSL for $brooklyn:urlEncode(...)

    As stated in the comments within the code, the url encoding is based on "x-www-form-urlencoded".
    Therefore care must be taken if encoding username or password (e.g. in "http://myuser:mypass@myhost").
    It will not encode space correctly, and will not escape "*". The latter we can probably live
    with, but the former will be wrong.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/aledsage/brooklyn-server BROOKLYN-421

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/brooklyn-server/pull/551.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #551
    
----
commit fa387821a0594fbd107f0edcb1ee73144a30987b
Author: Aled Sage <aled.sage@gmail.com>
Date:   2017-02-06T12:55:03Z

    Urls.encode(String) specifies UTF-8

commit 316452e578d7199227cf9a5472a4cde7bf2faf8a
Author: Aled Sage <aled.sage@gmail.com>
Date:   2017-01-20T22:29:07Z

    BROOKLYN-421: Adds DSL for $brooklyn:urlEncode(...)

commit 9275edb58c09081fe6ec9d9d5a7bbb241e3f5e8f
Author: Aled Sage <aled.sage@gmail.com>
Date:   2017-02-06T13:53:25Z

    AbstractYamlRebindTest: updates as per AbstractYamlTest
    
    Replaced the createAndStartApplication impl with that from
    AbstractYamlTest. (Before this change, I saw a NoSuchElementException
    because it failed to find the task for the start effector - I’m guessing
    there’s a race for when that task is created).

----


> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
>                 Key: BROOKLYN-421
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-421
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are retrieved from their Nexus repo using basic-auth. They want the nexus credentials to be stored in an externalized credential store. They want the credentials to be able to contain special characters (e.g. "@") that are not valid in a URL.
> Building up to this, here is what we currently support...
> Either of the catalog items below is valid (i.e. the credentials can be encoded in the url; the library can be supplied either as a string or as a map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
> For usernames / passwords with special characters, these need to be escaped before adding to the url. For example, for username "myuser@example.com", the url would be {{https://myuser%40mydomain.com:mypass@nexus.example.com/mybundle.jar}}.
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this requires that the externalised config stores the username and password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially logged or persisted.
> ---
> We could fix the first of these problems (i.e. credentials store can just supply the raw username/password) by adding DSL support for {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> ---
> Alternatively (as well?) we could supply the basic-auth credentials as an explicit configuration option. The advantage of this is that we should be able to keep it as the DSL "deferred supplier" so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this is fiddly to implement. Looking at the code path for where it eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
>    java.lang.Thread.State: RUNNABLE
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
>         at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
>         at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
>         at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
>         at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
>         at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
>         at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we have the {{CatalogBundle}} object - after that, we only have the URL string. So that is a lot of methods that would need to change!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
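
The encoding caveat in the pull-request description above, as an added example that is not part of the original message or of the Brooklyn code base: it compares x-www-form-urlencoded output from `java.net.URLEncoder` with a percent-encoding suited to the user-info part of a URL, then parses both URLs back with `java.net.URI`. The class name, helper names and sample credentials are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;

public class UserInfoEncoding {

    // x-www-form-urlencoded, as implemented by java.net.URLEncoder:
    // space becomes "+", and "*" is left as it is.
    static String formEncode(String raw) throws UnsupportedEncodingException {
        return URLEncoder.encode(raw, "UTF-8");
    }

    // Percent-encoding suitable for the user-info part of a URL. URLEncoder
    // emits a literal "+" as %2B, so every "+" in its output stands for a
    // space and can be rewritten to %20 safely.
    static String userInfoEncode(String raw) throws UnsupportedEncodingException {
        return formEncode(raw).replace("+", "%20").replace("*", "%2A");
    }

    // What a URL parser hands back as user-info after undoing the %XX escapes.
    static String decodedUserInfo(String url) {
        return URI.create(url).getUserInfo();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials, not taken from any real system.
        String user = "myuser@example.com";
        String pass = "p@ss w*rd";
        String template = "https://%s:%s@nexus.example.com/mybundle.jar";

        String formUrl = String.format(template, formEncode(user), formEncode(pass));
        String safeUrl = String.format(template, userInfoEncode(user), userInfoEncode(pass));

        System.out.println("form-encoded url : " + formUrl);
        System.out.println("  parsed back as : " + decodedUserInfo(formUrl));
        System.out.println("userinfo-encoded : " + safeUrl);
        System.out.println("  parsed back as : " + decodedUserInfo(safeUrl));

        String expected = user + ":" + pass;
        System.out.println("form round trip ok     : " + expected.equals(decodedUserInfo(formUrl)));
        System.out.println("userinfo round trip ok : " + expected.equals(decodedUserInfo(safeUrl)));
    }
}
```

`java.net.URI` does not treat `+` as a space when decoding user-info, so the form-encoded URL yields a password that differs from the stored one, while the second URL round-trips.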
