brooklyn-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-421) Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
Date Tue, 14 Feb 2017 11:51:42 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15865647#comment-15865647 ]

ASF GitHub Bot commented on BROOKLYN-421:
-----------------------------------------

Github user geomacy commented on the issue:

    https://github.com/apache/brooklyn-server/pull/551
  
    @aledsage, yes my comment above just meant that on reflection it's not invalid to use URI() to escape illegal characters in that way, but it still doesn't give us all we need; +1 to your suggestion about the more "idiomatic yaml", I like that syntax.


> Catalog libraries: externalized config for basic-auth credentials in url (via YAML)
> -----------------------------------------------------------------------------------
>
>                 Key: BROOKLYN-421
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-421
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Aled Sage
>
> A customer wants to use YAML catalog items, where the library bundles are retrieved from their Nexus repo using basic-auth. They want the nexus credentials to be stored in an externalized credential store. They want the credentials to be able to contain special characters (e.g. "@") that are not valid in a URL.
> Building up to this, here is what we currently support...
> Either of the catalog items below is valid (i.e. the credentials can be encoded in the url; the library can be supplied either as a string or as a map (where the map currently takes keys of "url", "name" and "version")):
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - https://myuser:mypass@nexus.example.com/mybundle.jar
>   item:
>     ...
> {noformat}
> For usernames / passwords with special characters, these need to be escaped before adding to the url. For example, for username "myuser@example.com", the url would be {{https://myuser%40mydomain.com:mypass@nexus.example.com/mybundle.jar}}.
> For externalized config, one can use the example below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:external("myprovider", "username")
>     - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this requires that the externalised config stores the username and password in its url-escaped form (rather than as the raw password).
> It also means that the password is embedded in the url, which is potentially logged or persisted.
> ---
> We could fix the first of these problems (i.e. credentials store can just supply the raw username/password) by adding DSL support for {{$brooklyn:escapeUrl}}. One could write something like:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - $brooklyn:formatString:
>     - https://%s:%s@nexus.example.com/mybundle.jar
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "username")
>     - $brooklyn:escapeUrl:
>       - $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> ---
> Alternatively (as well?) we could supply the basic-auth credentials as an explicit configuration option. The advantage of this is that we should be able to keep it as the DSL "deferred supplier" so not persist the password.
> For example, something like the YAML below:
> {noformat}
> brooklyn.catalog:
>   id: simple-example
>   version: "1.0"
>   itemType: template
>   libraries:
>   - url: https://nexus.example.com/mybundle.jar
>     basicAuth:
>       username: $brooklyn:external("myprovider", "username")
>       password: $brooklyn:external("myprovider", "password")
>   item:
>     ...
> {noformat}
> However, this is fiddly to implement. Looking at the code path for where it eventually loads the bundle over http(s):
> {noformat}
> "main" prio=5 tid=0x00007fa34c002000 nid=0x1703 at breakpoint[0x0000700000217000]
>    java.lang.Thread.State: RUNNABLE
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceViaHttp(ResourceUtils.java:420)
>         at org.apache.brooklyn.util.core.ResourceUtils.getResourceFromUrl(ResourceUtils.java:251)
>         at org.apache.brooklyn.util.core.osgi.Osgis.getUrlStream(Osgis.java:421)
>         at org.apache.brooklyn.util.core.osgi.Osgis.cacheFile(Osgis.java:369)
>         at org.apache.brooklyn.util.core.osgi.Osgis.install(Osgis.java:342)
>         at org.apache.brooklyn.core.mgmt.ha.OsgiManager.registerBundle(OsgiManager.java:122)
>         at org.apache.brooklyn.core.catalog.internal.CatalogUtils.installLibraries(CatalogUtils.java:160)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:494)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:428)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.collectCatalogItems(BasicBrooklynCatalog.java:417)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:974)
>         at org.apache.brooklyn.core.catalog.internal.BasicBrooklynCatalog.addItems(BasicBrooklynCatalog.java:1)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:199)
>         at org.apache.brooklyn.camp.brooklyn.AbstractYamlTest.addCatalogItems(AbstractYamlTest.java:195)
>         at org.apache.brooklyn.camp.brooklyn.catalog.CatalogOsgiVersionMoreEntityTest.testLibraryUrlsUsingExternalizedConfig(CatalogOsgiVersionMoreEntityTest.java:318)
> {noformat}
> One needs to go all the way back to {{OsgiManager.registerBundle}} before we have the {{CatalogBundle}} object - after that, we only have the URL string. So that is a lot of methods that would need to change!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
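
The two options weighed in the issue above, as an added Java example that is not part of the original message or of Brooklyn's code: percent-encoding raw credentials for the userinfo part of a URL, versus sending them in an `Authorization` header so the URL carries no secret, plus stripping userinfo before a URL is logged. The class name, method names and sample credentials are hypothetical.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class LibraryCredentials {
    // RFC 3986 "unreserved" set; every other byte is percent-encoded.
    private static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    /** Percent-encode a raw username or password for the userinfo part of a URL. */
    static String escapeUserInfo(String raw) {
        StringBuilder out = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            if (UNRESERVED.indexOf(c) >= 0) out.append(c);
            else out.append(String.format("%%%02X", b & 0xFF));
        }
        return out.toString();
    }

    /** Authorization header value; the request URL then carries no secret. */
    static String basicAuthHeader(String user, String pass) {
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    /** Remove userinfo before a URL is logged or persisted. */
    static String redactForLog(String url) {
        URI u;
        try { u = URI.create(url); } catch (IllegalArgumentException e) { return "<unparseable url withheld>"; }
        if (u.getHost() == null) return "<unparseable url withheld>";
        if (u.getRawUserInfo() == null) return url;
        return url.replace(u.getRawUserInfo() + "@", "<redacted>@");
    }

    public static void main(String[] args) {
        // Constructed sample credentials containing characters that are not valid in a URL.
        String user = "myuser@example.com";
        String pass = "p@ss:w/rd";
        String url = "https://" + escapeUserInfo(user) + ":" + escapeUserInfo(pass)
            + "@nexus.example.com/mybundle.jar";
        System.out.println("url form:    " + url);
        System.out.println("log form:    " + redactForLog(url));
        System.out.println("header form: " + basicAuthHeader(user, pass));
        // Unescaped "@" in the password: URI finds no host, so nothing is logged.
        System.out.println("raw '@':     " + redactForLog("https://u:p@ss@nexus.example.com/x.jar"));
    }
}
```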
