karaf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david.a.jen...@gmail.com>
Subject Re: Authentication with configuration: BundlevsDeclarativeService?
Date Fri, 23 Aug 2019 16:30:57 GMT


> On Aug 23, 2019, at 8:00 AM, Kamil Paśko <kamil.pasko@antologic.com> wrote:
> 
> David,
>  
> > Is the operator creating the account in the authentication service, so that the
previously invalid credentials become valid?
>  
> Exactly
>  
> > How does your system deal with failures in communication to the authentication service?
Is the operator required to restart all the “weather station” bundles? Is it possible
to treat “invalid credentials” the same as “no communication to the authentication service”?
>  
> In both cases it’s the same: in case of „no communication” or „invalid credentials”
– bundle should stop (with proper message in logs) and should not send any data
> So neither  bundle, nor the  service have any state. If bundle  can not authenticate
itself – it just stops.
>  
> > Can you use the service presence rather than the bundle state to determine “health”?
>  
> I don’t quite understand that

There may be other points of view than mine….
The osgi systems I’ve worked with all used bundle state to indicate whether the bundle wiring
was satisfactory.  Then, services were made available based on whether the configuration and
required dependent services were available. If I understand correctly, you want to use bundle
state to indicate whether a required configuration is present, whether communication with
a remote service is operational, and whether a particular interaction with the remote service
returns “OK”.  I don’t think that’s a good division of responsibility.  It’s much
easier to flag all these things by registering a service when everything is fine and unregistering
it when not.  Services are just as easy to detect as bundles.

If you really need to use a bundle to indicate health, perhaps you could split the problem
into two parts: one bundle contains code, for instance a DS component, that has a required
configuration; when the component is started  (because the configuration is present) is starts
another bundle which, in its bundle activator, tries remote authentication and shuts down
if it fails. If the configuration disappears, the component deactivate method can stop the
other bundle.

David Jencks

>  
> Kind regards,
> Kamil
>  
>  
> Od: David Jencks <mailto:david.a.jencks@gmail.com>
> Wysłano: piątek, 23 sierpnia 2019 16:53
> Do: user@karaf.apache.org <mailto:user@karaf.apache.org>
> Temat: Re: Authentication with configuration: BundlevsDeclarativeService?
>  
> Hi Kamil,
>  
> Is the operator creating the account in the authentication service, so that the previously
invalid credentials become valid?
>  
> How does your system deal with failures in communication to the authentication service?
Is the operator required to restart all the “weather station” bundles? Is it possible
to treat “invalid credentials” the same as “no communication to the authentication service”?
>  
> In any case, with my proposal, restarting the bundle will certainly result in another
attempt to authenticate if the configuration is present.  Can you use the service presence
rather than the bundle state to determine “health”?
>  
> David Jencks
> 
> 
> On Aug 23, 2019, at 7:07 AM, Kamil Paśko <kamil.pasko@antologic.com <mailto:kamil.pasko@antologic.com>>
wrote:
>  
> @Dawid,
>  
> Ok, here’s my situation:
> Let’s say I have hundreds of weather stations 
> Each weather station gathers different data (some only the temperature, some humidity,
some both and some let’s say – radiation). They’re completly independent of each other.
Can be deployed separately, have different versions etc. That’s why I represented each weather
station as separate bundle in Karaf cluster.
> Each weather station sends it’s data to the server using „WeatherService”
> But before weather station can send it’s first data – it must use „AuthenticationService”
and it’s own Configuration (containing it’s login and password) in order to authenticate
itself. If it can not – is should stop and do not send data
> Why restarting the bundle helps with authentication? Because Operator can create weather
station’s account in the system and restart the bundle – then it’ll authenticate itself
successfuly
>  
> I hope that this explains my situation.
>  
> Kind regards,
> Kamil
>  
>  
> Od: David Jencks <mailto:david.a.jencks@gmail.com>
> Wysłano: piątek, 23 sierpnia 2019 15:41
> Do: user@karaf.apache.org <mailto:user@karaf.apache.org>
> Temat: Re: ODP: ODP: Authentication with configuration: BundlevsDeclarativeService?
>  
> Services don’t have state, other than their properties, and you can certainly investigate
services with the console. Ds components do have state, which you can investigate using the
console.
>  
> Your answer doesn’t make sense to me yet. What is the nature of the authentication?
If it’s entirely self contained then changes to the configuration will be automatically
propagated to a configuration-aware component anyway without your doing anything special,
and if it relies on some sort of remote service I’d expect your component would be the only
reasonable place to track this remote services availability.
>  
> I don’t recall ever finding a situation where restarting a bundle was a reasonable
response.
>  
> I may not understand your situation...
> David Jencks 
> 
> Sent from my iPhone
> 
> On Aug 23, 2019, at 4:43 AM, Kamil Paśko <kamil.pasko@antologic.com <mailto:kamil.pasko@antologic.com>>
wrote:
> 
> @David,
>  
> Thank you for your answer.
> I care „if the bundle is active” because as far as I know, Karaf console and API
allows me to check the state of bundles – not particular services. 
> Please, correct me if I’m wrong.
>  
> Moreover - all our monitoring tools verify bundles health, and are able to restart them
when bundle will be able to authenticate again.
>  
> That is why I need to stop whole bundle if authentication fails and I must care about
whole bundle – not particular service.
>  
> Does it make sense?
>  
> Kind regards,
> Kamil
>  
> Od: David Jencks <mailto:david.a.jencks@gmail.com>
> Wysłano: poniedziałek, 19 sierpnia 2019 16:07
> Do: user@karaf.apache.org <mailto:user@karaf.apache.org>
> Temat: Re: ODP: Authentication with configuration: Bundle vsDeclarativeService?
>  
> I suggest you:
> -Reinterpret the 3rd requirement to be that a service is registered only when a configuration
is present and that configuration results in valid authentication. Why do you care if the
bundle is active? What’s usually important is whether a service is present.
> -write a ManagedService as a DS component that authenticates and if successful creates
the actual service.
>  
> David Jencks 
>  
> Sent from my iPhone
> 
> On Aug 19, 2019, at 5:21 AM, Kamil Paśko <kamil.pasko@antologic.com <mailto:kamil.pasko@antologic.com>>
wrote:
> 
> I see that my examples where trimmed. So I send them once again:
> 
> I have a case with three requirements explained below:
> 
> 1) I must implement "something" (Bundle or Component) that will receive configuration
(placed in $KARAF_HOME/etc/myPID.cfg), therefore I can use both:
> 
> a) BundleActivator with ManagedService approach:
> 
> 
> 
> 
> @Override
> public final void start(final BundleContext bundleContext) throws InterruptedException
{
>   serviceReg = bundleContext.registerService(ManagedService.class, new ConfigUpdater(),
new Hashtable<>(singletonMap(Constants.SERVICE_PID, pid)));
> }
> 
> b) DeclarativeService approach:
> 
> 
> 
> 
> @Component(
>     configurationPid = MyService.CONFIGURATION_PID
> )
> public class MyService {
>   @Activate
>   public MyService(final MyConfiguration configuration) throws Exception {
>   }
> }
> 
> 2) But the second requirement is, that config MUST be available before Bundle/Component
starts (because my Bundle/Component must authenticate itself using credentials from the config).
Therefore:
> 
> a) I have no idea how to achieve it using BundleActivator
> 
> b) Using DeclarativeService approach it is easy:
> 
> 
> 
> 
> @Component(
>     immediate = true,
>     configurationPolicy = ConfigurationPolicy.REQUIRE,
>     configurationPid = MyService.CONFIGURATION_PID
> )
> 
> 3) And the third requirement is: if authentication fails - bundle must stop itself:
> 
> a) it is easy using BundleActivator, because if start method throws exception - Bundle
stops itself
> 
> 
> 
> 
>   @Override
>   public final void start(final BundleContext bundleContext) throws InterruptedException
{
>     bundleContext.registerService(ManagedService.class, new ConfigUpdater(), new Hashtable<>(singletonMap(Constants.SERVICE_PID,
pid)));
>   }
>  
>   private final class ConfigUpdater implements ManagedService {
>       @Override
>       public void updated(final Dictionary<String, ?> config) throws ConfigurationException
{
>         if (authenticate(config) == false) {
>           throw new NotAuthenticatedException();
>         }
>       }
>    }
> }
> 
> b) I have no idea how to achieve it using DeclarativeService (let's say that there is
just one service per bundle)
> 
> 
> Could you help me please with figuring out how I can achieve all three requirements at
the same time?
> 
> Kind regards,
> Kamil
>  
> Od: kamilantlgc <mailto:kamil.pasko@antologic.com>
> Wysłano: poniedziałek, 19 sierpnia 2019 14:19
> Do: user@karaf.apache.org <mailto:user@karaf.apache.org>
> Temat: Authentication with configuration: Bundle vs DeclarativeService?
>  
> Dear Karaf users,
>  
> I'm aware that this post is more about OSGi, but you were so helpful so far,
> that I hope it will be the same this time :)
>  
> I have a case with three requirements explained below:
>  
> 1) I must implement "something" (Bundle or Component) that will receive
> configuration (placed in $KARAF_HOME/etc/myPID.cfg), therefore I can use
> both: 
>  
> a) BundleActivator with ManagedService approach:
>  
>  
> b) DeclarativeService approach:
>  
>  
> 2) But the second requirement is, that config MUST be available before
> Bundle/Component starts (because my Bundle/Component must authenticate
> itself using credentials from the config). Therefore:
>  
> a) I have no idea how to achieve it using BundleActivator
>  
> b) Using DeclarativeService approach it is easy:
>  
>  
> 3) And the third requirement is: if authentication fails - bundle must stop
> itself:
>  
> a) it is easy using BundleActivator, because if start method throws
> exception - Bundle stops itself
>  
>  
> b) I have no idea how to achieve it using DeclarativeService (let's say that
> there is just one service per bundle)
>  
>  
> Could you help me please with figuring out how I can achieve all three
> requirements at the same time?
>  
> Kind regards,
> Kamil
>  
>  
>  
> --
> Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html <http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html>

Mime
View raw message