pulsar-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From si...@apache.org
Subject [pulsar] branch master updated: Enable specifying allowed offset when verifying athenz role token (#3187)
Date Thu, 13 Dec 2018 15:26:24 GMT
This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new eb3ac3f  Enable specifying allowed offset when verifying athenz role token (#3187)
eb3ac3f is described below

commit eb3ac3f2463d3a94c4efdb6dfd8b0827c8582d81
Author: massakam <massakam@yahoo-corp.jp>
AuthorDate: Fri Dec 14 00:26:18 2018 +0900

    Enable specifying allowed offset when verifying athenz role token (#3187)
    
    ### Motivation
    
    We are using Athenz for client authentication. Occasionally, the following error occurs
and client authentication fails.
    
    > [pulsar-web-28-7] ERROR com.yahoo.athenz.auth.token.Token - Token:validate: token=v=Z1;d=xxx;r=xxx;p=xxx;a=xxx;t=1544027514;e=1544034714;k=0;i=xxx.xxx.xxx.xxx
: has future timestamp=1544027514 : current time=1544027513 : allowed offset=0
    
    This means that the timestamp included in the authentication token is more future than
the server time. Since the difference between them is only 1 second, I think that the time
of either server or client is slightly off.
    
    This error can be avoided by increasing the value of `allowed offset`. Currently, this
value is set to 0 in Pulsar, but the default value in Athenz ZMS seems to be 300 seconds.
    https://github.com/yahoo/athenz/blob/93fe62c17f3ab4556c71c5136c1646df4a874a5f/servers/zms/conf/zms.properties#L277-L280
    
    ### Modifications
    
    * Changed the default value of `allowed offset` from 0 to 30 (I think 300 seconds is too
long)
    * Enabled specifying `allowed offset` using system property
    
    ### Result
    
    Even if the time of the server or client is slightly off, the authentication will succeed.
---
 .../AuthenticationProviderAthenz.java              | 23 ++++++++++++++-
 .../AuthenticationProviderAthenzTest.java          | 33 ++++++++++++++++++++--
 2 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
b/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
index c2cf45d..955a96d 100644
--- a/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
+++ b/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
@@ -31,6 +31,7 @@ import org.apache.pulsar.broker.authentication.AuthenticationProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.Lists;
 import com.yahoo.athenz.auth.token.RoleToken;
 import com.yahoo.athenz.zpe.AuthZpeClient;
@@ -41,8 +42,10 @@ public class AuthenticationProviderAthenz implements AuthenticationProvider
{
     private static final String DOMAIN_NAME_LIST = "athenzDomainNames";
 
     private static final String SYS_PROP_DOMAIN_NAME_LIST = "pulsar.athenz.domain.names";
+    private static final String SYS_PROP_ALLOWED_OFFSET = "pulsar.athenz.role.token_allowed_offset";
 
     private List<String> domainNameList = null;
+    private int allowedOffset = 30;
 
     @Override
     public void initialize(ServiceConfiguration config) throws IOException {
@@ -57,6 +60,20 @@ public class AuthenticationProviderAthenz implements AuthenticationProvider
{
 
         domainNameList = Lists.newArrayList(domainNames.split(","));
         log.info("Supported domain names for athenz: {}", domainNameList);
+
+        if (!StringUtils.isEmpty(System.getProperty(SYS_PROP_ALLOWED_OFFSET))) {
+            try {
+                allowedOffset = Integer.parseInt(System.getProperty(SYS_PROP_ALLOWED_OFFSET));
+            } catch (NumberFormatException e) {
+                throw new IOException("Invalid allowed offset for athenz role token verification
specified", e);
+            }
+
+            if (allowedOffset < 0) {
+                throw new IOException("Allowed offset for athenz role token verification
must not be negative");
+            }
+        }
+
+        log.info("Allowed offset for athenz role token verification: {} sec", allowedOffset);
     }
 
     @Override
@@ -103,7 +120,6 @@ public class AuthenticationProviderAthenz implements AuthenticationProvider
{
         // Synchronize for non-thread safe static calls inside athenz library
         synchronized (this) {
             PublicKey ztsPublicKey = AuthZpeClient.getZtsPublicKey(token.getKeyId());
-            int allowedOffset = 0;
 
             if (ztsPublicKey == null) {
                 throw new AuthenticationException("Unable to retrieve ZTS Public Key");
@@ -123,5 +139,10 @@ public class AuthenticationProviderAthenz implements AuthenticationProvider
{
     public void close() throws IOException {
     }
 
+    @VisibleForTesting
+    int getAllowedOffset() {
+        return this.allowedOffset;
+    }
+
     private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderAthenz.class);
 }
diff --git a/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
b/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
index 1946a01..b56021b 100644
--- a/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
+++ b/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
@@ -29,6 +29,7 @@ import org.apache.pulsar.broker.authentication.AuthenticationDataCommand;
 import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
 import org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
@@ -70,12 +71,38 @@ public class AuthenticationProviderAthenzTest {
         ServiceConfiguration emptyConf = new ServiceConfiguration();
         Properties emptyProp = new Properties();
         emptyConf.setProperties(emptyProp);
-        AuthenticationProviderAthenz sysPropProvider = new AuthenticationProviderAthenz();
+        AuthenticationProviderAthenz sysPropProvider1 = new AuthenticationProviderAthenz();
         try {
-            sysPropProvider.initialize(emptyConf);
+            sysPropProvider1.initialize(emptyConf);
+            assertEquals(sysPropProvider1.getAllowedOffset(), 30); // default allowed offset
is 30 sec
         } catch (Exception e) {
             fail("Fail to Read pulsar.athenz.domain.names from System Properties");
         }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "0");
+        AuthenticationProviderAthenz sysPropProvider2 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider2.initialize(config);
+            assertEquals(sysPropProvider2.getAllowedOffset(), 0);
+        } catch (Exception e) {
+            fail("Failed to get allowd offset from system property");
+        }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "invalid");
+        AuthenticationProviderAthenz sysPropProvider3 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider3.initialize(config);
+            fail("Invalid allowed offset should not be specified");
+        } catch (IOException e) {
+        }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "-1");
+        AuthenticationProviderAthenz sysPropProvider4 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider4.initialize(config);
+            fail("Negative allowed offset should not be specified");
+        } catch (IOException e) {
+        }
     }
 
     @Test
@@ -133,4 +160,4 @@ public class AuthenticationProviderAthenzTest {
             // OK, expected
         }
     }
-}
\ No newline at end of file
+}


Mime
View raw message