Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[wip][do not review] auth support for dbnode #4235

Draft
wants to merge 18 commits into
base: master
Choose a base branch
from
Draft

[wip][do not review] auth support for dbnode #4235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
49a1c4f
Merge pull request #1 from m3db/master
gandhikrishna Jun 22, 2022
8985967
Merge branch 'm3db:master' into master
gandhikrishna Jul 7, 2022
76ea2e9
Merge branch 'm3db:master' into master
gandhikrishna Apr 26, 2023
372cb59
Merge branch 'm3db:master' into master
gandhikrishna May 12, 2023
b007db7
[WIP] auth for dbnode
gandhikrishna May 22, 2023
748090f
lint fixes
gandhikrishna May 23, 2023
207495a
lint fixes
gandhikrishna May 23, 2023
5955868
mocks regen
gandhikrishna May 23, 2023
440e253
lint
gandhikrishna May 23, 2023
b0533bf
lint
gandhikrishna May 23, 2023
91062ea
make clean
gandhikrishna May 23, 2023
7fb3ffe
client integration with auth module
gandhikrishna May 23, 2023
56fe71c
server integration with auth module
gandhikrishna May 23, 2023
56ecbab
Merge branch 'master' into security-changes-2
gandhikrishna May 25, 2023
073f189
fix test
gandhikrishna May 25, 2023
781d26c
comments
gandhikrishna May 25, 2023
9c0f87e
test CI
gandhikrishna May 30, 2023
353b4af
Merge branch 'm3db:master' into security-changes-2
gandhikrishna Aug 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion src/cluster/client/etcd/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
package etcd

import (
"fmt"
"os"
"time"

Expand Down Expand Up @@ -52,6 +53,8 @@ type ClusterConfig struct {
AutoSyncInterval time.Duration `yaml:"autoSyncInterval"`
DialTimeout time.Duration `yaml:"dialTimeout"`

Auth *AuthConfig `yaml:"auth"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls don't use pointers in config structures


DialOptions []grpc.DialOption `yaml:"-"` // nonserializable
}

Expand All @@ -68,7 +71,6 @@ func (c ClusterConfig) NewCluster() Cluster {
SetDialOptions(c.DialOptions).
SetKeepAliveOptions(keepAliveOpts).
SetTLSOptions(c.TLS.newOptions())

// Autosync should *always* be on, unless the user very explicitly requests it to be off. They can do this via a
// negative value (in which case we can assume they know what they're doing).
// Therefore, only update if it's nonzero, on the assumption that zero is just the empty value.
Expand Down Expand Up @@ -119,6 +121,23 @@ func (c *KeepAliveConfig) NewOptions() KeepAliveOptions {
SetKeepAliveTimeout(c.Timeout)
}

// AuthConfig configures authentication behavior.
type AuthConfig struct {
Enabled bool `yaml:"enabled"`
UserName string `yaml:"username"`
Password string `yaml:"password"`
}

// Validate validates the AuthConfig.
func (a *AuthConfig) Validate() error {
if a.Enabled {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

if !a.Enabled { return nil } ...

if a.UserName == "" || a.Password == "" {
return fmt.Errorf("credentials must be set for client's outbound")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

super nit: avoid using single quote in the log messages

}
}
return nil
}

// Configuration is for config service client.
type Configuration struct {
Zone string `yaml:"zone"`
Expand All @@ -129,6 +148,7 @@ type Configuration struct {
SDConfig services.Configuration `yaml:"m3sd"`
WatchWithRevision int64 `yaml:"watchWithRevision"`
NewDirectoryMode *os.FileMode `yaml:"newDirectoryMode"`
Auth *AuthConfig `yaml:"auth"`

Retry retry.Configuration `yaml:"retry"`
RequestTimeout time.Duration `yaml:"requestTimeout"`
Expand Down
190 changes: 190 additions & 0 deletions src/cmd/services/m3dbnode/config/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
// Copyright (c) 2023 Uber Technologies, Inc.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.

package config

import "fmt"

// AuthConfig is the top level config that includes secrets of inbound and
// outbound of a dbnode.
type AuthConfig struct {
Outbound *Outbounds `yaml:"outbounds"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above, avoid using pointers in config structs. Once you replace it with values I don't think you need all these validation methods

Inbound *Inbound `yaml:"inbounds"`
}

// Validate validates the AuthConfig. We use this method to validate fields
// where the validator package falls short.
func (c *AuthConfig) Validate() error {
if c.Outbound == nil {
return fmt.Errorf("outbound creds are not present")
}

if err := c.Outbound.Validate(); err != nil {
return err
}

if c.Inbound != nil {
if err := c.Inbound.Validate(); err != nil {
return err
}
}
return nil
}

// Outbounds consist secrets for outbounds connections for m3dbnodes and
// etcd.
type Outbounds struct {
M3DB *ServicesConfig `yaml:"m3db"`
Etcd *ServicesConfig `yaml:"etcd"`
}

// Validate validates the Outbounds.
func (c *Outbounds) Validate() error {
if c.M3DB == nil {
return fmt.Errorf("incomplete outbound creds, m3db node creds not provided")
}

if err := c.M3DB.Validate(); err != nil {
return err
}

if c.Etcd == nil {
return fmt.Errorf("incomplete outbound creds, etcd node creds not provided")
}
if err := c.Etcd.Validate(); err != nil {
return err
}

return nil
}

// Inbound consist secrets for Inbound connections for m3dbnodes.
type Inbound struct {
M3DB *InboundConfig `yaml:"m3db"`
}

// Validate validates the Inbound.
func (c *Inbound) Validate() error {
if c.M3DB == nil {
return fmt.Errorf("incomplete inboundcreds, m3db config not provided")
}

if err := c.M3DB.Validate(); err != nil {
return err
}
return nil
}

// InboundConfig consist credentials and auth mode for inbound request.
type InboundConfig struct {
Mode *string `yaml:"mode"`
Credentials []*InboundCredentials `yaml:"credentials"`
}

// Validate validates the InboundConfig.
func (c *InboundConfig) Validate() error {
if c.Mode == nil {
return fmt.Errorf("incomplete inboundcreds, mode not provided")
}

for _, node := range c.Credentials {
if err := node.Validate(); err != nil {
return err
}
}

return nil
}

// ServicesConfig consist of service level config.
type ServicesConfig struct {
NodeConfig []*ServiceConfig `yaml:"services"`
}

// Validate validates the ServicesConfig.
func (c *ServicesConfig) Validate() error {
if c.NodeConfig == nil || len(c.NodeConfig) == 0 {
return fmt.Errorf("incomplete creds, service level creds not provided")
}

for _, node := range c.NodeConfig {
if err := node.Validate(); err != nil {
return err
}
}

return nil
}

// ServiceConfig consist of service level config.
type ServiceConfig struct {
Service *OutboundCredentials `yaml:"service"`
}

// Validate validates the ServiceConfig.
func (c *ServiceConfig) Validate() error {
if c.Service == nil {
return fmt.Errorf("incomplete creds, service level creds not provided")
}

if err := c.Service.Validate(); err != nil {
return err
}

return nil
}

// OutboundCredentials is the bottom most struct consist used for storing outbounds creds.
type OutboundCredentials struct {
Zone string
Username *string
Password *string
}

// Validate validates the Credentials.
func (c *OutboundCredentials) Validate() error {
if c.Username == nil {
return fmt.Errorf("incomplete creds, username not provided for outbounds")
}
if c.Password == nil {
return fmt.Errorf("incomplete creds, password not provided for outbounds")
}

return nil
}

// InboundCredentials is the bottom most struct consist used for storing outbounds creds.
type InboundCredentials struct {
Zone string `yaml:"zone"`
Username *string `yaml:"username"`
Digest *string `yaml:"digest"`
}

// Validate validates the Credentials.
func (c *InboundCredentials) Validate() error {
if c.Username == nil {
return fmt.Errorf("incomplete creds, username not provided for inbounds")
}
if c.Digest == nil {
return fmt.Errorf("incomplete creds, digest password not provided for inbounds")
}

return nil
}
Loading