[Feature][Registry] Connecting to the ZooKeeper with SSL&ACL

apache · Jul 4, 2024 · 1096362 · 1096362
1 parent 0d59dd0
commit 1096362
Show file tree

Hide file tree

Showing 9 changed files with 124 additions and 0 deletions.
diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml b/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml
@@ -89,6 +89,7 @@ registry:
     connection-timeout: 15s
     block-until-connected: 15s
     digest: ~
+    x509-subject_principal: ~
 
 metrics:
   enabled: true

diff --git a/dolphinscheduler-api/src/main/resources/application.yaml b/dolphinscheduler-api/src/main/resources/application.yaml
@@ -127,6 +127,7 @@ registry:
     connection-timeout: 15s
     block-until-connected: 15s
     digest: ~
+    x509-subject_principal: ~
 
 api:
   audit-enable: false

diff --git a/dolphinscheduler-master/src/main/resources/application.yaml b/dolphinscheduler-master/src/main/resources/application.yaml
@@ -81,6 +81,7 @@ registry:
     connection-timeout: 15s
     block-until-connected: 15s
     digest: ~
+    x509-subject_principal: ~
 
 master:
   listen-port: 5678

diff --git a/...dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md b/...dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md
@@ -21,6 +21,7 @@ registry:
     block-until-connected: 600ms
     # The following options are set according to personal needs    
     digest: ~
+    x509-subject_principal: ~
 ```
 
 After do this config, you can start your DolphinScheduler cluster, your cluster will use zookeeper as registry center to

diff --git a/...rc/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java b/...rc/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java
@@ -96,6 +96,24 @@ public List<ACL> getAclForPath(final String path) {
                         }
                     });
         }
+
+        final String x509SubjectPrincipal = properties.getX509SubjectPrincipal();
+        if (!Strings.isNullOrEmpty(x509SubjectPrincipal)) {
+            builder.authorization("x509", digest.getBytes(StandardCharsets.UTF_8))
+                    .aclProvider(new ACLProvider() {
+
+                        @Override
+                        public List<ACL> getDefaultAcl() {
+                            return ZooDefs.Ids.CREATOR_ALL_ACL;
+                        }
+
+                        @Override
+                        public List<ACL> getAclForPath(final String path) {
+                            return ZooDefs.Ids.CREATOR_ALL_ACL;
+                        }
+                    });
+        }
+
         client = builder.build();
     }
 

diff --git a/...va/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java b/...va/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java
@@ -87,6 +87,7 @@ private void printConfig() {
                         "\n  connectString -> " + zookeeper.getConnectString() +
                         "\n  retryPolicy -> " + zookeeper.getRetryPolicy() +
                         "\n  digest -> " + zookeeper.getDigest() +
+                        "\n  x5099SubjectPrincipal -> " + zookeeper.getX509SubjectPrincipal() +
                         "\n  sessionTimeout -> " + zookeeper.getSessionTimeout() +
                         "\n  connectionTimeout -> " + zookeeper.getConnectionTimeout() +
                         "\n  blockUntilConnected -> " + zookeeper.getBlockUntilConnected() +
@@ -101,6 +102,7 @@ public static final class ZookeeperProperties {
         private String connectString;
         private RetryPolicy retryPolicy = new RetryPolicy();
         private String digest;
+        private String x509SubjectPrincipal;
         private Duration sessionTimeout = Duration.ofSeconds(60);
         private Duration connectionTimeout = Duration.ofSeconds(15);
         private Duration blockUntilConnected = Duration.ofSeconds(15);

diff --git a/...rg/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java b/...rg/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.dolphinscheduler.plugin.registry.zookeeper;
+
+import org.apache.dolphinscheduler.plugin.registry.RegistryTestCase;
+
+import java.util.Collections;
+import java.util.stream.Stream;
+
+import lombok.SneakyThrows;
+
+import org.apache.zookeeper.ZooDefs;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.client.ZKClientConfig;
+import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
+import org.apache.zookeeper.server.DumbWatcher;
+import org.apache.zookeeper.server.admin.Commands;
+import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.lifecycle.Startables;
+import org.testcontainers.utility.DockerImageName;
+
+@SpringBootTest(classes = ZookeeperRegistryProperties.class)
+@SpringBootApplication(scanBasePackageClasses = ZookeeperRegistryProperties.class)
+public class ZookeeperRegistryDigestTestCase extends RegistryTestCase<ZookeeperRegistry> {
+
+    @Autowired
+    private ZookeeperRegistryProperties zookeeperRegistryProperties;
+
+    private static GenericContainer<?> zookeeperContainer;
+
+    private static final Network NETWORK = Network.newNetwork();
+
+    private static ZooKeeper zk;
+
+    private static final String ROOT_USER = "root";
+
+    private static final String ROOT_PASSWORD = "root_passwd";
+
+    public static void setupRootACLForDigest(final ZooKeeper zk) throws Exception  {
+        final String idPassword = String.format("%s:%s", ROOT_USER, ROOT_PASSWORD);
+        final String digest = DigestAuthenticationProvider.generateDigest(idPassword);
+
+        final ACL acl = new ACL(ZooDefs.Perms.ALL, new Id("digest", digest));
+        zk.setACL("/", Collections.singletonList(acl), -1);
+    }
+
+    @SneakyThrows
+    @BeforeAll
+    public static void setUpTestingServer() {
+        zookeeperContainer = new GenericContainer<>(DockerImageName.parse("zookeeper:3.8"))
+                .withNetwork(NETWORK)
+                .withExposedPorts(2181);
+        Startables.deepStart(Stream.of(zookeeperContainer)).join();
+        System.clearProperty("registry.zookeeper.connect-string");
+        System.setProperty("registry.zookeeper.connect-string", "localhost:" + zookeeperContainer.getMappedPort(2181));
+        zk = new ZooKeeper("localhost:" + zookeeperContainer.getMappedPort(2181),
+                30000, new DumbWatcher(), new ZKClientConfig());
+        System.setProperty("registry.zookeeper.digest", String.format("%s:%s", ROOT_USER, ROOT_PASSWORD));
+        setupRootACLForDigest(zk);
+    }
+
+    @SneakyThrows
+    @Override
+    public ZookeeperRegistry createRegistry() {
+        return new ZookeeperRegistry(zookeeperRegistryProperties);
+    }
+
+    @SneakyThrows
+    @AfterAll
+    public static void tearDownTestingServer() {
+        zk.close();
+        zookeeperContainer.close();
+    }
+}
+
diff --git a/...-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml b/...-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml
@@ -28,3 +28,4 @@ registry:
     connection-timeout: 9s
     block-until-connected: 3s
     digest: ~
+    x509-subject_principal: ~
diff --git a/dolphinscheduler-worker/src/main/resources/application.yaml b/dolphinscheduler-worker/src/main/resources/application.yaml
@@ -38,6 +38,7 @@ registry:
     connection-timeout: 15s
     block-until-connected: 15s
     digest: ~
+    x509-subject_principal: ~
 
 worker:
   # worker listener port