From 3216260531d1cd4a83854bebd72260ecb963970a Mon Sep 17 00:00:00 2001 
From: pegasas Date: Tue, 20 Aug 2024 21:18:37 +0800 Subject: [PATCH] asd --- .../src/main/resources/application.yaml | 4 +- .../src/main/resources/application.yaml | 3 +- .../src/main/resources/application.yaml | 3 +- .../README.md | 3 +- .../registry/zookeeper/ZookeeperRegistry.java | 10 +- .../ZookeeperRegistryProperties.java | 10 +- .../ZookeeperRegistryDigestTestCase.java | 98 ++++++ .../ZookeeperRegistryX509TestCase.java | 302 ++++++++++++++++++ .../test/resources/application-digest.yaml | 31 ++ .../src/test/resources/application-x509.yaml | 31 ++ .../src/test/resources/application.yaml | 3 +- .../src/test/resources/ssl/README.md | 10 + .../src/test/resources/ssl/testKeyStore.jks | Bin 0 -> 2250 bytes .../src/test/resources/ssl/testTrustStore.jks | Bin 0 -> 960 bytes .../src/main/resources/application.yaml | 3 +- 15 files changed, 498 insertions(+), 13 deletions(-) create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryX509TestCase.java create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-digest.yaml create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-x509.yaml create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/README.md create mode 100644 dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testKeyStore.jks create mode 100644 
dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testTrustStore.jks diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml b/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml index 927cbc3c2ce6..63f192940e3e 100644 --- a/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml +++ b/dolphinscheduler-alert/dolphinscheduler-alert-server/src/main/resources/application.yaml @@ -88,7 +88,9 @@ registry: session-timeout: 60s connection-timeout: 15s block-until-connected: 15s - digest: ~ + authorization: + digest: ~ + metrics: enabled: true diff --git a/dolphinscheduler-api/src/main/resources/application.yaml b/dolphinscheduler-api/src/main/resources/application.yaml index 9b0e94d64451..ee5ca199e6aa 100644 --- a/dolphinscheduler-api/src/main/resources/application.yaml +++ b/dolphinscheduler-api/src/main/resources/application.yaml @@ -126,7 +126,8 @@ registry: session-timeout: 60s connection-timeout: 15s block-until-connected: 15s - digest: ~ + authorization: + digest: ~ api: audit-enable: false diff --git a/dolphinscheduler-master/src/main/resources/application.yaml b/dolphinscheduler-master/src/main/resources/application.yaml index a4ce4b882837..dfd21429854f 100644 --- a/dolphinscheduler-master/src/main/resources/application.yaml +++ b/dolphinscheduler-master/src/main/resources/application.yaml @@ -80,7 +80,8 @@ registry: session-timeout: 60s connection-timeout: 15s block-until-connected: 15s - digest: ~ + authorization: + digest: ~ master: listen-port: 5678 diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md index 7ee512a451d7..3fd0fdfc4fba 100644 
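Review bot: The new `authorization:` block in this alert-server application.yaml (and likewise in the api, master, worker and registry-test application.yaml hunks) carries no comment on what may go under it, while the plugin now takes the first key as the ZooKeeper auth scheme and its value as the credential, and the properties validator in this patch requires exactly one entry. A comment such as `# Optional ZooKeeper client authentication; one scheme only, e.g. digest: user:password or x509: <certificate subject DN>` above `authorization:` would keep operators from listing several schemes or dropping the nesting. The placeholder `~` under `digest:` is also what the registry now receives on a default install, so whether it means "no authentication" should be stated alongside it rather than left to the binder.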
--- a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/README.md @@ -20,7 +20,8 @@ registry: connection-timeout: 9s block-until-connected: 600ms # The following options are set according to personal needs - digest: ~ + authorization: + digest: ~ ``` After do this config, you can start your DolphinScheduler cluster, your cluster will use zookeeper as registry center to diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java index d02b5f3c0c0b..e814b8ec45b4 100644 --- a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistry.java @@ -52,8 +52,6 @@ import lombok.NonNull; import lombok.extern.slf4j.Slf4j; -import com.google.common.base.Strings; - @Slf4j final class ZookeeperRegistry implements Registry { 
@@ -80,9 +78,10 @@ final class ZookeeperRegistry implements Registry { .sessionTimeoutMs(DurationUtils.toMillisInt(properties.getSessionTimeout())) .connectionTimeoutMs(DurationUtils.toMillisInt(properties.getConnectionTimeout())); - final String digest = properties.getDigest(); - if (!Strings.isNullOrEmpty(digest)) { - builder.authorization("digest", digest.getBytes(StandardCharsets.UTF_8)) + if (properties.getAuthorization().size() > 0) { + final String schema = properties.getAuthorization().keySet().stream().findFirst().get(); + final String schemaValue = properties.getAuthorization().get(schema); + builder.authorization(schema.toLowerCase(), schemaValue.getBytes(StandardCharsets.UTF_8)) .aclProvider(new ACLProvider() { @Override @@ -96,6 +95,7 @@ public List getAclForPath(final String path) { } }); } + client = builder.build(); } diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java index c5b27d8b8807..327f8369b920 100644 --- a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/main/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryProperties.java @@ -20,6 +20,8 @@ import org.apache.commons.lang3.StringUtils; import java.time.Duration; +import java.util.HashMap; +import java.util.Map; import lombok.AllArgsConstructor; import lombok.Data; 
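Review bot: The `Strings.isNullOrEmpty` guard on the removed lines has no replacement, so the default `authorization: digest: ~` shipped in every application.yaml of this patch now reaches `builder.authorization(...)`: if the binder stores the `~` as an empty string the client registers an empty digest credential together with the ACL provider, and if it stores null `schemaValue.getBytes(...)` throws a NullPointerException while the registry is being constructed. The map is also fetched three times and the key is pulled through `Optional.get()` on the assumption that validation already ran, and `toLowerCase()` without `Locale.ROOT` makes scheme matching locale dependent. Read the single entry once and treat a blank value as "no authentication", as below (needs `java.util.Map` and `java.util.Locale` imported). The enclosing constructor and the `aclProvider(...)` block continue outside the hunk.
```java
final Map<String, String> authorization = properties.getAuthorization();
if (authorization != null && !authorization.isEmpty()) {
    final Map.Entry<String, String> entry = authorization.entrySet().iterator().next();
    final String schema = entry.getKey();
    final String schemaValue = entry.getValue();
    // A missing value (the `digest: ~` placeholder in the default config) means no authentication.
    if (schemaValue != null && !schemaValue.trim().isEmpty()) {
        builder.authorization(schema.toLowerCase(Locale.ROOT), schemaValue.getBytes(StandardCharsets.UTF_8))
        // … unchanged: .aclProvider(new ACLProvider() { … }) …
```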
@@ -79,6 +81,9 @@ public void validate(Object target, Errors errors) { || zookeeper.getBlockUntilConnected().isNegative()) { errors.rejectValue("zookeeper.blockUntilConnected", "", "zookeeper.blockUntilConnected should be positive"); } + if (zookeeper.getAuthorization() != null && zookeeper.getAuthorization().size() != 1) { + errors.rejectValue("zookeeper.authorization", "", "zookeeper.authorization should be unique"); + } printConfig(); } @@ -88,10 +93,11 @@ private void printConfig() { "\n namespace -> " + zookeeper.getNamespace() + "\n connectString -> " + zookeeper.getConnectString() + "\n retryPolicy -> " + zookeeper.getRetryPolicy() + - "\n digest -> " + zookeeper.getDigest() + + "\n authorization -> " + zookeeper.getAuthorization() + "\n sessionTimeout -> " + zookeeper.getSessionTimeout() + "\n connectionTimeout -> " + zookeeper.getConnectionTimeout() + "\n blockUntilConnected -> " + zookeeper.getBlockUntilConnected() + + "\n authorization -> " + zookeeper.getAuthorization() + "\n****************************ZookeeperRegistryProperties**************************************"; log.info(config); } @@ -102,7 +108,7 @@ public static final class ZookeeperProperties { private String namespace = "dolphinscheduler"; private String connectString; private RetryPolicy retryPolicy = new RetryPolicy(); - private String digest; + private Map authorization = new HashMap<>(); private Duration sessionTimeout = Duration.ofSeconds(60); private Duration connectionTimeout = Duration.ofSeconds(15); private Duration blockUntilConnected = Duration.ofSeconds(15); 
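Review bot: The new check `zookeeper.getAuthorization().size() != 1` rejects an empty map, so a deployment that leaves `authorization` out entirely (or one where the binder drops the `digest: ~` placeholder) fails validation, even though the field defaults to an empty `HashMap` in this same file and `ZookeeperRegistry` treats an empty map as "no authentication". The intent reads as "at most one scheme", so the condition should be `zookeeper.getAuthorization().size() > 1` with a message like `"zookeeper.authorization supports at most one scheme"`; "should be unique" does not tell the operator what to fix. `validate` starts outside the hunk.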
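Review bot: `"\n authorization -> " + zookeeper.getAuthorization()` is added twice in `printConfig`, once in place of the old `digest ->` line and again after `blockUntilConnected`, so the map is printed twice. The map's value is the credential itself (`root:root_passwd` in application-digest.yaml), so this writes a secret to the INFO log, as the replaced `digest ->` line already did; print only the configured scheme names (the key set) rather than the map, and drop the duplicate line. `printConfig` starts outside the hunk.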
diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java
new file mode 100644
index 000000000000..b3f00f2ca46a
--- /dev/null
+++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryDigestTestCase.java
@@ -0,0 +1,98 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.dolphinscheduler.plugin.registry.zookeeper; + +import org.apache.dolphinscheduler.plugin.registry.RegistryTestCase; + +import org.apache.zookeeper.ZooDefs; +import org.apache.zookeeper.ZooKeeper; +import org.apache.zookeeper.client.ZKClientConfig; +import org.apache.zookeeper.data.ACL; +import org.apache.zookeeper.data.Id; +import org.apache.zookeeper.server.DumbWatcher; +import org.apache.zookeeper.server.auth.DigestAuthenticationProvider; + +import java.util.Collections; +import java.util.stream.Stream; + +import lombok.SneakyThrows; + +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.ActiveProfiles; +import org.testcontainers.containers.GenericContainer; +import org.testcontainers.containers.Network; +import org.testcontainers.lifecycle.Startables; +import org.testcontainers.utility.DockerImageName; + +@ActiveProfiles("digest") +@SpringBootTest(classes = 
ZookeeperRegistryProperties.class) +@SpringBootApplication(scanBasePackageClasses = ZookeeperRegistryProperties.class) +public class ZookeeperRegistryDigestTestCase extends RegistryTestCase { + + @Autowired + private ZookeeperRegistryProperties zookeeperRegistryProperties; + + private static GenericContainer zookeeperContainer; + + private static final Network NETWORK = Network.newNetwork(); + + private static ZooKeeper zk; + + private static final String ROOT_USER = "root"; + + private static final String ROOT_PASSWORD = "root_passwd"; + + private static final String ID_PASSWORD = String.format("%s:%s", ROOT_USER, ROOT_PASSWORD); + + private static void setupRootACLForDigest(final ZooKeeper zk) throws Exception { + final String digest = DigestAuthenticationProvider.generateDigest(ID_PASSWORD); + final ACL acl = new ACL(ZooDefs.Perms.ALL, new Id("digest", digest)); + zk.setACL("/", Collections.singletonList(acl), -1); + } + + @SneakyThrows + @BeforeAll + public static void setUpTestingServer() { + zookeeperContainer = new GenericContainer<>(DockerImageName.parse("zookeeper:3.8")) + .withNetwork(NETWORK) + .withExposedPorts(2181); + Startables.deepStart(Stream.of(zookeeperContainer)).join(); + System.clearProperty("registry.zookeeper.connect-string"); + System.setProperty("registry.zookeeper.connect-string", "localhost:" + zookeeperContainer.getMappedPort(2181)); + zk = new ZooKeeper("localhost:" + zookeeperContainer.getMappedPort(2181), + 30000, new DumbWatcher(), new ZKClientConfig()); + setupRootACLForDigest(zk); + } + + @SneakyThrows + @Override + public ZookeeperRegistry createRegistry() { + return new ZookeeperRegistry(zookeeperRegistryProperties); + } + + @SneakyThrows + @AfterAll + public static void tearDownTestingServer() { + zk.close(); + zookeeperContainer.close(); + } +} 
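Review bot: The class has no documentation of its fixture, and the test only passes when three things line up: the `root:root_passwd` value in application-digest.yaml, `ID_PASSWORD` here, and the digest ACL that `setupRootACLForDigest` installs on `/`. Add a class Javadoc stating that the suite starts a `zookeeper:3.8` container, restricts the root znode to a digest ACL for `root`, and expects the registry built under the `digest` profile to authenticate with the same credential, plus a comment on `ROOT_PASSWORD` that it must match the yaml. `tearDownTestingServer` also dereferences `zk` unconditionally, so a setup failure before `new ZooKeeper(...)` is masked by a NullPointerException; guard it with `if (zk != null) { zk.close(); }`.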
diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryX509TestCase.java b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryX509TestCase.java
new file mode 100644
index 000000000000..b13295469dd8
--- /dev/null
+++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/java/org/apache/dolphinscheduler/plugin/registry/zookeeper/ZookeeperRegistryX509TestCase.java
@@ -0,0 +1,302 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.dolphinscheduler.plugin.registry.zookeeper; + +import org.apache.dolphinscheduler.plugin.registry.RegistryTestCase; + +import java.net.Socket; +import java.nio.charset.StandardCharsets; +import java.security.Principal; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collections; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.TimeoutException; +import java.util.stream.Stream; + +import lombok.SneakyThrows; + +import org.apache.zookeeper.WatchedEvent; +import org.apache.zookeeper.Watcher; +import org.apache.zookeeper.ZooDefs; +import org.apache.zookeeper.ZooKeeper; +import org.apache.zookeeper.client.ZKClientConfig; +import org.apache.zookeeper.common.ClientX509Util; +import org.apache.zookeeper.common.QuorumX509Util; +import org.apache.zookeeper.common.Time; +import org.apache.zookeeper.common.X509Exception; +import org.apache.zookeeper.data.ACL; +import org.apache.zookeeper.data.Id; +import org.apache.zookeeper.server.DumbWatcher; +import 
org.apache.zookeeper.server.NettyServerCnxnFactory; +import org.apache.zookeeper.server.ServerCnxnFactory; +import org.apache.zookeeper.server.admin.Commands; +import org.apache.zookeeper.server.auth.DigestAuthenticationProvider; +import org.apache.zookeeper.server.auth.ProviderRegistry; +import org.apache.zookeeper.server.auth.X509AuthenticationProvider; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.ActiveProfiles; +import org.testcontainers.containers.GenericContainer; +import org.testcontainers.containers.Network; +import org.testcontainers.lifecycle.Startables; +import org.testcontainers.utility.DockerImageName; + +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; +import javax.net.ssl.X509KeyManager; +import javax.net.ssl.X509TrustManager; + +import static org.junit.jupiter.api.Assertions.fail; + +@ActiveProfiles("x509") +@SpringBootTest(classes = ZookeeperRegistryProperties.class) +@SpringBootApplication(scanBasePackageClasses = ZookeeperRegistryProperties.class) +class ZookeeperRegistryX509TestCase extends RegistryTestCase { + + @Autowired + private ZookeeperRegistryProperties zookeeperRegistryProperties; + + private static GenericContainer zookeeperContainer; + + private static final Network NETWORK = Network.newNetwork(); + + private static ZooKeeper zk; + + private static final String X509_SCHEMA = "x509"; + + private static final String X509_SUBJECT_PRINCIPAL = "CN=localhost,OU=ZooKeeper,O=Apache,L=Unknown,ST=Unknown,C=Unknown"; + + private static final ClientX509Util clientX509Util = new ClientX509Util(); + + private static final QuorumX509Util quorumX509Util = new QuorumX509Util(); + + public static class CountdownWatcher implements Watcher { + + // TODO this 
doesn't need to be volatile! (Should probably be final) + volatile CountDownLatch clientConnected; + // Set to true when connected to a read-only server, or a read-write (quorum) server. + volatile boolean connected; + // Set to true when connected to a quorum server. + volatile boolean syncConnected; + // Set to true when connected to a quorum server in read-only mode + volatile boolean readOnlyConnected; + + public CountdownWatcher() { + reset(); + } + public synchronized void reset() { + clientConnected = new CountDownLatch(1); + connected = false; + syncConnected = false; + readOnlyConnected = false; + } + public synchronized void process(WatchedEvent event) { + Event.KeeperState state = event.getState(); + if (state == Event.KeeperState.SyncConnected) { + connected = true; + syncConnected = true; + readOnlyConnected = false; + } else if (state == Event.KeeperState.ConnectedReadOnly) { + connected = true; + syncConnected = false; + readOnlyConnected = true; + } else { + connected = false; + syncConnected = false; + readOnlyConnected = false; + } + + notifyAll(); + if (connected) { + clientConnected.countDown(); + } + } + public synchronized boolean isConnected() { + return connected; + } + + protected synchronized String connectionDescription() { + return String.format("connected(%s), syncConnected(%s), readOnlyConnected(%s)", + connected, syncConnected, readOnlyConnected); + } + + public synchronized void waitForConnected(long timeout) throws InterruptedException, TimeoutException { + long expire = Time.currentElapsedTime() + timeout; + long left = timeout; + while (!connected && left > 0) { + wait(left); + left = expire - Time.currentElapsedTime(); + } + if (!connected) { + throw new TimeoutException("Failed to connect to ZooKeeper server: " + connectionDescription()); + } + } + public synchronized void waitForSyncConnected(long timeout) throws InterruptedException, TimeoutException { + long expire = Time.currentElapsedTime() + timeout; + long left = timeout; 
+ while (!syncConnected && left > 0) { + wait(left); + left = expire - Time.currentElapsedTime(); + } + if (!syncConnected) { + throw new TimeoutException( + "Failed to connect to read-write ZooKeeper server: " + + connectionDescription()); + } + } + public synchronized void waitForReadOnlyConnected(long timeout) throws InterruptedException, TimeoutException { + long expire = Time.currentElapsedTime() + timeout; + long left = timeout; + while (!readOnlyConnected && left > 0) { + wait(left); + left = expire - Time.currentElapsedTime(); + } + if (!readOnlyConnected) { + throw new TimeoutException( + "Failed to connect in read-only mode to ZooKeeper server: " + + connectionDescription()); + } + } + public synchronized void waitForDisconnected(long timeout) throws InterruptedException, TimeoutException { + long expire = Time.currentElapsedTime() + timeout; + long left = timeout; + while (connected && left > 0) { + wait(left); + left = expire - Time.currentElapsedTime(); + } + if (connected) { + throw new TimeoutException("Did not disconnect: " + connectionDescription()); + } + } + + } + + private static void setupTLS() throws Exception { + System.setProperty("zookeeper.authProvider.x509", "org.apache.zookeeper.server.auth.X509AuthenticationProvider"); + String testDataPath = System.getProperty("test.data.dir", "src/test/resources"); + + System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks"); + System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), "testpass"); + System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), testDataPath + "/ssl/testTrustStore.jks"); + System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), "testpass"); + + // client + System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty"); + System.setProperty(ZKClientConfig.SECURE_CLIENT, "true"); + + // server + 
System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory"); + System.setProperty(NettyServerCnxnFactory.PORT_UNIFICATION_KEY, Boolean.TRUE.toString()); + + // admin server + System.setProperty(quorumX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks"); + System.setProperty(quorumX509Util.getSslKeystorePasswdProperty(), "testpass"); + System.setProperty(quorumX509Util.getSslTruststoreLocationProperty(), testDataPath + "/ssl/testTrustStore.jks"); + System.setProperty(quorumX509Util.getSslTruststorePasswdProperty(), "testpass"); + System.setProperty("zookeeper.admin.forceHttps", "true"); + System.setProperty("zookeeper.admin.needClientAuth", "true"); + + // create SSLContext + final SSLContext sslContext = SSLContext.getInstance(ClientX509Util.DEFAULT_PROTOCOL); + final X509AuthenticationProvider authProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider("x509"); + if (authProvider == null) { + throw new X509Exception.SSLContextException("Could not create SSLContext with x509 auth provider"); + } + sslContext.init(new X509KeyManager[]{authProvider.getKeyManager()}, new X509TrustManager[]{authProvider.getTrustManager()}, null); + + // set SSLSocketFactory + HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); + } + + private static void clearTLS() { + System.clearProperty("zookeeper.authProvider.x509"); + + System.clearProperty(clientX509Util.getSslKeystoreLocationProperty()); + System.clearProperty(clientX509Util.getSslKeystorePasswdProperty()); + System.clearProperty(clientX509Util.getSslTruststoreLocationProperty()); + System.clearProperty(clientX509Util.getSslTruststorePasswdProperty()); + + // client side + System.clearProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET); + System.clearProperty(ZKClientConfig.SECURE_CLIENT); + + // server side + System.clearProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY); + 
System.clearProperty(NettyServerCnxnFactory.PORT_UNIFICATION_KEY); + + // admin server + System.clearProperty(quorumX509Util.getSslKeystoreLocationProperty()); + System.clearProperty(quorumX509Util.getSslKeystorePasswdProperty()); + System.clearProperty(quorumX509Util.getSslTruststoreLocationProperty()); + System.clearProperty(quorumX509Util.getSslTruststorePasswdProperty()); + System.clearProperty("zookeeper.admin.forceHttps"); + System.clearProperty("zookeeper.admin.needClientAuth"); + } + + public static void addAuthInfoForX509(final ZooKeeper zk) { + zk.addAuthInfo(X509_SCHEMA, X509_SUBJECT_PRINCIPAL.getBytes(StandardCharsets.UTF_8)); + } + + private static void setupRootACLForX509(final ZooKeeper zk) throws Exception { + final ACL acl = new ACL(ZooDefs.Perms.ALL, new Id(X509_SCHEMA, X509_SUBJECT_PRINCIPAL)); + zk.setACL("/", Collections.singletonList(acl), -1); + } + + @SneakyThrows + @BeforeAll + public static void setUpTestingServer() { + + + String testDataPath = System.getProperty("test.data.dir", "src/test/resources"); + zookeeperContainer = new GenericContainer<>(DockerImageName.parse("zookeeper:3.8")) + .withNetwork(NETWORK) + .withExposedPorts(2181) + ; + + setupTLS(); + + Startables.deepStart(Stream.of(zookeeperContainer)).join(); + System.clearProperty("registry.zookeeper.connect-string"); + System.setProperty("registry.zookeeper.connect-string", "localhost:" + zookeeperContainer.getMappedPort(2181)); + zk = new ZooKeeper("localhost:" + zookeeperContainer.getMappedPort(2181), + 30000, new CountdownWatcher(), new ZKClientConfig()); + addAuthInfoForX509(zk); + setupRootACLForX509(zk); + + } + + @SneakyThrows + @Override + public ZookeeperRegistry createRegistry() { + return new ZookeeperRegistry(zookeeperRegistryProperties); + } + + @SneakyThrows + @AfterAll + public static void tearDownTestingServer() { + clearTLS(); + zk.close(); + zookeeperContainer.close(); + } +} \ No newline at end of file 
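Review bot: The server-side settings in `setupTLS` — `ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY`, `PORT_UNIFICATION_KEY`, the `quorumX509Util` keystore properties, the `zookeeper.admin.*` flags and `zookeeper.authProvider.x509` — are system properties of the test JVM, but the ZooKeeper under test is the `zookeeper:3.8` container started with only `.withExposedPorts(2181)`, which never sees them; unless the image is configured somewhere outside this patch, the server neither serves TLS nor registers the `x509` scheme that `setupRootACLForX509` relies on, so the test does not show the x509 ACL being enforced. The container needs the two keystores mounted and the matching server configuration passed to it (secure client port, keystore/truststore locations, the x509 auth provider), with the client pointed at that port, or the server should run in-process. Separately, `testDataPath` in `setUpTestingServer` is unused, `DumbWatcher`, `Commands`, `DigestAuthenticationProvider`, `Socket`, `Principal`, `PrivateKey`, `CertificateException`, `X509Certificate`, `Arrays` and `fail` are imported but never used, and the copied `CountdownWatcher` is only ever instantiated with none of its `waitFor*` methods called, so `new DumbWatcher()` as in the digest test would do. `HttpsURLConnection.setDefaultSSLSocketFactory(...)` is JVM-global and is not undone in `clearTLS`, so it leaks into any test class that runs afterwards.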
diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-digest.yaml b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-digest.yaml new file mode 100644 index 000000000000..c618466e06d5 --- /dev/null +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-digest.yaml @@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +registry: + type: zookeeper + zookeeper: + namespace: dolphinscheduler + connect-string: 127.0.0.1:2181 + retry-policy: + base-sleep-time: 60ms + max-sleep: 300ms + max-retries: 5 + session-timeout: 30s + connection-timeout: 9s + block-until-connected: 3s + authorization: + digest: root:root_passwd diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-x509.yaml b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-x509.yaml new file mode 100644 index 000000000000..e5e57d2ebb85 --- /dev/null 
+++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application-x509.yaml @@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +registry: + type: zookeeper + zookeeper: + namespace: dolphinscheduler + connect-string: 127.0.0.1:2181 + retry-policy: + base-sleep-time: 60ms + max-sleep: 300ms + max-retries: 5 + session-timeout: 30s + connection-timeout: 9s + block-until-connected: 3s + authorization: + x509: "CN=localhost,OU=ZooKeeper,O=Apache,L=Unknown,ST=Unknown,C=Unknown" diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml index 92902a608cb4..b6ef4efa8901 100644 --- a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/application.yaml 
@@ -27,4 +27,5 @@ registry: session-timeout: 30s connection-timeout: 9s block-until-connected: 3s - digest: ~ + authorization: + digest: ~ diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/README.md b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/README.md new file mode 100644 index 000000000000..b8823d8a3de8 --- /dev/null +++ b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/README.md @@ -0,0 +1,10 @@ +SSL test data +=================== + +testKeyStore.jks +--- +Testing keystore, password is "testpass". + +testTrustStore.jks +--- +Testing truststore, password is "testpass". 
diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testKeyStore.jks b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testKeyStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..40a7d0b7eae24b40c42e0f0e5410ef5caed30e4e GIT binary patch literal 2250 zcmchYcTm%58pqRtPy*6LN+?PVzfeUf1`w&zq=SGG0|%QR1acJR2%%VLt02-@P-)=+ ziHe~kO?qDu#6=(yiXcsnw%pF`+|Jzp_s28yyq}rpnP0)RzV;TtY$ zC7(R3^tB$=fk1EwK!qIvduCX*<@{y3*qGpy z+uDRgnXo37NS(pr>m6s_Eg(Yj~&O}VTK4!bre_A;*pH(*AdNOpVYk3J!AF0vS^djK%a&^ z%{uNVzh~-polN7rjT0If5mM4y!{ez#xVQ#a*PlRRguuHl>*hPEE;~}pxvW{zTI+OdGowlft>sY)L3AagmpddJW*WvdMm{d zAqA>dba^K>_gk(UL!=faEHc1`U#vI}>AqDJNi=^DrJ%=A-_@D&wA!he??v+0>E!s# z-pTMPO27YS7P5hz(Bw0;ZB%Mm^7nEQd{lBH1W`RR%tf@zTXDFRs05x*dO}m8yhHs< zJ@*|`dWppZ!kwFJS&v84JB?2(jYGYDA|+69*OJ#bn8-DQdr}3cvEr@%=hhrwdItyB zYIof4F|wPln|me_Hlvtc@*WXI$V$3Yg6K0egX~z7y)(-R^PX|A)c4saS!Lxs#yv>d zSx5xjom7T$mMsxMg%7n<0~RknDs_e`((S~8K5LnTW^lI`fI2)>Y^Gn?E3aNKok%b; z$#d^y+vdF*PAq@awa5yWDSG-`ZTv#O=EBQ-9tzv$TaqxZo7q%g)1F!MU~`P^w+C$R z5d7Wm|CArbIACh!TEEu_d|fZKWc?5=u0buS+l~&s?RzCExKp8#(Py?C@l*VB%REc_r2a*`tz6FdUBfMRIkV9%TC+Mpd$Ry3tzTbzqq-2zD%=D zW!}lz|4zGI*vlZTCS*W>b|H%SigL^s@srrohr}z>7289nj-;N8P3IBm+>|mgFZu9ml5G7`xoVZ%%A!6@Z>XfM zr$M_+dfVblCB0+0@tN9LJ-=reI0movzD@N(pOJh@-6JF?$*$m!y9js1Xajm65Ht>; zLSq0bgir{DfFTfAs1^eO@FKXB6U-BKdBI?AI0ztN`A<$J)Cq*& z2*-a3>Lk%g6jBg@3--O~kH?+@`2P*K1-aZwBr7~V7$5Q{g9>s5k#711`IAD)fQ%?F zRvW--0@(A~x|)Ey80y5;1~dTO|A7C0NmQ`xUu8M@HK0^53ItHWNC*`S2K|EOye@DF zNazWQBGfP4)zzy%h%vtKkyzM~;4tyXfBtGM_GGU_?a5Q#$<7R7oM8jhOQKshCEEok zTUkcv_6w62wni%3C#VObD1Bf`wWD-B4r*!r>{FyLVq6O8Gm@8^T?*Lqox$@tdlZWL zAjZDypqO1(?xfA%1h1#J3bUSW#tgvMYLoHS!3H2z$K1Pt-q$Ye8=ESzOjry3{pP}# zQTJ-pF^q!P*{Yv=_>8<{o-~_54Y!1Ksx_ML)5n@B2^*5zwWPJBQH8rP$KK9HXOwH0 zhpfbC9UUMz=QouJxq|VBhN|N^RNQ))W0#TaPss4qjDLXe_?kx$C>R7TMg!7-AMO{znJ3F1U!shoa 
zR|Y$@f+Gh5*;=$F&d97qgH_2n65^v=1&%&GEBW(Q9{ezRt;sU+&BoD|N5nLJ*VKT( z8F?{%(mld7bFzsK*X{Quv0YK1Vp?ary0TGSM3PwKpy0kjqRZTNm$)^?``qGnn8`aD zw^e1MNVuyCNBrD|sjw7bSYI&IU2OuvT{Oyd_gm6lJ6{R^6*k_he_fBQ?skT=VXx1l zhp8?j9{YrWX8M%qaR%X(?Q7ak7eD;5N*G#OaR4jNOO4cNg-+kqk}tbTp&!1a@U}&^ z;CK22^2E#C1l#lI-oA@%V(SY<7C6SY{B$1eT#j?{I80l6Zu&;Il)TbXnKM_Z-|rT; B+9Ln} literal 0 HcmV?d00001 diff --git a/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testTrustStore.jks b/dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/src/test/resources/ssl/testTrustStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..33f09c11dfaa303e3054be774923b8fe8c87bdf6 GIT binary patch literal 960 zcmezO_TO6u1_mY|W(3nLC8@Fjt0)(AaQ14{-5=4OK?=6ZuBrt}5OOpHuS zEX5{U*$jBuIJMe5+P?ELGIFyr7~~rY81S(%hqABBO}8iMUFT@2ZOeg zIo0VqU)Gsh?)+2lWOX}l!O^y$Ym+mc_-!)0uCa_;8-rUqM^}7kX7=(~dap{9?W!DC!lk)$X00#?P_`2uw~E*o>P|{AL8)a$wl+I z^Yf=?&w7Zu@^^03*V{V3@&39=C;9AS6{hcZW48MuYPP{>f7jY8`_`m?l>NFX|J}>W zs&)1M!*_CxJ!%JZ-G*y&uI-Q@V8H2Ao^QZ857+o=rh&!T)Lp9>BJ|f@$L(-trg85yKc zWSce1YM95!*M2+JvS9zI1McUKniN!>&wgdnvX7%`#xvWuvXAoFZY!^LTzmDt?4&Pq zS^w6&+vnB3+FavZe+Hy)N+-1FmY z`h|CIf*7@)$X(iEQhcY*L}jI4`P#pm%Xtq~9Z3ClMsTj=sz~9(bJxZvK074w;psw8 i$F1+@P2@41^Um9F1>-ph;maAXGcx@a=o~s4V+sJO#ADR} literal 0 HcmV?d00001 diff --git a/dolphinscheduler-worker/src/main/resources/application.yaml b/dolphinscheduler-worker/src/main/resources/application.yaml index 5cac4c29e5ae..0a2ae9743859 100644 --- a/dolphinscheduler-worker/src/main/resources/application.yaml +++ b/dolphinscheduler-worker/src/main/resources/application.yaml @@ -37,7 +37,8 @@ registry: session-timeout: 60s connection-timeout: 15s block-until-connected: 15s - digest: ~ + authorization: + digest: ~ worker: # worker listener port