[ https://issues.apache.org/jira/browse/KNOX-2990?focusedWorklogId=897819&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-897819 ]
ASF GitHub Bot logged work on KNOX-2990:
----------------------------------------
                Author: ASF GitHub Bot
            Created on: 03/Jan/24 10:08
            Start Date: 03/Jan/24 10:08
    Worklog Time Spent: 10m
      Work Description: smolnar82 commented on code in PR #826:
URL: https://github.com/apache/knox/pull/826#discussion_r1440274597

##########
gateway-server/src/main/java/org/apache/knox/gateway/util/TokenMigrationTool.java:
##########
@@ -0,0 +1,232 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.util; + +import java.io.PrintStream; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Locale; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.atomic.AtomicInteger; + +import org.apache.knox.gateway.i18n.messages.MessagesFactory; +import org.apache.knox.gateway.services.security.AliasService; +import org.apache.knox.gateway.services.security.AliasServiceException; +import org.apache.knox.gateway.services.security.token.TokenMetadata; +import org.apache.knox.gateway.services.security.token.TokenStateService; +import org.apache.knox.gateway.services.token.impl.TokenStateServiceMessages; + +public class TokenMigrationTool { + + private static final String TOKEN_ALIAS_SUFFIX_DELIM = "--"; + private static final String TOKEN_ISSUE_TIME_POSTFIX = TOKEN_ALIAS_SUFFIX_DELIM + "iss"; + private static final String TOKEN_MAX_LIFETIME_POSTFIX = TOKEN_ALIAS_SUFFIX_DELIM + "max"; + private static final String TOKEN_META_POSTFIX = TOKEN_ALIAS_SUFFIX_DELIM + "meta"; + private static final 
TokenStateServiceMessages LOG = MessagesFactory.get(TokenStateServiceMessages.class); + + private final AliasService aliasService; + private final TokenStateService tokenStateService; + private final PrintStream out; + + private int progressCount = 10; + private boolean archiveMigratedTokens; + private boolean migrateExpiredTokens; + private boolean verbose; + + public TokenMigrationTool(AliasService aliasService, TokenStateService tokenStateService, PrintStream out) { + this.aliasService = aliasService; + this.tokenStateService = tokenStateService; + this.out = out; + } + + public void setProgressCount(int progressCount) { + this.progressCount = progressCount; + } + + public void setArchiveMigratedTokens(boolean archiveMigratedTokens) { + this.archiveMigratedTokens = archiveMigratedTokens; + } + + public void setMigrateExpiredTokens(boolean migrateExpiredTokens) { + this.migrateExpiredTokens = migrateExpiredTokens; + } + + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } + + public void migrateTokensFromGatewayCredentialStore() { + try { + final Map<String, TokenData> tokenDataMap = new ConcurrentHashMap<>(); + final long start = System.currentTimeMillis(); + String logMessage = "Loading token aliases from the __gateway credential store. This could take a while."; + log(logMessage); + final Map<String, char[]> passwordAliasMap = aliasService.getPasswordsForGateway(); + log("Token aliases loaded in " + (System.currentTimeMillis() - start) + " milliseconds"); + String alias; + for (Map.Entry<String, char[]> passwordAliasMapEntry : passwordAliasMap.entrySet()) { + alias = passwordAliasMapEntry.getKey(); + processAlias(passwordAliasMap, passwordAliasMapEntry, alias, tokenDataMap); + } + + final long migrationStart = System.currentTimeMillis(); + final AtomicInteger count = new AtomicInteger(0); Review Comment: No, there is no multi-threading here. I needed to use AtomicInteger because of the stream below accepts a final `count` variable. 
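Review bot: `aliasService.getPasswordsForGateway()` hands back every alias value in the __gateway credential store as a `char[]`, and nothing in the visible part of `migrateTokensFromGatewayCredentialStore()` zeroes those arrays once `processAlias(...)` has consumed them; an `Arrays.fill(passwordAliasMapEntry.getValue(), '\0')` after each call (the `java.util.Arrays` import is already present) would shorten the time the raw secrets stay resident, provided `processAlias` copies what it needs rather than keeping a reference. Minor: given the stated absence of multi-threading, `ConcurrentHashMap` for `tokenDataMap` could be the already-imported `HashMap`, and a one-line comment that `AtomicInteger count` is only a mutable holder for the lambda would pre-empt the same question from the next reader.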
Issue Time Tracking
-------------------

    Worklog Id:     (was: 897819)
    Time Spent: 0.5h  (was: 20m)

> TokenStateService implementation cleanup
> ----------------------------------------
>
>                 Key: KNOX-2990
>                 URL: https://issues.apache.org/jira/browse/KNOX-2990
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>    Affects Versions: 2.0.0, 1.6.0, 1.6.1
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing list [here|https://lists.apache.org/thread/fs9nkl6l45o330ttvgvqxj3jnxt63bcs].
> As a result of that discussion, the following needs to be implemented:
> * deprecate the following TSS implementations:
> ** AliasBasedTokenStateService
> ** ZookeeperTokenStateService
> ** JournalBasedTokenStateService
> * document the deprecation of these TSS implementations in v2.1.0 and highlight that they will be removed in the upcoming release (v2.2.0?).
> * implement a DerbyDB storage that will store tokens in {{$DATA_DIR/security/tokens}} (encrypted or not, it'll be decided later)
> * make sure appropriate file permissions are set on that folder
> * have the {{homepage}} topology configured with JDBC TSS pointing to this DerbyDB storage
> * implement a new KnoxCLI command that migrates existing tokens from credential stores to the DerbyDB storage
> * automate this new KnoxCLI command in a way such that it runs when Knox Gateway is started, token management is enabled, and DerbyDB storage is configured
> * ensure that the previous automated step can be controlled (E.g. in case of unforeseen errors it can be turned off)
> * document possible data replication scenarios when, in the case of HA deployments, existing tokens from one Knox node should be made available in other Knox node(s) and there is no other centralized RDBMS in use (PostgreSQL, MySQL for instance)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)