Consolidate encryption and auth (#366)
# Description

Fixes #365

Changes, heavily inspired by the [consolidation which recently happened for the kafka-operator](stackabletech/kafka-operator#532). Relates to stackabletech/issues#293

The new structure was guided by this snippet:
```yaml
apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: derby-druid
spec:
  image:
    productVersion: 24.0.0
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: druid-tls-authentication-class (tls) # String
      - authenticationClass: druid-ldap-authentication-class (ldap) # String
    authorization:
      opa:
        configMapName: test-opa
        package: druid
    zookeeperConfigMapName: druid-znode
    metadataStorageDatabase:
      dbType: derby
      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
      host: localhost
      port: 1527
    deepStorage:
      hdfs:
        configMapName: druid-hdfs
        directory: /druid
    tls:
      serverSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
      internalSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
```

## Overview of introduced changes

While working on the main issue, adjacent and somewhat-related refactorings/changes were introduced as well:

* Prefer not to disable TLS for integration tests, where possible (justification: while the complexity is slightly higher, we are testing the recommended codepath more, as TLS is on by default)
* Introduce dedicated authorization and security rust files
* Adjustments to test helper scripts (mostly regarding uniformity and ergonomics)

## Highlight

Security-validation logic is well tested!



Co-authored-by: Vladislav Supalov <[email protected]>
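As an added example that is not part of this commit or of the druid-operator code base: a small in-memory model of the two rules the consolidated layout implies, the first from usage.adoc (`serverAndInternalSecretClass` cannot be `null` once a TLS AuthenticationClass is listed) and the second from the new CRD description (the SecretClass used to authenticate users must be the one used for internal communication). All type and function names are hypothetical, and the check runs over any number of listed classes rather than the single entry the docs show.

```rust
// Added example, not druid-operator code: the checks implied by this commit's
// CRD description and usage.adoc, on a hypothetical in-memory model.
pub enum AuthProvider {
    // `clientCertSecretClass` of a TLS AuthenticationClass; None models `tls: {}`.
    Tls { client_cert_secret_class: Option<String> },
    Ldap,
}
pub struct AuthenticationClass {
    pub name: String,
    pub provider: AuthProvider,
}
pub struct ClusterSecurity {
    // `spec.clusterConfig.tls.serverAndInternalSecretClass`; None = user wrote `null`.
    pub server_and_internal_secret_class: Option<String>,
    // The resolved `spec.clusterConfig.authentication[*].authenticationClass` entries.
    pub authentication: Vec<AuthenticationClass>,
}

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    // usage.adoc: the server class "cannot be explicitly set to null" with TLS auth.
    TlsAuthWithoutEncryption { auth_class: String },
    // CRD: the user-authentication SecretClass must be the internal-communication one.
    SecretClassMismatch { auth_class: String, client: String, server: String },
}

/// Checks every listed AuthenticationClass; on success returns the SecretClass
/// that client connections end up using (None only when no TLS auth is listed).
pub fn validate(sec: &ClusterSecurity) -> Result<Option<String>, ValidationError> {
    for class in &sec.authentication {
        let client = match &class.provider {
            AuthProvider::Tls { client_cert_secret_class } => client_cert_secret_class,
            AuthProvider::Ldap => continue, // LDAP puts no constraint on the TLS setup
        };
        // Rule 1: TLS authentication needs encryption to be on.
        let server = match &sec.server_and_internal_secret_class {
            Some(s) => s,
            None => return Err(ValidationError::TlsAuthWithoutEncryption { auth_class: class.name.clone() }),
        };
        // Rule 2: an explicit client SecretClass must match the server/internal one.
        if let Some(c) = client {
            if c != server {
                return Err(ValidationError::SecretClassMismatch {
                    auth_class: class.name.clone(), client: c.clone(), server: server.clone(),
                });
            }
        }
    }
    Ok(sec.server_and_internal_secret_class.clone())
}
```

Rule 2 follows the CRD description in this commit; usage.adoc's Option 1 reads as if a differing client SecretClass such as `druid-mtls` were simply used, so treat the mismatch check as the stricter interpretation.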
sbernauer and Vladislav Supalov committed Jan 10, 2023
1 parent 6bd9e1c commit eacc322
Showing 70 changed files with 1,262 additions and 2,044 deletions.
1 change: 1 addition & 0 deletions Cargo.lock


50 changes: 30 additions & 20 deletions deploy/crd/druidcluster.crd.yaml
Expand Up @@ -23,6 +23,7 @@ spec:
spec:
properties:
brokers:
description: Configuration of the broker role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -355,22 +356,27 @@ spec:
- roleGroups
type: object
clusterConfig:
description: Common cluster wide configuration that can not differ or be overriden on a role or role group level
description: Common cluster wide configuration that can not differ or be overridden on a role or role group level
properties:
authentication:
description: Authentication class settings for Druid like TLS authentication or LDAP
nullable: true
properties:
tls:
description: TLS based client authentication (mutual TLS)
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
type: object
default: []
description: List of Authentication classes using like TLS or LDAP to authenticate users
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.
## TLS provider
Only affects client connections. This setting controls: - If clients need to authenticate themselves against Druid via TLS - Which ca.crt to use when validating the provided client certs
Please note that the SecretClass used to authenticate users needs to be the same as the SecretClass used for internal communication.
type: string
required:
- authenticationClass
type: object
type: array
authorization:
description: Authorization settings for Druid like OPA
nullable: true
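Review bot: the new item description under `authenticationClass` (the `|-` block) embeds a Markdown heading `## TLS provider` and a flattened bullet list ("This setting controls: - If clients ... - Which ca.crt ..."), which will show up as literal text in `kubectl explain`; reflow it as plain sentences. The list description "List of Authentication classes using like TLS or LDAP to authenticate users" should read "List of AuthenticationClasses, such as TLS or LDAP, used to authenticate users". Separately, the old object form allowed exactly one `tls` entry while the new `type: array` accepts any number, and the note that the user-authentication SecretClass must equal the internal one cannot be expressed in the OpenAPI schema, so both constraints now rest on operator-side validation; make sure it rejects a second TLS entry rather than silently using the first.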
Expand Down Expand Up @@ -667,15 +673,15 @@ spec:
type: object
tls:
default:
secretClass: tls
description: TLS encryption settings for Druid
serverAndInternalSecretClass: tls
description: TLS encryption settings for Druid. This setting only affects server and internal communication. It does not affect client tls authentication, use `clusterConfig.authentication` instead.
nullable: true
properties:
secretClass:
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Important: This will activate encrypted internal druid communication as well!'
serverAndInternalSecretClass:
default: tls
description: 'This setting controls client as well as internal tls usage: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the clients - Which cert the servers should use to authenticate themselves among each other'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery ConfigMap
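Review bot: renaming `secretClass` to `serverAndInternalSecretClass` is a breaking change for every existing DruidCluster that sets `clusterConfig.tls.secretClass`; without a conversion step such objects will either be rejected by strict field validation or have the old field pruned and fall back to the default `tls`, so the release notes and usage.adoc need a migration note. The new description also uses lowercase "tls" ("client tls authentication", "internal tls usage"); write "TLS" as the rest of the schema does. Since the field is both `default: tls` and `nullable: true`, an explicit `serverAndInternalSecretClass: null` is now the only way to switch encryption off, which is the right default but worth stating in the field description itself.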
Expand All @@ -686,6 +692,7 @@ spec:
- zookeeperConfigMapName
type: object
coordinators:
description: Configuration of the coordinator role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1018,6 +1025,7 @@ spec:
- roleGroups
type: object
historicals:
description: Configuration of the historical role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1507,6 +1515,7 @@ spec:
type: string
type: object
middleManagers:
description: Configuration of the middle managed role
properties:
cliOverrides:
additionalProperties:
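Review bot: "Configuration of the middle managed role" is a typo; the role is `middleManagers`, so this should be "Configuration of the middle manager role". If these descriptions come from doc comments in `rust/crd`, fix it at the source so all three copies of the CRD in this commit (`deploy/crd`, `deploy/helm`, `deploy/manifests`) pick it up on regeneration.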
Expand Down Expand Up @@ -1839,6 +1848,7 @@ spec:
- roleGroups
type: object
routers:
description: Configuration of the router role
properties:
cliOverrides:
additionalProperties:
50 changes: 30 additions & 20 deletions deploy/helm/druid-operator/crds/crds.yaml
Expand Up @@ -25,6 +25,7 @@ spec:
spec:
properties:
brokers:
description: Configuration of the broker role
properties:
cliOverrides:
additionalProperties:
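Review bot: the hunks in this file are identical to those in `deploy/crd/druidcluster.crd.yaml` apart from the line offsets, so the comments there (Markdown in the `authenticationClass` description, the "using like" wording, the breaking `secretClass` rename, and the "middle managed role" typo) apply to this copy as well and should be fixed once at the source rather than in each generated file.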
Expand Down Expand Up @@ -357,22 +358,27 @@ spec:
- roleGroups
type: object
clusterConfig:
description: Common cluster wide configuration that can not differ or be overriden on a role or role group level
description: Common cluster wide configuration that can not differ or be overridden on a role or role group level
properties:
authentication:
description: Authentication class settings for Druid like TLS authentication or LDAP
nullable: true
properties:
tls:
description: TLS based client authentication (mutual TLS)
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
type: object
default: []
description: List of Authentication classes using like TLS or LDAP to authenticate users
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.
## TLS provider
Only affects client connections. This setting controls: - If clients need to authenticate themselves against Druid via TLS - Which ca.crt to use when validating the provided client certs
Please note that the SecretClass used to authenticate users needs to be the same as the SecretClass used for internal communication.
type: string
required:
- authenticationClass
type: object
type: array
authorization:
description: Authorization settings for Druid like OPA
nullable: true
Expand Down Expand Up @@ -669,15 +675,15 @@ spec:
type: object
tls:
default:
secretClass: tls
description: TLS encryption settings for Druid
serverAndInternalSecretClass: tls
description: TLS encryption settings for Druid. This setting only affects server and internal communication. It does not affect client tls authentication, use `clusterConfig.authentication` instead.
nullable: true
properties:
secretClass:
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Important: This will activate encrypted internal druid communication as well!'
serverAndInternalSecretClass:
default: tls
description: 'This setting controls client as well as internal tls usage: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the clients - Which cert the servers should use to authenticate themselves among each other'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery ConfigMap
Expand All @@ -688,6 +694,7 @@ spec:
- zookeeperConfigMapName
type: object
coordinators:
description: Configuration of the coordinator role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1020,6 +1027,7 @@ spec:
- roleGroups
type: object
historicals:
description: Configuration of the historical role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1509,6 +1517,7 @@ spec:
type: string
type: object
middleManagers:
description: Configuration of the middle managed role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1841,6 +1850,7 @@ spec:
- roleGroups
type: object
routers:
description: Configuration of the router role
properties:
cliOverrides:
additionalProperties:
50 changes: 30 additions & 20 deletions deploy/manifests/crds.yaml
Expand Up @@ -26,6 +26,7 @@ spec:
spec:
properties:
brokers:
description: Configuration of the broker role
properties:
cliOverrides:
additionalProperties:
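Review bot: this is the third identical copy of the CRD hunks (see `deploy/crd/druidcluster.crd.yaml`); the same description fixes apply, including "middle managed role" in the `middleManagers` hunk below.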
Expand Down Expand Up @@ -358,22 +359,27 @@ spec:
- roleGroups
type: object
clusterConfig:
description: Common cluster wide configuration that can not differ or be overriden on a role or role group level
description: Common cluster wide configuration that can not differ or be overridden on a role or role group level
properties:
authentication:
description: Authentication class settings for Druid like TLS authentication or LDAP
nullable: true
properties:
tls:
description: TLS based client authentication (mutual TLS)
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
type: object
default: []
description: List of Authentication classes using like TLS or LDAP to authenticate users
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.
## TLS provider
Only affects client connections. This setting controls: - If clients need to authenticate themselves against Druid via TLS - Which ca.crt to use when validating the provided client certs
Please note that the SecretClass used to authenticate users needs to be the same as the SecretClass used for internal communication.
type: string
required:
- authenticationClass
type: object
type: array
authorization:
description: Authorization settings for Druid like OPA
nullable: true
Expand Down Expand Up @@ -670,15 +676,15 @@ spec:
type: object
tls:
default:
secretClass: tls
description: TLS encryption settings for Druid
serverAndInternalSecretClass: tls
description: TLS encryption settings for Druid. This setting only affects server and internal communication. It does not affect client tls authentication, use `clusterConfig.authentication` instead.
nullable: true
properties:
secretClass:
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Important: This will activate encrypted internal druid communication as well!'
serverAndInternalSecretClass:
default: tls
description: 'This setting controls client as well as internal tls usage: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the clients - Which cert the servers should use to authenticate themselves among each other'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery ConfigMap
Expand All @@ -689,6 +695,7 @@ spec:
- zookeeperConfigMapName
type: object
coordinators:
description: Configuration of the coordinator role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1021,6 +1028,7 @@ spec:
- roleGroups
type: object
historicals:
description: Configuration of the historical role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1510,6 +1518,7 @@ spec:
type: string
type: object
middleManagers:
description: Configuration of the middle managed role
properties:
cliOverrides:
additionalProperties:
Expand Down Expand Up @@ -1842,6 +1851,7 @@ spec:
- roleGroups
type: object
routers:
description: Configuration of the router role
properties:
cliOverrides:
additionalProperties:
13 changes: 5 additions & 8 deletions docs/modules/ROOT/pages/usage.adoc
Expand Up @@ -265,11 +265,11 @@ TLS encryption is supported for internal cluster communication (e.g. between Bro
spec:
clusterConfig:
tls:
secretClass: tls # <1>
serverAndInternalSecretClass: tls # <1>
----
<1> Name of the `SecretClass` that is used to encrypt internal and external communication.

IMPORTANT: A Stackable Druid cluster is always encrypted per default. In order to disable this default behavior you can set `spec.clusterConfig.tls: null`.
IMPORTANT: A Stackable Druid cluster is always encrypted per default. In order to disable this default behavior you can set `spec.clusterConfig.tls.serverAndInternalSecretClass: null`.

=== Authentication

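Review bot: the IMPORTANT paragraph should say what `spec.clusterConfig.tls.serverAndInternalSecretClass: null` actually switches off; per the new CRD description that field governs both client-facing and internal encryption, so the sentence should make clear that `null` disables encryption for all traffic, not only the external side a reader of callout <1> might assume. This section is also the natural place for a one-line note that the field was renamed from `secretClass`, so users upgrading know to change their manifests.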
Expand All @@ -282,13 +282,10 @@ The access to the Druid cluster can be limited by configuring client authenticat
spec:
clusterConfig:
authentication:
tls:
authenticationClass: druid-tls-auth # <1>
- authenticationClass: druid-tls-auth # <1>
----
<1> Name of the `AuthenticationClass` that is used to encrypt and authenticate communication.

IMPORTANT: The TLS `AuthenticationClass` and its respective `SecretClass` will always take precedence over the TLS encryption `SecretClass` (if provided).

The `AuthenticationClass` may or may not have a `SecretClass` configured:
[source,yaml]
----
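Review bot: the removed IMPORTANT paragraph (the TLS `AuthenticationClass` SecretClass takes precedence over the encryption SecretClass) is replaced in the CRD description by the opposite rule, that the two SecretClasses must be the same, but this hunk drops the old statement without documenting the new one; add it here. Callout <1> also still says the `AuthenticationClass` "is used to encrypt and authenticate communication", while encryption is now configured by `tls.serverAndInternalSecretClass` in the section above, so "used to authenticate clients" is more accurate.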
Expand All @@ -303,10 +300,10 @@ spec:
tls:
clientCertSecretClass: druid-mtls # <1>
# Option 2
tls: null # <2>
tls: {} # <2>
----
<1> If a client `SecretClass` is provided in the `AuthenticationClass` (here `druid-mtls`), these certificates will be used for encryption and authentication.
<2> If no client `SecretClass` is provided in the `AuthenticationClass`, the `spec.clusterConfig.tls.secretClass` will be used for encryption and authentication. It cannot be explicitly set to null in this case.
<2> If no client `SecretClass` is provided in the `AuthenticationClass`, the `spec.clusterConfig.tls.serverAndInternalSecretClass` will be used for encryption and authentication. It cannot be explicitly set to null in this case.

==== LDAP

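Review bot: callout <1> says a client `SecretClass` such as `druid-mtls` "will be used for encryption and authentication", but the new CRD description states that the SecretClass used to authenticate users "needs to be the same as the SecretClass used for internal communication". Either the operator rejects `druid-mtls` here when `serverAndInternalSecretClass` is `tls`, in which case Option 1 is an invalid example, or the constraint is not enforced and the CRD text is wrong; state which, and what error the user sees. The switch from `tls: null` to `tls: {}` for Option 2 reads right, since an empty provider block still selects TLS authentication whereas `null` reads as no provider at all.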
5 changes: 2 additions & 3 deletions examples/tls/tls-druid-cluster.yaml
Expand Up @@ -83,8 +83,7 @@ spec:
stackableVersion: 0.3.0
clusterConfig:
authentication:
tls:
authenticationClass: druid-mtls-authentication-class
- authenticationClass: druid-mtls-authentication-class
deepStorage:
hdfs:
configMapName: druid-hdfs
Expand All @@ -95,7 +94,7 @@ spec:
host: localhost
port: 1527
tls:
secretClass: tls
serverAndInternalSecretClass: tls
zookeeperConfigMapName: druid-znode
brokers:
roleGroups:
3 changes: 2 additions & 1 deletion rust/crd/Cargo.toml
Expand Up @@ -20,5 +20,6 @@ snafu = "0.7"
lazy_static = "1.4"

[dev-dependencies]
serde_yaml = "0.8"
indoc = "1.0"
rstest = "0.16"
serde_yaml = "0.8"

0 comments on commit eacc322
