[Merged by Bors] - Consolidate encryption and auth #366

Closed
wants to merge 21 commits into from

@vsupalov vsupalov commented Jan 4, 2023

Description

Fixes #365

Changes, heavily inspired by the consolidation which recently happened for the kafka-operator. Relates to stackabletech/issues#293

The new structure was guided by this snippet:

```
apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: derby-druid
spec:
  image:
    productVersion: 24.0.0
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: druid-tls-authentication-class (tls) # String
      - authenticationClass: druid-ldap-authentication-class (ldap) # String
    authorization:
      opa:
        configMapName: test-opa
        package: druid
    zookeeperConfigMapName: druid-znode
    metadataStorageDatabase:
      dbType: derby
      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
      host: localhost
      port: 1527
    deepStorage:
      hdfs:
        configMapName: druid-hdfs
        directory: /druid
    tls:
      serverSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
      internalSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
```

Overview of introduced changes

While working on the main issue, adjacent and somewhat-related refactorings/changes were introduced as well:

  • Prefer not to disable TLS for integration tests, where possible (justification: while the complexity is slightly higher, we are testing the recommended codepath more, as TLS is on by default)
  • Introduce dedicated authorization and security rust files
  • Adjustments to test helper scripts (mostly regarding uniformity and ergonomics)

Highlight

Security-validation logic is well tested!

Review Checklist

  • Code contains useful comments
  • CRD change approved (or not applicable)
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)
  • Helm chart can be installed and deployed operator works (or not applicable)

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

vsupalov commented Jan 5, 2023

@sbernauer sbernauer force-pushed the 365-consolidate-encryption-and-auth branch from 1525ae0 to d4477a5 Compare January 5, 2023 10:17
@vsupalov vsupalov marked this pull request as ready for review January 5, 2023 10:26
@sbernauer sbernauer requested a review from a team January 5, 2023 10:28
@maltesander maltesander self-requested a review January 6, 2023 14:36
@maltesander maltesander left a comment

Just minor things. LGTM otherwise!

docs/modules/getting_started/examples/code/druid.yaml (outdated)
rust/crd/src/authentication.rs (outdated)
rust/crd/src/security.rs (outdated)
rust/crd/src/security.rs (outdated)
rust/crd/src/security.rs (outdated)
rust/crd/src/security.rs (outdated)
rust/operator-binary/src/druid_controller.rs (outdated)
rust/crd/src/tls.rs (outdated)
tests/templates/kuttl/authorizer/authcheck.py
tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py (outdated)
@sbernauer sbernauer requested a review from maltesander January 9, 2023 12:51
tests/templates/kuttl/commons/ingestioncheck-tls.py (outdated)
rust/crd/src/security.rs (outdated)
rust/crd/src/security.rs (outdated)
rust/crd/src/authentication.rs
@maltesander maltesander left a comment

LGTM if test passes!

@sbernauer

bors r+

bors bot pushed a commit that referenced this pull request Jan 10, 2023
# Description

Fixes #365

Changes, heavily inspired by the [consolidation which recently happened for the kafka-operator](stackabletech/kafka-operator#532). Relates to stackabletech/issues#293

The new structure was guided by this snippet:
```
apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: derby-druid
spec:
  image:
    productVersion: 24.0.0
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: druid-tls-authentication-class (tls) # String
      - authenticationClass: druid-ldap-authentication-class (ldap) # String
    authorization:
      opa:
        configMapName: test-opa
        package: druid
    zookeeperConfigMapName: druid-znode
    metadataStorageDatabase:
      dbType: derby
      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
      host: localhost
      port: 1527
    deepStorage:
      hdfs:
        configMapName: druid-hdfs
        directory: /druid
    tls:
      serverSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
      internalSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
```

## Overview of introduced changes

While working on the main issue, adjacent and somewhat-related refactorings/changes were introduced as well:

* Prefer not to disable TLS for integration tests, where possible (justification: while the complexity is slightly higher, we are testing the recommended codepath more, as TLS is on by default)
* Introduce dedicated authorization and security rust files
* Adjustments to test helper scripts (mostly regarding uniformity and ergonomics)

## Highlight

Security-validation logic is well tested!



Co-authored-by: Vladislav Supalov <[email protected]>
bors bot commented Jan 10, 2023

Pull request successfully merged into main.

Build succeeded:

@bors bors bot changed the title Consolidate encryption and auth [Merged by Bors] - Consolidate encryption and auth Jan 10, 2023
@bors bors bot closed this Jan 10, 2023
@bors bors bot deleted the 365-consolidate-encryption-and-auth branch January 10, 2023 11:36
bors bot pushed a commit that referenced this pull request Jan 10, 2023
Add Changelog entry for #366
Successfully merging this pull request may close these issues.

Consolidate encryption, authentication and authorization
3 participants