Pass controller/invoker credentials use env

Author: ningyougang

ansible/roles/controller/tasks/deploy.yml

@@ -71,18 +71,6 @@
     dest: "{{ controller.confdir }}/{{ controller_name }}/jmxremote.access"
     mode: 0777
 
-- name: copy controller auth username file
-  template:
-    src: "controllerauth.username.j2"
-    dest: "{{ controller.confdir  }}/{{ controller_name }}/controllerauth.username"
-    mode: 0777
-
-- name: copy controller auth password file
-  template:
-    src: "controllerauth.password.j2"
-    dest: "{{ controller.confdir  }}/{{ controller_name }}/controllerauth.password"
-    mode: 0777
-
 - name: "copy kafka truststore/keystore"
   when: kafka.protocol == 'SSL'
   copy:
@@ -215,6 +203,9 @@
       "CONFIG_whisk_db_activationsFilterDdoc": "{{ db_whisk_activations_filter_ddoc | default() }}"
       "CONFIG_whisk_userEvents_enabled": "{{ user_events | default(false) | lower }}"
 
+      "CONFIG_whisk_credentials_controller_username": "{{ controller.username }}"
+      "CONFIG_whisk_credentials_controller_password": "{{ controller.password }}"
+
       "LIMITS_ACTIONS_INVOKES_PERMINUTE": "{{ limits.invocationsPerMinute }}"
       "LIMITS_ACTIONS_INVOKES_CONCURRENT": "{{ limits.concurrentInvocations }}"
       "LIMITS_TRIGGERS_FIRES_PERMINUTE": "{{ limits.firesPerMinute }}"

ansible/roles/invoker/tasks/deploy.yml

@@ -183,18 +183,6 @@
     dest: "{{ invoker.confdir  }}/{{ invoker_name }}/jmxremote.access"
     mode: 0777
 
-- name: copy invoker auth username file
-  template:
-    src: "invokerauth.username.j2"
-    dest: "{{ invoker.confdir  }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.username"
-    mode: 0777
-
-- name: copy invoker auth password file
-  template:
-    src: "invokerauth.password.j2"
-    dest: "{{ invoker.confdir  }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.password"
-    mode: 0777
-
 - name: add additional jvm params if jmxremote is enabled
   when: jmx.enabled
   set_fact:
@@ -278,6 +266,8 @@
       "CONFIG_whisk_timeLimit_min": "{{ limit_action_time_min | default() }}"
       "CONFIG_whisk_timeLimit_max": "{{ limit_action_time_max | default() }}"
       "CONFIG_whisk_timeLimit_std": "{{ limit_action_time_std | default() }}"
+      "CONFIG_whisk_credentials_invoker_username": "{{ invoker.username }}"
+      "CONFIG_whisk_credentials_invoker_password": "{{ invoker.password }}"
       "CONFIG_whisk_concurrencyLimit_min": "{{ limit_action_concurrency_min | default() }}"
       "CONFIG_whisk_concurrencyLimit_max": "{{ limit_action_concurrency_max | default() }}"
       "CONFIG_whisk_concurrencyLimit_std": "{{ limit_action_concurrency_std | default() }}"

ansible/templates/controllerauth.password.j2

@@ -27,7 +27,7 @@ whisk.spi {
   EntitlementSpiProvider = org.apache.openwhisk.core.entitlement.LocalEntitlementProvider
   AuthenticationDirectiveProvider = org.apache.openwhisk.core.controller.BasicAuthenticationDirective
   InvokerProvider = org.apache.openwhisk.core.invoker.InvokerReactive
-  InvokerServerProvider = org.apache.openwhisk.core.invoker.InvokerServer
+  InvokerServerProvider = org.apache.openwhisk.core.invoker.DefaultInvokerServer
 }
 
 dispatchers {

ansible/templates/controllerauth.username.j2

@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.openwhisk.common
+
+case class ControllerCredentials(username: String, password: String)
+
+case class InvokerCredentials(username: String, password: String)

ansible/templates/invokerauth.password.j2

@@ -265,4 +265,7 @@ object ConfigKeys {
   val swaggerUi = "whisk.swagger-ui"
 
   val apacheClientConfig = "whisk.apache-client"
+
+  val controllerCredentials = "whisk.credentials.controller"
+  val invokerCredentials = "whisk.credentials.invoker"
 }

ansible/templates/invokerauth.username.j2

@@ -31,8 +31,15 @@ import pureconfig.generic.auto._
 import spray.json.DefaultJsonProtocol._
 import spray.json._
 import org.apache.openwhisk.common.Https.HttpsConfig
-import org.apache.openwhisk.common.{AkkaLogging, ConfigMXBean, Logging, LoggingMarkers, TransactionId}
-import org.apache.openwhisk.core.WhiskConfig
+import org.apache.openwhisk.common.{
+  AkkaLogging,
+  ConfigMXBean,
+  ControllerCredentials,
+  Logging,
+  LoggingMarkers,
+  TransactionId
+}
+import org.apache.openwhisk.core.{ConfigKeys, WhiskConfig}
 import org.apache.openwhisk.core.connector.MessagingProvider
 import org.apache.openwhisk.core.containerpool.logging.LogStoreProvider
 import org.apache.openwhisk.core.database.{ActivationStoreProvider, CacheChangeNotification, RemoteCacheInvalidation}
@@ -165,16 +172,7 @@ class Controller(val instance: ControllerInstanceId,
     runtimes,
     List(apiV1.basepath()))
 
-  private val controllerUsername = {
-    val source = scala.io.Source.fromFile("/conf/controllerauth.username");
-    try source.mkString.replaceAll("\r|\n", "")
-    finally source.close()
-  }
-  private val controllerPassword = {
-    val source = scala.io.Source.fromFile("/conf/controllerauth.password");
-    try source.mkString.replaceAll("\r|\n", "")
-    finally source.close()
-  }
+  private val controllerCredentials = loadConfigOrThrow[ControllerCredentials](ConfigKeys.controllerCredentials)
 
   /**
    * config runtime
@@ -184,7 +182,7 @@ class Controller(val instance: ControllerInstanceId,
     (path("config" / "runtime") & post) {
       extractCredentials {
         case Some(BasicHttpCredentials(username, password)) =>
-          if (username == controllerUsername && password == controllerPassword) {
+          if (username == controllerCredentials.username && password == controllerCredentials.password) {
             entity(as[String]) { runtime =>
               val execManifest = ExecManifest.initialize(runtime)
               if (execManifest.isFailure) {

common/scala/src/main/resources/reference.conf

@@ -21,38 +21,33 @@ import akka.actor.ActorSystem
 import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.model.headers.BasicHttpCredentials
 import akka.http.scaladsl.server.Route
-import org.apache.openwhisk.common.{Logging, TransactionId}
+import org.apache.openwhisk.common.{InvokerCredentials, Logging, TransactionId}
+import org.apache.openwhisk.core.ConfigKeys
 import org.apache.openwhisk.core.containerpool.PrewarmingConfig
 import org.apache.openwhisk.core.entity.{CodeExecAsString, ExecManifest}
 import org.apache.openwhisk.http.BasicRasService
 
+import pureconfig._
+import pureconfig.generic.auto._
+
 import scala.concurrent.ExecutionContext
 
 /**
  * Implements web server to handle certain REST API calls.
  */
-class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext,
-                                              val actorSystem: ActorSystem,
-                                              val logger: Logging)
+class DefaultInvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext,
+                                                     val actorSystem: ActorSystem,
+                                                     val logger: Logging)
     extends BasicRasService {
 
-  val invokerUsername = {
-    val source = scala.io.Source.fromFile("/conf/invokerauth.username");
-    try source.mkString.replaceAll("\r|\n", "")
-    finally source.close()
-  }
-  val invokerPassword = {
-    val source = scala.io.Source.fromFile("/conf/invokerauth.password");
-    try source.mkString.replaceAll("\r|\n", "")
-    finally source.close()
-  }
+  private val invokerCredentials = loadConfigOrThrow[InvokerCredentials](ConfigKeys.invokerCredentials)
 
   override def routes(implicit transid: TransactionId): Route = {
     super.routes ~ {
       (path("config" / "runtime") & post) {
         extractCredentials {
           case Some(BasicHttpCredentials(username, password)) =>
-            if (username == invokerUsername && password == invokerPassword) {
+            if (username == invokerCredentials.username && password == invokerCredentials.password) {
               entity(as[String]) { prewarmRuntime =>
                 val execManifest = ExecManifest.initialize(prewarmRuntime)
                 if (execManifest.isFailure) {
@@ -82,8 +77,8 @@ class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext,
   }
 }
 
-object InvokerServer extends InvokerServerProvider {
+object DefaultInvokerServer extends InvokerServerProvider {
   override def instance(
     invoker: InvokerCore)(implicit ec: ExecutionContext, actorSystem: ActorSystem, logger: Logging): BasicRasService =
-    new InvokerServer(invoker)
+    new DefaultInvokerServer(invoker)
 }

common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala

@@ -58,6 +58,13 @@ whisk {
     interface = localhost
   }
 
+  credentials {
+    controller.username = controller.user
+    controller.password = controller.pass
+  }
+
+
+
   # Default set of users which are bootstrapped upon start
   users {
     whisk-system = "789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP"