Commit
The TELNET api now supports basic and HMACSHA256 authentication. There is still some work to do with the HMAC implementation, it's kind of fake, the nonce and date are hardcoded for example.

The connection will attempt to authenticate, and once authenticated the authentication handler is dropped from the pipeline and OpenTSDB behaves the same as it does when not using authentication.

You can see below various authentication attempts and the corresponding OpenTSDB log output.

```
---------------------------------------------------------------
$ telnet localhost 4242
Connected to localhost.
Escape character is '^]'.
auth basic admin admin
AUTHSUCESS.
exit
Connection closed by foreign host.

2016-03-18 00:05:32,510 DEBUG [OpenTSDB I/O Worker OpenTSDB#4] AuthenticationChannelHandler: Setting up AuthenticationChannelHandler
2016-03-18 00:05:32,510 DEBUG [OpenTSDB I/O Worker OpenTSDB#4] AuthenticationChannelHandler: Passing auth command to Authentication Plugin
2016-03-18 00:05:32,510 DEBUG [OpenTSDB I/O Worker OpenTSDB#4] EmbeddedAuthenticationPlugin: Validating Credentials
2016-03-18 00:05:32,510 DEBUG [OpenTSDB I/O Worker OpenTSDB#4] EmbeddedAuthenticationPlugin: Authentication Succeeded for: admin
2016-03-18 00:05:32,511 INFO [OpenTSDB I/O Worker OpenTSDB#4] AuthenticationChannelHandler: Authentication Completed
---------------------------------------------------------------
$ telnet localhost 4242
Connected to localhost.
Escape character is '^]'.
auth hmacsha256 admin digest=6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535&date=2016-03-18T04:10:27+00:00&noonce=4353
AUTHSUCESS.
put test.foo 53434646745 43 tag=value
put: unknown metric: No such name for 'metrics': 'test.foo'
exit
Connection closed by foreign host.

2016-03-18 00:02:47,631 DEBUG [OpenTSDB I/O Worker tsuna#2] AuthenticationChannelHandler: Setting up AuthenticationChannelHandler
2016-03-18 00:02:47,631 DEBUG [OpenTSDB I/O Worker tsuna#2] AuthenticationChannelHandler: Passing auth command to Authentication Plugin
2016-03-18 00:02:47,631 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Validating Digest
2016-03-18 00:02:47,631 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Authenticating admin 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:02:47,631 TRACE [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Generating HASH for admin admin2016-03-18T04:10:27+00:004353
2016-03-18 00:02:47,631 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Generating HASH for admin
2016-03-18 00:02:47,632 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Calc: 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:02:47,632 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Prov: 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:02:47,632 DEBUG [OpenTSDB I/O Worker tsuna#2] EmbeddedAuthenticationPlugin: Authentication Succeeded for: admin
2016-03-18 00:02:47,632 INFO [OpenTSDB I/O Worker tsuna#2] AuthenticationChannelHandler: Authentication Completed
2016-03-18 00:02:52,719 DEBUG [OpenTSDB I/O Worker tsuna#2] PutDataPointRpc: put: unknown metric: No such name for 'metrics': 'test.foo'
---------------------------------------------------------------
$ telnet localhost 4242
Connected to localhost.
Escape character is '^]'.
put test.foo 53434646745 43 tag=value
AUTHFAIL
put test.foo 53434646745 43 tag=value
AUTHFAIL
auth hmacsha256 admin digest=6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535&date=2016-03-18T04:10:27+00:00&noonce=4353
AUTHSUCESS.
put test.foo 53434646745 43 tag=value
put: unknown metric: No such name for 'metrics': 'test.foo'
exit
Connection closed by foreign host.

2016-03-18 00:02:56,102 DEBUG [OpenTSDB I/O Worker tsuna#3] AuthenticationChannelHandler: Setting up AuthenticationChannelHandler
2016-03-18 00:02:56,103 DEBUG [OpenTSDB I/O Worker tsuna#3] AuthenticationChannelHandler: Passing auth command to Authentication Plugin
2016-03-18 00:02:56,103 ERROR [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Invalid Authentication Command Length: 5
2016-03-18 00:02:57,798 DEBUG [OpenTSDB I/O Worker tsuna#3] AuthenticationChannelHandler: Passing auth command to Authentication Plugin
2016-03-18 00:02:57,798 ERROR [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Invalid Authentication Command Length: 5
2016-03-18 00:03:02,173 DEBUG [OpenTSDB I/O Worker tsuna#3] AuthenticationChannelHandler: Passing auth command to Authentication Plugin
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Validating Digest
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Authenticating admin 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:03:02,174 TRACE [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Generating HASH for admin admin2016-03-18T04:10:27+00:004353
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Generating HASH for admin
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Calc: 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Prov: 6e833ce4ebdaa38b4e6f2473605a7d6d6709b6d63d2a38d0374237dee390c535
2016-03-18 00:03:02,174 DEBUG [OpenTSDB I/O Worker tsuna#3] EmbeddedAuthenticationPlugin: Authentication Succeeded for: admin
2016-03-18 00:03:02,174 INFO [OpenTSDB I/O Worker tsuna#3] AuthenticationChannelHandler: Authentication Completed
2016-03-18 00:03:12,038 DEBUG [OpenTSDB I/O Worker tsuna#3] PutDataPointRpc: put: unknown metric: No such name for 'metrics': 'test.foo'
---------------------------------------------------------------
```

Remaining Items:
* Create handler for HTTP to pull same HMAC values from headers
* Create HTTP API for modifying accessKey and Account objects
  - GET accessKey will generate new accessKey/accessSecretKey for an account (requires account root credentials)
  - DEL accessKey will delete the associated accessKey (will work with accessKey credentials or account root credentials)
  - PUT account will create a new account (requires admin credentials), returns root account accessKey/secretAccessKey
  - GET account will fetch account info, and list all accessKeys (but not accessSecretKeys)
  - DEL account will delete an account and all keys (requires admin credentials or account root credentials)
* Modify the built-in authentication plugin to store credentials in HBase

The API above will do nothing in OpenTSDB but will call the appropriate functions on the AuthenticationPlugin if configured. Will return a 405 Method Not Allowed if no plugin is configured.

The built-in authentication plugin currently just uses the single user provided in the config, but I would like to expand it to store accounts and accessKey/accessSecretKey pairs in an HBase table. The admin credentials are in the config, the built-in plugin has no notion of groups.
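The sessions above accept the same digest, date and nonce on two separate connections, which is what a hardcoded date and nonce allow. As an added example (not code from this commit or from OpenTSDB), the sketch below verifies the same `auth hmacsha256` line with a freshness window and single-use nonces; the class name, the signed-string layout (user + date + nonce), the five-minute window and the secret are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed freshness window


def sign(secret: bytes, user: str, date: str, nonce: str) -> str:
    # Assumed signed string: user + date + nonce, keyed with the shared secret.
    msg = (user + date + nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class HmacAuthVerifier:  # hypothetical name, not an OpenTSDB class
    def __init__(self, secrets, clock=lambda: datetime.now(timezone.utc)):
        self.secrets = secrets  # user -> shared secret (bytes)
        self.clock = clock
        self.seen = {}          # (user, nonce) -> time the entry may be dropped

    def verify(self, line: str) -> bool:
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["auth", "hmacsha256"]:
            return False
        user = parts[2]
        # Split by hand: a query-string decoder would turn the "+" in the
        # date's UTC offset into a space and change the signed string.
        fields = dict(p.partition("=")[::2] for p in parts[3].split("&"))
        digest, date, nonce = (fields.get(k) for k in ("digest", "date", "noonce"))
        if not (digest and date and nonce):
            return False
        try:
            sent = datetime.fromisoformat(date)
        except ValueError:
            return False
        now = self.clock()
        if sent.tzinfo is None or abs(now - sent) > MAX_SKEW:
            return False  # unzoned or stale timestamp
        expected = sign(self.secrets.get(user, b""), user, date, nonce)
        ok = hmac.compare_digest(expected.encode(), digest.encode())
        if user not in self.secrets or not ok:
            return False
        # Only requests with a valid MAC reach the cache, so unauthenticated
        # peers cannot fill it; entries outlive the freshness window.
        self.seen = {k: t for k, t in self.seen.items() if t > now}
        if (user, nonce) in self.seen:
            return False  # replay of an already accepted nonce
        self.seen[(user, nonce)] = sent + 2 * MAX_SKEW
        return True
```
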