feat: add nameserver auth

java/openmldb-batch/src/main/scala/com/_4paradigm/openmldb/batch/OpenmldbBatchConfig.scala

@@ -159,7 +159,7 @@ class OpenmldbBatchConfig extends Serializable {
   var openmldbUser = "root"
 
   @ConfigOption(name = "openmldb.password", doc = "The password of OpenMLDB")
-  var openmldbPassword = "root"
+  var openmldbPassword = ""
 
   @ConfigOption(name = "openmldb.default.db", doc = "The default database for OpenMLDB SQL")
   var defaultDb = "default_db"

src/CMakeLists.txt

@@ -60,7 +60,7 @@ endfunction(compile_lib)
 
 set(TEST_LIBS
     openmldb_test_base apiserver nameserver tablet query_response_time openmldb_sdk
-    openmldb_catalog client zk_client storage schema replica openmldb_codec base openmldb_proto log
+    openmldb_catalog client zk_client storage schema replica openmldb_codec base auth openmldb_proto log
     common zookeeper_mt tcmalloc_minimal ${RocksDB_LIB} ${VM_LIBS} ${LLVM_LIBS} ${ZETASQL_LIBS} ${BRPC_LIBS})
 if(CMAKE_CXX_COMPILER_ID MATCHES "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.1")
     # GNU implementation prior to 9.1 requires linking with -lstdc++fs
@@ -123,7 +123,7 @@ set_property(
 )
 
 add_library(openmldb_flags flags.cc)
-
+compile_lib(auth auth "")
 compile_lib(openmldb_codec codec "")
 compile_lib(openmldb_catalog catalog "")
 compile_lib(schema schema "")
@@ -141,7 +141,7 @@ compile_lib(apiserver apiserver "")
 find_package(yaml-cpp REQUIRED)
 set(yaml_libs yaml-cpp)
 
-set(BUILTIN_LIBS apiserver nameserver tablet query_response_time openmldb_sdk openmldb_catalog client zk_client replica base storage openmldb_codec schema openmldb_proto log ${RocksDB_LIB})
+set(BUILTIN_LIBS apiserver nameserver tablet query_response_time openmldb_sdk openmldb_catalog client zk_client replica base storage openmldb_codec schema openmldb_proto log auth ${RocksDB_LIB})
 set(BIN_LIBS ${BUILTIN_LIBS}
 common zookeeper_mt tcmalloc_minimal
 ${VM_LIBS}
@@ -152,6 +152,7 @@ ${BRPC_LIBS})
 if(TESTING_ENABLE)
     add_subdirectory(test)
     compile_test(cmd)
+    compile_test(auth)
     compile_test(base)
     compile_test(codec)
     compile_test(zk)

src/auth/auth_utils.cc

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2021 4Paradigm
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "auth_utils.h"
+
+namespace openmldb::auth {
+std::string FormUserHost(const std::string& username, const std::string& host) { return username + "@" + host; }
+}  // namespace openmldb::auth

src/auth/auth_utils.h

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2021 4Paradigm
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SRC_AUTH_AUTH_UTILS_H_
+#define SRC_AUTH_AUTH_UTILS_H_
+
+#include <string>
+
+namespace openmldb::auth {
+std::string FormUserHost(const std::string& username, const std::string& host);
+}  // namespace openmldb::auth
+
+#endif  // SRC_AUTH_AUTH_UTILS_H_

src/auth/brpc_authenticator.cc

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2021 4Paradigm
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "brpc_authenticator.h"
+
+#include "auth_utils.h"
+#include "butil/endpoint.h"
+
+namespace openmldb::authn {
+
+int BRPCAuthenticator::GenerateCredential(std::string* auth_str) const {
+    std::visit(
+        [auth_str](const auto& s) {
+            using T = std::decay_t<decltype(s)>;
+            if constexpr (std::is_same_v<T, UserToken>) {
+                *auth_str = "u" + s.user + ":" + s.password;
+            } else if constexpr (std::is_same_v<T, ServiceToken>) {
+                *auth_str = "s" + s.token;
+            }
+        },
+        auth_token_);
+    return 0;
+}
+
+int BRPCAuthenticator::VerifyCredential(const std::string& auth_str, const butil::EndPoint& client_addr,
+                                        brpc::AuthContext* out_ctx) const {
+    if (auth_str.length() < 2) {
+        return -1;
+    }
+
+    char auth_type = auth_str[0];
+    std::string credential = auth_str.substr(1);
+    if (auth_type == 'u') {
+        size_t pos = credential.find(':');
+        if (pos == std::string::npos) {
+            return -1;
+        }
+        auto host = butil::ip2str(client_addr.ip).c_str();
+        std::string username = credential.substr(0, pos);
+        std::string password = credential.substr(pos + 1);
+        if (is_authenticated_(host, username, password)) {
+            out_ctx->set_user(auth::FormUserHost(username, host));
+            out_ctx->set_is_service(false);
+            return 0;
+        }
+    } else if (auth_type == 's') {
+        if (VerifyToken(credential)) {
+            out_ctx->set_is_service(true);
+            return 0;
+        }
+    }
+    return -1;
+}
+
+bool BRPCAuthenticator::VerifyToken(const std::string& token) const { return token == "default"; }
+
+}  // namespace openmldb::authn

src/auth/brpc_authenticator.h

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2021 4Paradigm
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SRC_AUTH_BRPC_AUTHENTICATOR_H_
+#define SRC_AUTH_BRPC_AUTHENTICATOR_H_
+#include <functional>
+#include <string>
+#include <utility>
+#include <variant>
+
+#include "brpc/authenticator.h"
+
+namespace openmldb::authn {
+
+struct ServiceToken {
+    std::string token;
+};
+
+struct UserToken {
+    std::string user, password;
+};
+
+using AuthToken = std::variant<ServiceToken, UserToken>;
+
+class BRPCAuthenticator : public brpc::Authenticator {
+ public:
+    using IsAuthenticatedFunc = std::function<bool(const std::string&, const std::string&, const std::string&)>;
+
+    BRPCAuthenticator() {
+        is_authenticated_ = [](const std::string& host, const std::string& username, const std::string& password) {
+            return true;
+        };
+    }
+
+    explicit BRPCAuthenticator(const AuthToken auth_token) : auth_token_(auth_token) {}
+
+    explicit BRPCAuthenticator(IsAuthenticatedFunc is_authenticated) : is_authenticated_(std::move(is_authenticated)) {}
+
+    int GenerateCredential(std::string* auth_str) const override;
+    int VerifyCredential(const std::string& auth_str, const butil::EndPoint& client_addr,
+                         brpc::AuthContext* out_ctx) const override;
+
+ private:
+    AuthToken auth_token_ = openmldb::authn::ServiceToken{"default"};
+    IsAuthenticatedFunc is_authenticated_;
+    bool VerifyToken(const std::string& token) const;
+};
+
+}  // namespace openmldb::authn
+#endif  // SRC_AUTH_BRPC_AUTHENTICATOR_H_

src/auth/refreshable_map.h

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021 4Paradigm
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SRC_AUTH_REFRESHABLE_MAP_H_
+#define SRC_AUTH_REFRESHABLE_MAP_H_
+
+#include <memory>
+#include <mutex>
+#include <optional>
+#include <shared_mutex>
+#include <unordered_map>
+#include <utility>
+
+namespace openmldb::auth {
+
+template <typename Key, typename Value>
+class RefreshableMap {
+ public:
+    std::optional<Value> Get(const Key& key) const {
+        std::shared_lock<std::shared_mutex> lock(mutex_);
+        if (auto it = map_->find(key); it != map_->end()) {
+            return it->second;
+        }
+        return std::nullopt;
+    }
+
+    void Refresh(std::unique_ptr<std::unordered_map<Key, Value>> new_map) {
+        std::unique_lock<std::shared_mutex> lock(mutex_);
+        map_ = std::move(new_map);
+    }
+
+ private:
+    mutable std::shared_mutex mutex_;
+    std::shared_ptr<std::unordered_map<Key, Value>> map_;
+};
+
+}  // namespace openmldb::auth
+
+#endif  // SRC_AUTH_REFRESHABLE_MAP_H_