Skip to content

BB-694: Update auth config schema #2659

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bert-e merged 2 commits into from
Jul 21, 2025
Merged

BB-694: Update auth config schema #2659

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
150f39c
impr(BB-694): Add schemas for kerberos and basic auth configs
tmacro Jul 14, 2025
ead9d77
Bump CI cloudserver tag to 9.0.19
tmacro Jul 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions .github/dockerfiles/cloudserver/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,9 @@
ARG CLOUDSERVER_IMAGE=ghcr.io/scality/cloudserver:7.70.47
ARG CLOUDSERVER_IMAGE=ghcr.io/scality/cloudserver:9.0.19

FROM ${CLOUDSERVER_IMAGE}

ADD ./config.json /conf/config.json

# Update sources.list to use archive repositories for Buster
RUN sed -i 's/deb.debian.org/archive.debian.org/g' /etc/apt/sources.list \
&& sed -i 's/security.debian.org/archive.debian.org/g' /etc/apt/sources.list \
&& sed -i '/buster-updates/d' /etc/apt/sources.list \
&& apt update \
RUN apt update \
&& apt install -y curl \
&& apt clean
2 changes: 2 additions & 0 deletions .github/dockerfiles/ft/docker-compose.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ services:
profiles: ['s3c']
build:
context: ../cloudserver
args:
CLOUDSERVER_IMAGE: "${CLOUDSERVER_IMAGE}"
depends_on:
- metadata
ports:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,7 +223,7 @@ jobs:
fail-fast: false
matrix:
profile: [ 's3c' ]
cloudserver_tag: [ '7.70.47' ]
cloudserver_tag: [ '9.0.19' ]
steps:
- name: Checkout
uses: actions/checkout@v4
Expand Down Expand Up @@ -251,7 +251,7 @@ jobs:
working-directory: .github/dockerfiles/ft
- name: Create Zookeeper paths for tests with metadata
run: |-
# Setup zookeeper paths for backbeat like we do in federation
# Setup zookeeper paths for backbeat like we do in federation
docker exec ft-kafka-1 /opt/kafka_2.11-0.10.1.0/bin/zookeeper-shell.sh localhost:2181 create /backbeat ""
docker exec ft-kafka-1 /opt/kafka_2.11-0.10.1.0/bin/zookeeper-shell.sh localhost:2181 create /backbeat/replication-populator ""
docker exec ft-kafka-1 /opt/kafka_2.11-0.10.1.0/bin/zookeeper-shell.sh localhost:2181 create /backbeat/replication-populator/raft-id-dispatcher ""
Expand Down
44 changes: 33 additions & 11 deletions extensions/notification/NotificationConfigValidator.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,27 +1,45 @@
const joi = require('joi');
const { probeServerJoi } = require('../../lib/config/configItems.joi');

const authSchema = joi.object({
type: joi.string(),
ssl: joi.boolean(),
protocol: joi.string(),
const sslSchema = joi.object({
ssl: joi.boolean().default(false),
Copy link
Copy Markdown
Contributor

@jonathan-gramain jonathan-gramain Jul 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would having type: "ssl" be more consistent with the other auth types?

Copy link
Copy Markdown
Contributor Author

@tmacro tmacro Jul 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ssl auth isn't really a distinct type, it can be used with kerberos and basic auth as well. My feeling is most deploys using kerberos and basic auth will use at least ca and key so the credentials aren't sent over the wire unencrypted.

ca: joi.string(),
client: joi.string(),
key: joi.string(),
keyPassword: joi.string(),
keytab: joi.string(),
principal: joi.string(),
serviceName: joi.string(),
});

const saslAuthSchema = sslSchema.append({
protocol: joi.string().valid('SASL_PLAINTEXT', 'SASL_SSL').required(),
});

const kerberosAuthSchema = saslAuthSchema.append({
type: joi.string().valid('kerberos').required(),
keytab: joi.string().required(),
principal: joi.string().required(),
serviceName: joi.string().required(),
});

const basicAuthSchema = saslAuthSchema.append({
type: joi.string().valid('basic').required(),
credentialsFile: joi.string().required(),
});

const credentialsFileSchema = joi.object({
username: joi.string().required(),
password: joi.string().required(),
});

const authSchema = joi.alternatives().try(sslSchema, kerberosAuthSchema, basicAuthSchema).default({});

const destinationSchema = joi.object({
resource: joi.string().required(),
type: joi.string().required(),
host: joi.string().required(),
port: joi.number().optional(),
internalTopic: joi.string(),
topic: joi.string().required(),
auth: authSchema.default({}),
auth: authSchema,
requiredAcks: joi.number().when('type', {
is: joi.string().not('kafka'),
then: joi.forbidden(),
Expand All @@ -39,10 +57,10 @@ const joiSchema = joi.object({
monitorNotificationFailures: joi.boolean().default(true),
notificationFailedTopic: joi.string().optional(),
zookeeperPath: joi.string().optional(),
queueProcessor: {
queueProcessor: joi.object({
groupId: joi.string().required(),
concurrency: joi.number().greater(0).default(1000),
},
}),
destinations: joi.array().items(destinationSchema).default([]),
// TODO: BB-625 reset to being required after supporting probeserver in S3C
// for bucket notification proceses
Expand All @@ -59,4 +77,8 @@ function configValidator(backbeatConfig, extConfig) {
return validatedConfig;
}

module.exports = configValidator;
module.exports = {
NotificationConfigValidator: configValidator,
authSchema,
credentialsFileSchema,
};
9 changes: 4 additions & 5 deletions extensions/notification/destination/KafkaProducer.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,15 @@
const joi = require('joi');
const { authSchema } = require('../NotificationConfigValidator');

const BackbeatProducer = require('../../../lib/BackbeatProducer');
const authUtil = require('../utils/auth');

class KafkaProducer extends BackbeatProducer {

getConfigJoi() {
return super.getConfigJoi().append(
{ auth: joi.object().optional() }
).keys(
{ topic: joi.string() }
);
return super.getConfigJoi()
.append({ auth: authSchema })
.keys({ topic: joi.string() });
}

getClientId() {
Expand Down
2 changes: 1 addition & 1 deletion extensions/notification/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
const NotificationConfigValidator = require('./NotificationConfigValidator');
const { NotificationConfigValidator } = require('./NotificationConfigValidator');
const NotificationOplogPopulatorUtils = require('./NotificationOplogPopulatorUtils');

module.exports = {
Expand Down
1 change: 1 addition & 0 deletions tests/unit/notification/KafkaNotificationDestination.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ describe('KafkaNotificationDestination ::', () => {
afterEach(() => {
sinon.restore();
});

it('should properly configure producer', done => {
const destConfig = {
host: 'localhost',
Expand Down
Loading
Loading