Add TLS and simple key-based auth to Dashboard and stop/restart
endpoints
Yevgeny
committed
Mar 2, 2016
1 parent
acd9e3f
commit 7126623
Showing
10 changed files
with
185 additions
and
35 deletions.
@@ -0,0 +1,11 @@ | ||
akka { | ||
log-config-on-start = false | ||
loggers = ["akka.event.slf4j.Slf4jLogger"] | ||
loglevel = "INFO" | ||
} | ||
|
||
spray.can { | ||
server { | ||
verbose-error-messages = "on" | ||
} | ||
} |
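Review bot: `verbose-error-messages = "on"` in the `spray.can.server` block makes spray-can put exception detail into the HTTP error response, so any client that provokes an error receives internal messages; spray's reference configuration leaves this setting off and describes it as a development aid. Since this file lands together with the TLS and access-key hardening, set it to `"off"` (or drop the line) and keep the detail in the server log, which `loggers = ["akka.event.slf4j.Slf4jLogger"]` already covers. A one-line comment above it, `# keep off in production: error detail is sent to the client, not only logged`, would stop it from being switched back on by accident.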
50 changes: 50 additions & 0 deletions
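--- a/common/src/main/scala/io/prediction/authentication/Authentication.scala
+++ b/common/src/main/scala/io/prediction/authentication/Authentication.scala
@@ -0,0 +1,50 @@
+package io.prediction.authentication
+
+/**
+* Created by ykhodorkovsky on 3/1/16.
+*/
+package io.prediction.configuration
+
+/**
+* This is a (very) simple authentication for the dashboard and engine servers
+* It is highly recommended to implement a stonger authentication mechanism
+*/
+
+import java.io.File
+
+import com.typesafe.config.ConfigFactory
+
+import scala.concurrent.ExecutionContext.Implicits.global
+import spray.http.HttpRequest
+import spray.routing.{AuthenticationFailedRejection, RequestContext}
+import spray.routing.authentication._
+import spray.routing.directives.AuthMagnet
+import scala.concurrent.Future
+
+
+trait KeyAuthentication {
+
+object ServerKey {
+val serverConfig = ConfigFactory.parseFile(new File("conf/server.conf"))
+
+val key = serverConfig.getString("server.accessKey")
+def get: String = key
+def param: String = "accessKey"
+}
+
+def withAccessKeyFromFile: RequestContext => Future[Authentication[HttpRequest]] = {
+ctx: RequestContext =>
+val accessKeyParamOpt = ctx.request.uri.query.get(ServerKey.param)
+Future {
+
+val passedKey = accessKeyParamOpt.getOrElse {
+Left(AuthenticationFailedRejection(
+AuthenticationFailedRejection.CredentialsRejected, List()))
+}
+
+if (passedKey.equals(ServerKey.get)) Right(ctx.request)
+else Left(AuthenticationFailedRejection(AuthenticationFailedRejection.CredentialsRejected, List()))
+
+}
+}
+}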
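Review bot: The check on the `if (passedKey.equals(ServerKey.get))` line accepts a request whose `accessKey` query parameter equals the configured value even when that value is blank, and the `conf/server.conf` added in this commit ships `accessKey = ""`, so with the default configuration a request carrying an empty `accessKey` parameter is authenticated. `String.equals` also stops at the first differing byte, so a secret comparison is normally done with `java.security.MessageDigest.isEqual` (constant time once the lengths match); the rewrite below fails closed on a blank configured key, uses that comparison, and drops the `getOrElse` that substitutes a `Left` for a missing parameter and widens `passedKey` to `Any` (it only works because a `Left` never equals a `String`), so `MessageDigest` would need importing. Separately, the two stacked `package` clauses put `KeyAuthentication` in `io.prediction.authentication.configuration` rather than `io.prediction.authentication`, which reads like a copy-paste slip, and `AuthMagnet` is imported but unused. Carrying the secret in the query string also means it is written to access logs and browser history; a request header would be the safer carrier.
```scala
def withAccessKeyFromFile: RequestContext => Future[Authentication[HttpRequest]] = {
  ctx: RequestContext =>
    val accessKeyParamOpt = ctx.request.uri.query.get(ServerKey.param)
    Future {
      val rejected: Authentication[HttpRequest] = Left(AuthenticationFailedRejection(
        AuthenticationFailedRejection.CredentialsRejected, List()))
      val configured = ServerKey.get
      // Fail closed: a blank key in conf/server.conf must not mean "no authentication".
      // MessageDigest.isEqual does not short-circuit on the first mismatching byte, so
      // response time does not reveal how much of the key matched.
      accessKeyParamOpt match {
        case Some(passed) if configured.nonEmpty &&
            MessageDigest.isEqual(passed.getBytes("UTF-8"), configured.getBytes("UTF-8")) =>
          Right(ctx.request)
        case _ => rejected
      }
    }
}
```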
52 changes: 52 additions & 0 deletions
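--- a/common/src/main/scala/io/prediction/configuration/SSLConfiguration.scala
+++ b/common/src/main/scala/io/prediction/configuration/SSLConfiguration.scala
@@ -0,0 +1,52 @@
+package io.prediction.configuration
+
+/**
+* Created by ykhodorkovsky on 2/26/16.
+*/
+
+import java.io.FileInputStream
+import java.io.File
+import java.security.KeyStore
+import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
+
+import com.typesafe.config.ConfigFactory
+import spray.io.ServerSSLEngineProvider
+
+trait SSLConfiguration {
+
+private val serverConfig = ConfigFactory.parseFile(new File("conf/server.conf"))
+
+private val keyStoreResource = serverConfig.getString("server.ssl-keystore-resource")
+private val password = serverConfig.getString("server.ssl-keystore-pass")
+private val keyAlias = serverConfig.getString("server.ssl-key-alias")
+
+private val keyStore = {
+
+//Loading keystore from specified file
+val clientStore = KeyStore.getInstance("JKS")
+val inputStream = new FileInputStream(keyStoreResource)
+clientStore.load(inputStream, password.toCharArray)
+inputStream.close()
+clientStore
+}
+
+//Creating SSL context
+implicit def sslContext: SSLContext = {
+val context = SSLContext.getInstance("TLS")
+val tmf: TrustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
+val kmf: KeyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
+kmf.init(keyStore, password.toCharArray)
+tmf.init(keyStore)
+context.init(kmf.getKeyManagers, tmf.getTrustManagers, null)
+context
+}
+
+//provide implicit SSLEngine with some protocols
+implicit def sslEngineProvider: ServerSSLEngineProvider = {
+ServerSSLEngineProvider { engine =>
+engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"))
+engine.setEnabledProtocols(Array("TLSv1", "TLSv1.2", "TLSv1.1"))
+engine
+}
+}
+}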
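Review bot: The list on the `engine.setEnabledCipherSuites(...)` line enables `TLS_ECDH_ECDSA_WITH_RC4_128_SHA`, and RC4 is prohibited for TLS by RFC 7465; the remaining `TLS_RSA_*` suites offer no forward secrecy, and `TLSv1` is among the enabled protocols. At minimum remove the RC4 entry, and prefer ECDHE suites with AES-GCM (for an RSA key, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`; the exact names depend on the key type in the keystore and on the JRE) with `TLSv1` dropped if the expected clients allow it. In `keyStore`, the `FileInputStream` is only closed on the success path, so a failing `clientStore.load` leaks the handle; a `try`/`finally` around the load fixes that. `keyAlias` is read but never used, so a wrong `server.ssl-key-alias` is silently ignored while the `KeyManagerFactory` picks whichever key it finds; either select the key by alias or drop the setting. `sslContext` is an `implicit def` and so rebuilds the context, re-initialising both factories, on every implicit resolution; an `implicit lazy val` keeps the one-time initialisation and the same call sites.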
Binary file not shown.
@@ -0,0 +1,9 @@ | ||
# Engine and dashboard Server related configurations | ||
server { | ||
|
||
accessKey = "" | ||
|
||
ssl-keystore-resource = "conf/keystore.jks" | ||
ssl-keystore-pass = "pioserver" | ||
ssl-key-alias = "selfsigned" | ||
} |
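Review bot: The shipped defaults on the `accessKey = ""` and `ssl-keystore-pass = "pioserver"` lines mean a deployment that never edits this file runs with a blank access key and with a keystore whose password, and whose private key (the `keystore.jks` bundled in this commit), are public in the repository. The file should say so: above `accessKey`, `# Required. Set to a long random secret before exposing the server; an empty value is not a safe default.`, and above the keystore settings, `# The bundled self-signed keystore and its password are public; generate your own keystore for any non-local deployment.` Whether a blank `accessKey` is rejected is decided by the Scala code that reads it, not here, so the comment should not promise more than that code enforces.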
This file was deleted.