[INLONG-5283][Manager] Add OpenAPI authentication option (default off) (apache#5284)

woofyzhao · web-flow · commit 961a4338ef52 · 2022-07-30T17:26:48.000+08:00
diff --git a/inlong-agent/agent-core/src/test/resources/agent.properties b/inlong-agent/agent-core/src/test/resources/agent.properties
@@ -26,5 +26,5 @@ job.thread.running.core=10
 ############################
 agent.manager.vip.http.host=127.0.0.1
 agent.manager.vip.http.port=8083
-agent.manager.auth.secretId=test
-agent.manager.auth.secretKey=123456
+agent.manager.auth.secretId=
+agent.manager.auth.secretKey=
diff --git a/inlong-agent/agent-plugins/src/test/resources/agent.properties b/inlong-agent/agent-plugins/src/test/resources/agent.properties
@@ -23,5 +23,5 @@ job.thread.running.core=10
 agent.manager.vip.http.host=127.0.0.1
 agent.manager.vip.http.port=8083
 agent.fetcher.classname=org.apache.inlong.agent.plugin.fetcher.ManagerFetcher
-agent.manager.auth.secretId=test
-agent.manager.auth.secretKey=123456
+agent.manager.auth.secretId=
+agent.manager.auth.secretKey=
diff --git a/inlong-agent/conf/agent.properties b/inlong-agent/conf/agent.properties
@@ -106,8 +106,8 @@ agent.scheduled.snapshotreport=0 0/1 * * * ? *
 ############################
 agent.manager.vip.http.host=127.0.0.1
 agent.manager.vip.http.port=8083
-agent.manager.auth.secretId=admin
-agent.manager.auth.secretKey=87haw3VYTPqK5fK0
+agent.manager.auth.secretId=
+agent.manager.auth.secretKey=
 
 
 
diff --git a/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java b/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java
@@ -17,6 +17,8 @@
 
 package org.apache.inlong.common.util;
 
+import org.apache.commons.lang3.StringUtils;
+
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 
@@ -29,11 +31,15 @@ public class BasicAuth {
     public static final String BASIC_AUTH_PREFIX = "Basic";
     public static final String BASIC_AUTH_SEPARATOR = " ";
     public static final String BASIC_AUTH_JOINER = ":";
+    public static final String BASIC_AUTH_EMPTY = "";
 
     /**
      * Generate http basic auth credential from configured secretId and secretKey
      */
     public static String genBasicAuthCredential(String secretId, String secretKey) {
+        if (StringUtils.isBlank(secretId) || StringUtils.isBlank(secretKey)) {
+            return BASIC_AUTH_EMPTY;
+        }
         String credential = String.join(BASIC_AUTH_JOINER, secretId, secretKey);
         return BASIC_AUTH_PREFIX + BASIC_AUTH_SEPARATOR + Base64.getEncoder()
                 .encodeToString(credential.getBytes(StandardCharsets.UTF_8));
diff --git a/inlong-dataproxy/conf/common.properties b/inlong-dataproxy/conf/common.properties
@@ -20,8 +20,8 @@
 cluster.id=1
 # manager open api address and auth key
 manager.hosts=127.0.0.1:8083
-manager.auth.secretId=admin
-manager.auth.secretKey=87haw3VYTPqK5fK0
+manager.auth.secretId=
+manager.auth.secretKey=
 # proxy cluster name
 proxy.cluster.name=default_dataproxy
 # check interval of local config (millisecond)
diff --git a/inlong-dataproxy/dataproxy-source/src/main/java/org/apache/inlong/dataproxy/config/AuthUtils.java b/inlong-dataproxy/dataproxy-source/src/main/java/org/apache/inlong/dataproxy/config/AuthUtils.java
@@ -17,7 +17,6 @@
 
 package org.apache.inlong.dataproxy.config;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.inlong.common.util.BasicAuth;
 import org.apache.inlong.dataproxy.consts.ConfigConstants;
 import org.slf4j.Logger;
@@ -36,10 +35,6 @@ public static String genBasicAuth() {
         Map<String, String> properties = ConfigManager.getInstance().getCommonProperties();
         String secretId = properties.get(ConfigConstants.MANAGER_AUTH_SECRET_ID);
         String secretKey = properties.get(ConfigConstants.MANAGER_AUTH_SECRET_KEY);
-        if (StringUtils.isBlank(secretId) || StringUtils.isBlank(secretKey)) {
-            LOG.error("secretId or secretKey missing");
-            return null;
-        }
         return BasicAuth.genBasicAuthCredential(secretId, secretKey);
     }
 
diff --git a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/impl/InlongShiroImpl.java b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/impl/InlongShiroImpl.java
@@ -36,6 +36,7 @@
 import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
 import org.apache.shiro.web.session.mgt.WebSessionManager;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 
@@ -59,6 +60,9 @@ public class InlongShiroImpl implements InlongShiro {
     @Autowired
     private UserService userService;
 
+    @Value("${openapi.auth.enabled:false}")
+    private Boolean openAPIAuthEnabled;
+
     @Override
     public WebSecurityManager getWebSecurityManager() {
         return new DefaultWebSecurityManager();
@@ -93,7 +97,6 @@ public ShiroFilterFactoryBean getShiroFilter(SecurityManager securityManager) {
         // anon: can be accessed by anyone, authc: only authentication is successful can be accessed
         Map<String, Filter> filters = new LinkedHashMap<>();
         filters.put(FILTER_NAME_WEB, new AuthenticationFilter());
-        filters.put(FILTER_NAME_API, new OpenAPIFilter());
         shiroFilterFactoryBean.setFilters(filters);
         Map<String, String> pathDefinitions = new LinkedHashMap<>();
         // login, register request
@@ -107,7 +110,12 @@ public ShiroFilterFactoryBean getShiroFilter(SecurityManager securityManager) {
         pathDefinitions.put("/swagger-resources", "anon");
 
         // openapi
-        pathDefinitions.put("/openapi/**/*", FILTER_NAME_API);
+        if (openAPIAuthEnabled) {
+            filters.put(FILTER_NAME_API, new OpenAPIFilter());
+            pathDefinitions.put("/openapi/**/*", FILTER_NAME_API);
+        } else {
+            pathDefinitions.put("/openapi/**/*", "anon");
+        }
 
         // other web
         pathDefinitions.put("/**", FILTER_NAME_WEB);
diff --git a/inlong-manager/manager-web/src/main/resources/application.properties b/inlong-manager/manager-web/src/main/resources/application.properties
@@ -58,3 +58,6 @@ inlong.auth.type=default
 # Encryption config, the suffix of value must be the same as the version.
 inlong.encrypt.version=1
 inlong.encrypt.key.value1="I!N@L#O$N%G^"
+
+# clients (e.g. agent and dataproxy) must be authenticated by secretId and secretKey if turned on
+openapi.auth.enabled=false
diff --git a/inlong-manager/manager-web/src/test/resources/application.properties b/inlong-manager/manager-web/src/test/resources/application.properties
@@ -58,3 +58,6 @@ inlong.auth.type=default
 # Encryption config, the suffix of value must be the same as the version.
 inlong.encrypt.version=1
 inlong.encrypt.key.value1="I!N@L#O$N%G^"
+
+# clients (e.g. agent and dataproxy) must be authenticated by secretId and secretKey if turned on
+openapi.auth.enabled=false
