New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SOLR-16491: Create v2 equivalent for /admin/info/key #1123
Merged
gerlowskija
merged 8 commits into
apache:main
from
gerlowskija:SOLR-16491-v2-equivalent-for-key-api
Oct 31, 2022
Merged
SOLR-16491: Create v2 equivalent for /admin/info/key #1123
gerlowskija
merged 8 commits into
apache:main
from
gerlowskija:SOLR-16491-v2-equivalent-for-key-api
Oct 31, 2022
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Note that the PublicKeyAPI constructor needs an injected class that's new to our framework: CloudConfig. The changes to CoreContainer add a factory that makes CloudConfig injectable (though the same instance is used on all calls).
The response of the existing /admin/info/key endpoint looks like: { "responseHeader":{ "status":0, "QTime":0}, "key":"<some-key-string>"} The only field here that's new over the SolrJerseyResponse base is 'key'.
This commit combines together steps 5 and 7 of creating new JAX-RS APIs. This is done primarily so we can get to a point where the API is available for manual testing. After this commit, a hit on `GET /api/node/key` will return something like: ``` {"responseHeader":{"status":0,"QTime":12},"key":"hello-world"} ``` Some notes on this commit: - The @PermissionName annotation takes its value from PublicKeyHandler.getPermissionName. - PublicKeyAPI is the first v2 API to be associated with PublicKeyHandler, so a few additional methods need to be added to PKH in order for v2 registrations there to take effect: `registerV2` tells Solr that this RequestHandler has v2 APIs associated, and `getApis` is returns an empty list to indicate that PKH has no associated v2 APIs using the 'traditional' framework.
There's not a ton of logic in PublicKeyHandler that needs refactored out; the primary bit was a method `createKeyPair` which generates a RSA key based on some passed in config values. And the only complicating issue here is lifecycle: we want to make sure that the key we use in PublicKeyAPI matches the key used by PublicKeyHandler code, and shares its lifecycle. The best way to refactor this code (IMO) was to create a new class that is primarily responsible for key-generation. We can then instantiate this in CoreContainer and make it available to PKAPI via injection. (This is a small departure from our guess in step 1 that we would want to make the CloudConfig type injectable, but not a big issue.) This change bled into a third class, PKIAuthenticationPlugin, which historically has kept a reference to PublicKeyHandler in order to access the key pair. Should we refactor this class to use our new key-generation utility, or should we let it keep its reference to PKH for now? I chose the latter: both out of concerns of scope-creep, and because PKIAuthPlugin is a public interface that seems more likely than most to be extended by plugin developers, and there's a slight risk that (e.g.) changing the ctor signature for that class would cause issues for that group of users. Not incredibly likely, and we don't technically promise backcompat for public classes in solr-core, but it seemed prudent at the time.
A tiny unit test for the new v2 binding. We're relying pretty heavily here on the existing PKIAuth and PublicKeyHandler tests catching any regressions here, but that's fine given the extremely limited functionality offered at this endpoint.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://issues.apache.org/jira/browse/SOLR-16491
Description
The /admin/info/key API used to retrieve a node's public key has no v2 equivalent.
Solution
This PR adds a v2 equivalent using the JAX-RS framework, the new endpoint is
GET /api/node/key
. In implementing this, some shared logic around key-creation was refactored into a separate class,SolrNodeKeyPair
, which is created by CoreContainer and made injectable to the JAX-RS framework to that a single instance (i.e. same key) can be used by both the existing v1 RH, and the new v2 binding.Tests
A new simple unit test in
PublicKeyAPITest
; existing tests for pki-auth and the PublicKeyHandler continue to pass.Checklist
Please review the following and check all that apply:
main
branch../gradlew check
.