Commit
Motivation: The DssContextFactory is a heavyweight object to load, as it involves loading credentials and certificates from disk. Modification: Moves the creation of the factory into the FtpInterpreterFactory subclass, thus allowing the DssContextFactory to be reused by all FTP sessions. Result: Less per-session overhead. Target: trunk Require-notes: yes Require-book: no Acked-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de> Patch: https://rb.dcache.org/r/8638/
Showing
8 changed files
with
124 additions
and
107 deletions.
42 changes: 3 additions & 39 deletions
42
modules/dcache-ftp/src/main/java/org/dcache/ftp/door/GsiFtpDoorV1.java
@@ -1,57 +1,21 @@ | ||
package org.dcache.ftp.door; | ||
|
||
import org.dcache.dss.DssContextFactory; | ||
|
||
import javax.security.auth.Subject; | ||
|
||
import org.dcache.auth.Subjects; | ||
import org.dcache.util.Option; | ||
import org.dcache.util.Crypto; | ||
import org.dcache.dss.GsiEngineDssContextFactory; | ||
import org.dcache.dss.DssContextFactory; | ||
import org.dcache.util.NetLoggerBuilder; | ||
|
||
public class GsiFtpDoorV1 extends GssFtpDoorV1 | ||
{ | ||
@Option( | ||
name="service-key", | ||
required=true | ||
) | ||
protected String service_key; | ||
|
||
@Option( | ||
name="service-cert", | ||
required=true | ||
) | ||
protected String service_cert; | ||
|
||
@Option( | ||
name="service-trusted-certs", | ||
required=true | ||
) | ||
protected String service_trusted_certs; | ||
|
||
@Option( | ||
name="gridftp.security.ciphers", | ||
required=true | ||
) | ||
protected String cipherFlags; | ||
|
||
public GsiFtpDoorV1() | ||
public GsiFtpDoorV1(DssContextFactory dssContextFactory) | ||
{ | ||
super("GSI FTP", "gsiftp", "gsi"); | ||
super("GSI FTP", "gsiftp", "gsi", dssContextFactory); | ||
} | ||
|
||
@Override | ||
protected void logSubject(NetLoggerBuilder log, Subject subject) | ||
{ | ||
log.add("user.dn", Subjects.getDn(subject)); | ||
} | ||
|
||
@Override | ||
protected DssContextFactory createFactory() throws Exception | ||
{ | ||
return new GsiEngineDssContextFactory(service_key, service_cert, service_trusted_certs, | ||
Crypto.getBannedCipherSuitesFromConfigurationValue(cipherFlags)); | ||
} | ||
|
||
} |
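Review bot: The new constructor accepts any DssContextFactory, and nothing left in this class ties it to the GSI configuration the removed createFactory enforced (service key/cert, trusted CAs, and the banned cipher suites derived from gridftp.security.ciphers); that responsibility now lives entirely in the FtpInterpreterFactory subclass, which is not in this diff, so a misconfigured injection would silently yield a "gsi" door backed by a non-GSI or unrestricted factory. Add a Javadoc on the constructor stating the contract, e.g. `@param dssContextFactory shared GSI factory built from the host credential, trusted-CA directory and banned-cipher list; reused by every session of this door`, and consider passing `Objects.requireNonNull(dssContextFactory)` to super if GssFtpDoorV1 (constructor outside this diff) does not already reject null. Because the factory is now created once and shared, the host certificate and trust store are presumably loaded only at startup rather than per session as before, so rotated credentials or updated CA/CRL files will not be picked up unless GsiEngineDssContextFactory itself reloads them — worth confirming and noting in that factory's documentation. Minor style point: the new `import org.dcache.dss.DssContextFactory;` sits above the javax import instead of in the org.dcache group below it.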
46 changes: 3 additions & 43 deletions
46
modules/dcache-ftp/src/main/java/org/dcache/ftp/door/KerberosFtpDoorV1.java
@@ -1,61 +1,21 @@ | ||
package org.dcache.ftp.door; | ||
|
||
import org.dcache.dss.DssContextFactory; | ||
import org.dcache.dss.KerberosDssContextFactory; | ||
import org.ietf.jgss.GSSException; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
import javax.security.auth.Subject; | ||
|
||
import java.io.IOException; | ||
|
||
import org.dcache.auth.Subjects; | ||
import org.dcache.util.Option; | ||
import org.dcache.dss.DssContextFactory; | ||
import org.dcache.util.NetLoggerBuilder; | ||
|
||
public class KerberosFtpDoorV1 extends GssFtpDoorV1 | ||
{ | ||
private static final Logger LOGGER = LoggerFactory.getLogger(KerberosFtpDoorV1.class); | ||
|
||
@Option(name = "svc-principal", | ||
required = true) | ||
private String servicePrincipal; | ||
|
||
@Option(name = "kdc-list") | ||
private String kdcList; | ||
|
||
public KerberosFtpDoorV1() | ||
public KerberosFtpDoorV1(DssContextFactory dssContextFactory) | ||
{ | ||
super("Kerberos FTP", "krbftp", "k5"); | ||
super("Kerberos FTP", "krbftp", "k5", dssContextFactory); | ||
} | ||
|
||
@Override | ||
protected void logSubject(NetLoggerBuilder log, Subject subject) | ||
{ | ||
log.add("user.kerberos", Subjects.getKerberosName(subject)); | ||
} | ||
|
||
@Override | ||
protected DssContextFactory createFactory() throws IOException, GSSException | ||
{ | ||
int nretry = 10; | ||
String[] kdcList = (this.kdcList != null) ? this.kdcList.split(",") : new String[0]; | ||
GSSException error; | ||
do { | ||
if (kdcList.length > 0) { | ||
String kdc = kdcList[nretry % kdcList.length]; | ||
System.getProperties().put("java.security.krb5.kdc", kdc); | ||
} | ||
try { | ||
return new KerberosDssContextFactory(servicePrincipal); | ||
} catch (GSSException e) { | ||
LOGGER.debug("KerberosFTPDoorV1::getServiceContext: got exception " + | ||
" while looking up credential: {}", e.getMessage()); | ||
error = e; | ||
} | ||
--nretry; | ||
} while (nretry > 0); | ||
throw error; | ||
} | ||
} |
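Review bot: The constructor now takes a shared DssContextFactory, so the service-credential acquisition and KDC failover that the removed createFactory performed per session (the retry loop that set java.security.krb5.kdc and built a KerberosDssContextFactory) now presumably happen once, where the factory is created in FtpInterpreterFactory outside this diff; if the Kerberos credential cached in that factory expires, or the KDC chosen at startup becomes unreachable, every subsequent session of this door will fail until the factory is rebuilt, a failure mode the old per-session construction tolerated. Document that contract on the constructor, e.g. `@param dssContextFactory shared Kerberos (k5) factory for the door's service principal; credential lifetime and KDC selection are the factory's responsibility, not the door's`, and confirm that KerberosDssContextFactory refreshes its credential rather than holding a single GSSCredential for the life of the process. Also worth checking that setting `java.security.krb5.kdc` as a process-global system property still happens before any other Kerberos consumer in the JVM initializes, since it is now a one-time startup action rather than something re-applied on each session.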