dcache-xrootd: fix delegation client lifecycle management
Motivation: In GplazmaAwareChannelHandlerFactoryFactoryBean, a single delegation client is created and injected into LoginAuthenticationHandlerFactory, which in turn passes it into XrootdAuthenticationHandler. The XrootdAuthenticationHandler calls ProxyDelegationClient#close when the handler is removed. The problem with this is that the same ProxyDelegationClient instance is used for all xrootd clients connecting to the door. If no clients have connected, its close() method is never called (preventing clean shutdown of the dCache domain). Conversely, all clients see a closed client after the first connection disconnects. Modification: Abstract out and maintain as a separate bean the shared components of the client, and construct a new client per connection, passing in the shared components. This effectively means injecting the client factory, rather than the client, in the LoginAuthenticationHandlerFactory. The new component (GSIProxyDelegationProvider) is injected into the GplazmaAware bean, and then passed into GSI client factory from there. Result: dCache shuts down cleanly, and the client does not use a closed vomsValidator after the first connection. Target: master Requires-book: no Requires-notes: no Acked-by: Paul
Showing
6 changed files
with
237 additions
and
74 deletions.
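--- a/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/security/ProxyDelegationStore.java
+++ b/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/security/ProxyDelegationStore.java
@@ -0,0 +1,93 @@
+/* dCache - http://www.dcache.org/
+ *
+ * Copyright (C) 2014 - 2017 Deutsches Elektronen-Synchrotron
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.dcache.xrootd.security;
+
+import eu.emi.security.authn.x509.X509CertChainValidatorExt;
+import org.italiangrid.voms.VOMSValidators;
+import org.italiangrid.voms.ac.VOMSACValidator;
+import org.italiangrid.voms.store.VOMSTrustStore;
+import org.italiangrid.voms.store.VOMSTrustStores;
+import org.italiangrid.voms.util.CertificateValidatorBuilder;
+import org.springframework.beans.factory.annotation.Required;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.dcache.gsi.KeyPairCache;
+import org.dcache.gsi.X509Delegation;
+
+import static java.util.Arrays.asList;
+
+public class ProxyDelegationStore
+{
+    /*
+     * Visible to the client this is used to initialize.
+     */
+    final Map<String, X509Delegation> delegations = new ConcurrentHashMap<>();
+
+    VOMSACValidator vomsValidator;
+    KeyPairCache keyPairCache;
+
+    private String vomsDir;
+    private String caCertificatePath;
+    private long trustAnchorRefreshInterval;
+
+    public void initialize()
+    {
+        VOMSTrustStore vomsTrustStore
+                        = VOMSTrustStores.newTrustStore(asList(vomsDir));
+        X509CertChainValidatorExt certChainValidator
+                        = new CertificateValidatorBuilder()
+                        .lazyAnchorsLoading(false)
+                        .trustAnchorsUpdateInterval(trustAnchorRefreshInterval)
+                        .trustAnchorsDir(caCertificatePath)
+                        .build();
+        vomsValidator = VOMSValidators.newValidator(vomsTrustStore,
+                                                    certChainValidator);
+    }
+
+    @Required
+    public void setVomsDir(String vomsDir)
+    {
+        this.vomsDir = vomsDir;
+    }
+
+    @Required
+    public void setCaCertificatePath(String caCertificatePath)
+    {
+        this.caCertificatePath = caCertificatePath;
+    }
+
+    public void setKeyPairCache(KeyPairCache keyPairCache)
+    {
+        this.keyPairCache = keyPairCache;
+    }
+
+    @Required
+    public void setTrustAnchorRefreshInterval(long trustAnchorRefreshInterval)
+    {
+        this.trustAnchorRefreshInterval = trustAnchorRefreshInterval;
+    }
+
+    public void shutdown()
+    {
+        if (vomsValidator != null) {
+            vomsValidator.shutdown();
+        }
+    }
+}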
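Review bot: `delegations` is a shared, mutable map of delegated X509 credentials that lives as long as this bean, yet nothing in the class removes entries or documents who does, so a reader cannot tell whether the per-connection clients described in the commit message are expected to clean up after themselves or whether entries accumulate for the life of the domain. A class-level Javadoc stating the ownership contract — that the store outlives any single connection, that `initialize()`/`shutdown()` are the container lifecycle hooks, and which component is responsible for removing delegations — would make the lifecycle this commit fixes explicit, and the existing field comment could be extended to `/* Shared across all connections; the per-connection client adds and removes entries (confirm). */`. Relatedly, `vomsValidator` and `keyPairCache` are package-private, non-final and non-volatile fields written in `initialize()` and presumably read from connection handler threads; if the container's init ordering is what guarantees their visibility, a comment saying so would save the next reader the question. Finally, `setKeyPairCache` lacks the `@Required` that the other setters carry — if the cache is genuinely optional, a one-line comment to that effect would make the omission look intentional.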