ft: ZENKO-404 service account support for lifecycle

conf/config.joi.js

@@ -16,21 +16,6 @@ const joiSchema = {
     },
     transport: transportJoi,
     s3: hostPortJoi.required(),
-    auth: joi.object({
-        type: joi.alternatives().try('account', 'vault').required(),
-        account: joi.string()
-            .when('type', { is: 'account', then: joi.required() }),
-        vault: joi.object({
-            host: joi.string().required(),
-            port: joi.number().greater(0).required(),
-            adminPort: joi.number().greater(0)
-                .when('adminCredentialsFile', {
-                    is: joi.exist(),
-                    then: joi.required(),
-                }),
-            adminCredentialsFile: joi.string().optional(),
-        }).when('type', { is: 'vault', then: joi.required() }),
-    }).required(),
     queuePopulator: {
         cronRule: joi.string().required(),
         batchMaxRead: joi.number().default(10000),

conf/config.json

@@ -10,15 +10,6 @@
         "host": "127.0.0.1",
         "port": 8000
     },
-    "auth": {
-        "type": "account",
-        "account": "bart",
-        "vault": {
-            "host": "127.0.0.1",
-            "port": 8500,
-            "adminPort": 8600
-        }
-    },
     "queuePopulator": {
         "cronRule": "*/5 * * * * *",
         "batchMaxRead": 10000,
@@ -93,6 +84,15 @@
             }
         },
         "lifecycle": {
+            "auth": {
+                "type": "service",
+                "account": "service-lifecycle",
+                "vault": {
+                    "host": "127.0.0.1",
+                    "port": 8500,
+                    "adminPort": 8600
+                }
+            },
             "zookeeperPath": "/lifecycle",
             "bucketTasksTopic": "backbeat-lifecycle-bucket-tasks",
             "objectTasksTopic": "backbeat-lifecycle-object-tasks",

docker-entrypoint.sh

@@ -6,6 +6,15 @@ set -e
 # modifying config.json
 JQ_FILTERS_CONFIG="."
 
+if [[ "$LOG_LEVEL" ]]; then
+    if [[ "$LOG_LEVEL" == "info" || "$LOG_LEVEL" == "debug" || "$LOG_LEVEL" == "trace" ]]; then
+        JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .log.logLevel=\"$LOG_LEVEL\""
+        echo "Log level has been modified to $LOG_LEVEL"
+    else
+        echo "The log level you provided is incorrect (info/debug/trace)"
+    fi
+fi
+
 if [[ "$ZOOKEEPER_AUTO_CREATE_NAMESPACE" ]]; then
     JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .zookeeper.autoCreateNamespace=true"
 fi
@@ -47,6 +56,14 @@ if [[ "$MONGODB_DATABASE" ]]; then
    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .queuePopulator.mongo.database=\"$MONGODB_DATABASE\""
 fi
 
+if [[ "$S3_HOST" ]]; then
+    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .s3.host=\"$S3_HOST\""
+fi
+
+if [[ "$S3_PORT" ]]; then
+    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .s3.port=\"$S3_PORT\""
+fi
+
 if [[ "$EXTENSIONS_REPLICATION_SOURCE_S3_HOST" ]]; then
     JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .extensions.replication.source.s3.host=\"$EXTENSIONS_REPLICATION_SOURCE_S3_HOST\""
 fi
@@ -123,12 +140,12 @@ if [[ "$EXTENSIONS_LIFECYCLE_RULES_ABORT_INCOMPLETE_MPU_ENABLED" ]]; then
     JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .extensions.lifecycle.rules.abortIncompleteMultipartUpload.enabled=\"$EXTENSIONS_LIFECYCLE_RULES_ABORT_INCOMPLETE_MPU_ENABLED\""
 fi
 
-if [[ "$AUTH_TYPE" ]]; then
-    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .auth.type=\"$AUTH_TYPE\""
+if [[ "$EXTENSIONS_LIFECYCLE_AUTH_TYPE" ]]; then
+    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .extensions.lifecycle.auth.type=\"$EXTENSIONS_LIFECYCLE_AUTH_TYPE\""
 fi
 
-if [[ "$AUTH_ACCOUNT" ]]; then
-    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .auth.account=\"$AUTH_ACCOUNT\""
+if [[ "$EXTENSIONS_LIFECYCLE_AUTH_ACCOUNT" ]]; then
+    JQ_FILTERS_CONFIG="$JQ_FILTERS_CONFIG | .extensions.lifecycle.auth.account=\"$EXTENSIONS_LIFECYCLE_AUTH_ACCOUNT\""
 fi
 
 if [[ $JQ_FILTERS_CONFIG != "." ]]; then

extensions/lifecycle/LifecycleConfigValidator.js

@@ -4,6 +4,23 @@ const joiSchema = {
     zookeeperPath: joi.string().required(),
     bucketTasksTopic: joi.string().required(),
     objectTasksTopic: joi.string().required(),
+    auth: joi.object({
+        type: joi.alternatives().try('account', 'service', 'vault')
+            .required(),
+        account: joi.string()
+            .when('type', { is: 'account', then: joi.required() })
+            .when('type', { is: 'service', then: joi.required() }),
+        vault: joi.object({
+            host: joi.string().required(),
+            port: joi.number().greater(0).required(),
+            adminPort: joi.number().greater(0)
+                .when('adminCredentialsFile', {
+                    is: joi.exist(),
+                    then: joi.required(),
+                }),
+            adminCredentialsFile: joi.string().optional(),
+        }).when('type', { is: 'vault', then: joi.required() }),
+    }).required(),
     backlogMetrics: {
         zkPath: joi.string().default('/lifecycle/run/backlog-metrics'),
         intervalS: joi.number().default(60),

extensions/lifecycle/lifecycleConsumer/LifecycleConsumer.js

@@ -22,6 +22,7 @@ class LifecycleConsumer extends EventEmitter {
      * @param {string} kafkaConfig.hosts - list of kafka brokers
      *   as "host:port[,host:port...]"
      * @param {Object} lcConfig - lifecycle configuration object
+     * @param {String} lcConfig.auth - authentication info
      * @param {String} lcConfig.objectTasksTopic - lifecycle object topic name
      * @param {Object} lcConfig.consumer - kafka consumer object
      * @param {String} lcConfig.consumer.groupId - kafka consumer group id
@@ -35,18 +36,17 @@ class LifecycleConsumer extends EventEmitter {
      * @param {Object} s3Config - S3 configuration
      * @param {Object} s3Config.host - s3 endpoint host
      * @param {Number} s3Config.port - s3 endpoint port
-     * @param {Object} authConfig - authentication info on source
      * @param {String} [transport="http"] - transport method ("http"
      *  or "https")
      */
-    constructor(zkConfig, kafkaConfig, lcConfig, s3Config, authConfig,
+    constructor(zkConfig, kafkaConfig, lcConfig, s3Config,
                 transport = 'http') {
         super();
         this.zkConfig = zkConfig;
         this.kafkaConfig = kafkaConfig;
         this.lcConfig = lcConfig;
+        this.authConfig = lcConfig.auth;
         this.s3Config = s3Config;
-        this.authConfig = authConfig;
         this._transport = transport;
         this._consumer = null;
 

extensions/lifecycle/lifecycleConsumer/task.js

@@ -1,25 +1,42 @@
 'use strict'; // eslint-disable-line
 const werelogs = require('werelogs');
 
+const { initManagement } = require('../../../lib/management');
 const LifecycleConsumer = require('./LifecycleConsumer');
 
 const config = require('../../../conf/Config');
 const zkConfig = config.zookeeper;
 const kafkaConfig = config.kafka;
 const lcConfig = config.extensions.lifecycle;
 const s3Config = config.s3;
-const authConfig = config.auth;
 const transport = config.transport;
 
 const log = new werelogs.Logger('Backbeat:Lifecycle:Consumer');
 
 const lifecycleConsumer = new LifecycleConsumer(
-    zkConfig, kafkaConfig, lcConfig, s3Config, authConfig, transport);
+    zkConfig, kafkaConfig, lcConfig, s3Config, transport);
 
 werelogs.configure({ level: config.log.logLevel,
     dump: config.log.dumpLevel });
 
-lifecycleConsumer.start();
+function initAndStart() {
+    initManagement({
+        serviceName: 'lifecycle',
+        serviceAccount: lcConfig.auth.account,
+    }, error => {
+        if (error) {
+            log.error('could not load management db',
+                      { error: error.message });
+            setTimeout(initAndStart, 5000);
+            return;
+        }
+        log.info('management init done');
+
+        lifecycleConsumer.start();
+    });
+}
+
+initAndStart();
 
 process.on('SIGTERM', () => {
     log.info('received SIGTERM, exiting');

extensions/lifecycle/lifecycleProducer/LifecycleProducer.js

@@ -10,6 +10,8 @@ const { errors } = require('arsenal');
 const BackbeatProducer = require('../../../lib/BackbeatProducer');
 const BackbeatConsumer = require('../../../lib/BackbeatConsumer');
 const LifecycleTask = require('../tasks/LifecycleTask');
+const { getAccountCredentials } =
+      require('../../../lib/credentials/AccountCredentials');
 const VaultClientCache = require('../../../lib/clients/VaultClientCache');
 const safeJsonParse = require('../util/safeJsonParse');
 
@@ -33,27 +35,20 @@ class LifecycleProducer {
      * @param {string} kafkaConfig.hosts - list of kafka brokers
      *   as "host:port[,host:port...]"
      * @param {Object} lcConfig - lifecycle config
+     * @param {Object} lcConfig.auth - authentication info
      * @param {Object} [lcConfig.backlogMetrics] - param object to
      * publish backlog metrics to zookeeper (see {@link
      * BackbeatConsumer} constructor)
      * @param {Object} s3Config - s3 config
      * @param {String} s3Config.host - host ip
      * @param {String} s3Config.port - port
-     * @param {Object} authConfig - auth config
-     * @param {String} [authConfig.account] - account name
-     * @param {Object} [authConfig.vault] - vault details
-     * @param {String} authConfig.vault.host - vault host ip
-     * @param {number} authConfig.vault.port - vault port
-     * @param {number} authConfig.vault.adminPort - vault admin port
      * @param {String} transport - http or https
      */
-    constructor(zkConfig, kafkaConfig, lcConfig, s3Config, authConfig,
-                transport) {
+    constructor(zkConfig, kafkaConfig, lcConfig, s3Config, transport) {
         this._log = new Logger('Backbeat:LifecycleProducer');
         this._zkConfig = zkConfig;
         this._kafkaConfig = kafkaConfig;
         this._lcConfig = lcConfig;
-        this._authConfig = authConfig;
         this._s3Endpoint = `${transport}://${s3Config.host}:${s3Config.port}`;
         this._transport = transport;
         this._bucketProducer = null;
@@ -284,12 +279,25 @@ class LifecycleProducer {
         });
     }
 
+    /**
+     * Set up the credentials (service account credentials or provided
+     * by vault depending on config)
+     * @return {undefined}
+     */
+    _setupCredentials() {
+        const { type } = this._lcConfig.auth;
+        if (type === 'vault') {
+            return this._setupVaultClientCache();
+        }
+        return undefined;
+    }
+
     /**
      * Set up the vault client cache for making requests to vault.
      * @return {undefined}
      */
     _setupVaultClientCache() {
-        const { vault } = this._authConfig;
+        const { vault } = this._lcConfig.auth;
         const { host, port, adminPort, adminCredentialsFile } = vault;
         const adminCredsJSON = fs.readFileSync(adminCredentialsFile);
         const adminCredsObj = JSON.parse(adminCredsJSON);
@@ -321,6 +329,21 @@ class LifecycleProducer {
         if (cachedAccountCreds) {
             return process.nextTick(() => cb(null, cachedAccountCreds));
         }
+        const credentials = getAccountCredentials(this._lcConfig.auth,
+                                                  this._log);
+        if (credentials) {
+            this.accountCredsCache[canonicalId] = credentials;
+            return process.nextTick(() => cb(null, credentials));
+        }
+        const { type } = this._lcConfig.auth;
+        if (type === 'vault') {
+            return this._generateVaultAdminCredentials(canonicalId, cb);
+        }
+        return cb(errors.InternalError.customizeDescription(
+            `invalid auth type ${type}`));
+    }
+
+    _generateVaultAdminCredentials(canonicalId, cb) {
         const vaultClient = this._vaultClientCache.getClient('lifecycle:s3');
         const vaultAdmin = this._vaultClientCache.getClient('lifecycle:admin');
         return async.waterfall([
@@ -366,7 +389,7 @@ class LifecycleProducer {
      * @return {undefined}
      */
     start() {
-        this._setupVaultClientCache();
+        this._setupCredentials();
         return async.parallel([
             // Set up producer to populate the lifecycle bucket task topic.
             next => this._setupProducer(this._lcConfig.bucketTasksTopic,

extensions/lifecycle/lifecycleProducer/task.js

@@ -1,8 +1,9 @@
 'use strict'; // eslint-disable-line
 const werelogs = require('werelogs');
+const { initManagement } = require('../../../lib/management');
 const LifecycleProducer = require('./LifecycleProducer');
-const { zookeeper, kafka, extensions, s3, auth, transport, log } =
-    require('../../../conf/Config');
+const { zookeeper, kafka, extensions, s3, transport, log } =
+      require('../../../conf/Config');
 
 werelogs.configure({ level: log.logLevel,
                      dump: log.dumpLevel });
@@ -11,9 +12,26 @@ const logger = new werelogs.Logger('Backbeat:Lifecycle:Producer');
 
 const lifecycleProducer =
     new LifecycleProducer(zookeeper, kafka, extensions.lifecycle,
-                          s3, auth, transport);
+                          s3, transport);
 
-lifecycleProducer.start();
+function initAndStart() {
+    initManagement({
+        serviceName: 'lifecycle',
+        serviceAccount: extensions.lifecycle.auth.account,
+    }, error => {
+        if (error) {
+            logger.error('could not load management db',
+                         { error: error.message });
+            setTimeout(initAndStart, 5000);
+            return;
+        }
+        logger.info('management init done');
+
+        lifecycleProducer.start();
+    });
+}
+
+initAndStart();
 
 process.on('SIGTERM', () => {
     logger.info('received SIGTERM, exiting');

extensions/lifecycle/tasks/LifecycleObjectTask.js

@@ -1,7 +1,10 @@
+const async = require('async');
 const AWS = require('aws-sdk');
 
+const errors = require('arsenal').errors;
 const BackbeatTask = require('../../../lib/tasks/BackbeatTask');
-const async = require('async');
+const { getAccountCredentials } =
+      require('../../../lib/credentials/AccountCredentials');
 const getVaultCredentials =
     require('../../../lib/credentials/getVaultCredentials');
 const { attachReqUids } = require('../../../lib/clients/utils');
@@ -23,17 +26,29 @@ class LifecycleObjectTask extends BackbeatTask {
         this.accountCredsCache = {};
     }
 
-    _getCredentials(canonicalId, cb) {
+    _getCredentials(canonicalId, log, cb) {
         const cachedCreds = this.accountCredsCache[canonicalId];
         if (cachedCreds) {
             return process.nextTick(() => cb(null, cachedCreds));
         }
-        return getVaultCredentials(this.authConfig, canonicalId, 'lifecycle',
-        (err, accountCreds) => cb(err, accountCreds));
+        const credentials = getAccountCredentials(this.lcConfig.auth, log);
+        if (credentials) {
+            this.accountCredsCache[canonicalId] = credentials;
+            return process.nextTick(() => cb(null, credentials));
+        }
+        const { type } = this.lcConfig.auth;
+        if (type === 'vault') {
+            return getVaultCredentials(
+                this.authConfig, canonicalId, 'lifecycle',
+                (err, accountCreds) => cb(err, accountCreds));
+        }
+        return process.nextTick(
+            () => cb(errors.InternalError.customizeDescription(
+                `invalid auth type ${type}`)));
     }
 
     _setupClients(canonicalId, log, done) {
-        this._getCredentials(canonicalId, (err, accountCreds) => {
+        this._getCredentials(canonicalId, log, (err, accountCreds) => {
             if (err) {
                 log.error('error generating new access key', {
                     error: err.message,

extensions/replication/ReplicationConfigValidator.js

@@ -16,7 +16,8 @@ const joiSchema = {
             type: joi.alternatives().try('account', 'role', 'service').
                 required(),
             account: joi.string()
-                .when('type', { is: 'account', then: joi.required() }),
+                .when('type', { is: 'account', then: joi.required() })
+                .when('type', { is: 'service', then: joi.required() }),
             vault: joi.object({
                 host: joi.string().required(),
                 port: joi.number().greater(0).required(),