affo commented on code in PR #2506: URL: https://github.com/apache/fluss/pull/2506#discussion_r2905869926
########## helm/templates/_security.tpl: ########## @@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. Review Comment: I don't think this explanation is relevant ########## helm/templates/_security.tpl: ########## 
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. 
+*/}} +{{- define "fluss.security.listener.mechanism" -}} +{{- $listener := index .Values.security .listener | default (dict) -}} +{{- $sasl := $listener.sasl | default (dict) -}} +{{- $mechanism := lower (default "" $sasl.mechanism) -}} +{{- if not (has $mechanism (list "none" "plain")) -}} Review Comment: I would also accept an empty mechanism as `none` ########## helm/templates/_security.tpl: ########## 
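Review bot: The `has $mechanism (list "none" "plain")` check accepts `plain` without anything in this helper, or elsewhere in the hunks of this chart that I can see, tying it to TLS, so a listener configured with `plain` sends usernames and passwords in cleartext on the wire. The docstring should state that, e.g. under "Allowed mechanism values" add: `'plain' transmits credentials unencrypted; use it only on a listener that is otherwise protected (TLS termination, network policy) — this chart does not configure TLS for the listener.` If the chart does expose a TLS option somewhere outside these hunks, reference it there instead. The helper's closing lines are outside this hunk.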
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. 
+*/}} +{{- define "fluss.security.listener.mechanism" -}} +{{- $listener := index .Values.security .listener | default (dict) -}} +{{- $sasl := $listener.sasl | default (dict) -}} +{{- $mechanism := lower (default "" $sasl.mechanism) -}} +{{- if not (has $mechanism (list "none" "plain")) -}} +{{- fail (printf "security.%s.sasl.mechanism must be one of: none, plain" .listener) -}} +{{- end -}} +{{- $mechanism -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses SASL based authentication mechanism ('plain' for now). +Usage: + include "fluss.security.sasl.enabled" . +*/}} +{{- define "fluss.security.sasl.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (ne $internal "none") (ne $client "none") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses 'plain' authentication mechanism. +Usage: + include "fluss.security.sasl.plain.enabled" . +*/}} +{{- define "fluss.security.sasl.plain.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (eq $internal "plain") (eq $client "plain") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns protocol value derived from listener mechanism. +Usage: + include "fluss.security.listener.protocol" (dict "Values" .Values "listener" "internal") +*/}} +{{- define "fluss.security.listener.protocol" -}} +{{- $mechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" .listener) -}} +{{- if eq $mechanism "none" -}}PLAINTEXT{{- else -}}SASL{{- end -}} +{{- end -}} + +{{/* +Returns comma separated list of enabled mechanisms. +Usage: + include "fluss.security.sasl.enabledMechanisms" . 
+ +Example usage: + echo "security.sasl.enabled.mechanisms: {{ include "fluss.security.sasl.enabledMechanisms" . | trim }}" +*/}} +{{- define "fluss.security.sasl.enabledMechanisms" -}} +{{- $mechanisms := list -}} +{{- range $listener := list "internal" "client" -}} + {{- $current := include "fluss.security.listener.mechanism" (dict "Values" $.Values "listener" $listener) -}} + {{- if and (ne $current "none") (not (has (upper $current) $mechanisms)) -}} + {{- $mechanisms = append $mechanisms (upper $current) -}} + {{- end -}} +{{- end -}} +{{- join "," $mechanisms -}} +{{- end -}} + +{{/* +Validates that the client PLAIN mechanism block contains the required users. + +Usage: + include "fluss.security.sasl.validateClientPlainUsers" . +*/}} +{{- define "fluss.security.sasl.validateClientPlainUsers" -}} Review Comment: I would suggest to also check here if the internal username/password did change from the default one. If not, you can template it under `NOTES.txt` (see https://helm.sh/docs/chart_template_guide/notes_files/) to raise a warning to the user. In general, I suggest a pattern similar to Bitnami's: They perform all validation in a single place in _helpers: https://github.com/bitnami/charts/blob/main/bitnami/zookeeper/templates/_helpers.tpl#L294 They fail and output in NOTES.txt: https://github.com/bitnami/charts/blob/main/bitnami/zookeeper/templates/NOTES.txt#L79 In this way you are sure that validation always runs and that the output is entirely visible to the user. ########## helm/templates/secret-jaas-config.yaml: ########## 
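Review bot: The `fail` in `fluss.security.listener.mechanism` names the offending key but not the rejected value, so a typo such as `PLAINTEXT` or a trailing space is hard to diagnose from the rendered error. Echo the raw (pre-`lower`) value back: `{{- fail (printf "security.%s.sasl.mechanism %q must be one of: none, plain" .listener $sasl.mechanism) -}}`. The `validateClientPlainUsers` body begins on the hunk's last line and continues outside it.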
@@ -0,0 +1,50 @@ +{{- if (include "fluss.security.sasl.plain.enabled" .) -}} +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +{{ include "fluss.security.sasl.validateClientPlainUsers" . }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "fluss.fullname" . }}-sasl-jaas-config + labels: + {{- include "fluss.labels" . | nindent 4 }} +type: Opaque +stringData: + jaas.conf: | +{{- if eq (include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal")) "plain" }} Review Comment: Here I would like to have variable definitions at the top, e.g.: ``` {{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") | trim -}} ``` ########## helm/templates/_security.tpl: ########## 
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. 
+*/}} +{{- define "fluss.security.listener.mechanism" -}} +{{- $listener := index .Values.security .listener | default (dict) -}} +{{- $sasl := $listener.sasl | default (dict) -}} +{{- $mechanism := lower (default "" $sasl.mechanism) -}} +{{- if not (has $mechanism (list "none" "plain")) -}} +{{- fail (printf "security.%s.sasl.mechanism must be one of: none, plain" .listener) -}} +{{- end -}} +{{- $mechanism -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses SASL based authentication mechanism ('plain' for now). +Usage: + include "fluss.security.sasl.enabled" . +*/}} +{{- define "fluss.security.sasl.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (ne $internal "none") (ne $client "none") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses 'plain' authentication mechanism. +Usage: + include "fluss.security.sasl.plain.enabled" . +*/}} +{{- define "fluss.security.sasl.plain.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (eq $internal "plain") (eq $client "plain") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns protocol value derived from listener mechanism. +Usage: + include "fluss.security.listener.protocol" (dict "Values" .Values "listener" "internal") +*/}} +{{- define "fluss.security.listener.protocol" -}} +{{- $mechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" .listener) -}} +{{- if eq $mechanism "none" -}}PLAINTEXT{{- else -}}SASL{{- end -}} +{{- end -}} + +{{/* +Returns comma separated list of enabled mechanisms. +Usage: + include "fluss.security.sasl.enabledMechanisms" . 
+ +Example usage: + echo "security.sasl.enabled.mechanisms: {{ include "fluss.security.sasl.enabledMechanisms" . | trim }}" +*/}} +{{- define "fluss.security.sasl.enabledMechanisms" -}} +{{- $mechanisms := list -}} +{{- range $listener := list "internal" "client" -}} + {{- $current := include "fluss.security.listener.mechanism" (dict "Values" $.Values "listener" $listener) -}} + {{- if and (ne $current "none") (not (has (upper $current) $mechanisms)) -}} + {{- $mechanisms = append $mechanisms (upper $current) -}} + {{- end -}} +{{- end -}} +{{- join "," $mechanisms -}} +{{- end -}} + +{{/* +Validates that the client PLAIN mechanism block contains the required users. + +Usage: + include "fluss.security.sasl.validateClientPlainUsers" . +*/}} +{{- define "fluss.security.sasl.validateClientPlainUsers" -}} +{{- $clientMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} + +{{- if eq $clientMechanism "plain" -}} + {{- $users := .Values.security.client.sasl.plain.users | default (list) -}} + {{- if eq (len $users) 0 -}} + {{- fail "security.client.sasl.plain.users must contain at least one user when security.client.sasl.mechanism is plain" -}} + {{- end -}} + {{- range $idx, $user := $users -}} + {{- if or (empty $user.username) (empty $user.password) -}} + {{- fail (printf "security.client.sasl.plain.users[%d] must set both username and password" $idx) -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders security configuration lines that are appended to the server.yaml file. +Usage: + include "fluss.security.renderSecurityOptions" . +*/}} +{{- define "fluss.security.renderSecurityOptions" -}} +{{- $internalProtocol := include "fluss.security.listener.protocol" (dict "Values" .Values "listener" "internal") | trim -}} +{{- $enabledMechanisms := include "fluss.security.sasl.enabledMechanisms" . 
| trim }} +{{- $internalClientMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") | upper }} + +{{- if (include "fluss.security.sasl.enabled" .) }} Review Comment: What if we do something similar to metrics here and render to dict to yaml directly in the configmap? It would seem to me way more readable 🤝 ########## helm/templates/sts-coordinator.yaml: ########## @@ -109,6 +119,11 @@ spec: - name: data emptyDir: {} {{- end }} + {{- if (include "fluss.security.sasl.plain.enabled" .) }} + - name: sasl-config + secret: + secretName: {{ include "fluss.fullname" . }}-sasl-jaas-config Review Comment: I suggest to template this and re-use across files. ########## helm/templates/_security.tpl: ########## 
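Review bot: `fluss.security.sasl.validateClientPlainUsers` checks only `security.client.sasl.plain.users`, while `security.internal.sasl.plain.username`/`password` are interpolated straight into the JAAS file by the Secret template with no check that they are set, so an internal listener on `plain` with missing credentials either renders an empty user entry or fails late with an unhelpful template error (which of the two depends on which key is missing). Since this helper is already the single validation entry point, extend it to cover the internal credentials as below; the function name would then be a misnomer, so either rename it or note in its docstring that it validates both listeners.

```helm
{{- define "fluss.security.sasl.validateClientPlainUsers" -}}
{{/* … unchanged: client mechanism lookup and client users checks … */}}
{{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}}
{{- if eq $internalMechanism "plain" -}}
  {{- $internal := .Values.security.internal.sasl.plain | default (dict) -}}
  {{- if or (empty $internal.username) (empty $internal.password) -}}
    {{- fail "security.internal.sasl.plain.username and security.internal.sasl.plain.password must both be set when security.internal.sasl.mechanism is plain" -}}
  {{- end -}}
{{- end -}}
{{- end -}}
```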
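Review bot: The `sasl-config` Secret volume is mounted with the Kubernetes default file mode (0644), so `jaas.conf`, which holds cleartext passwords, is readable by every UID in the pod and by any sidecar sharing the mount. Add `defaultMode: 0400` under the `secret:` stanza, or `0440` if the container runs with an `fsGroup` and a non-root UID; the pod `securityContext` is outside this hunk so I cannot tell which applies. The enclosing `volumes:` list continues outside the hunk.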
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. +*/}} +{{- define "fluss.security.listener.mechanism" -}} +{{- $listener := index .Values.security .listener | default (dict) -}} Review Comment: I would argue we don't need to pass `Values` in as this function is only used in this chart and does not need to be re-used. You may access it directly via `$.Values` or `.Values`. 
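Review bot: `index .Values.security .listener` fails with `index of untyped nil` when `.Values.security` is absent or nulled (`--set security=null`), so the `default (dict)` applied to its result never gets a chance to run. Default the parent map first: `{{- $security := .Values.security | default (dict) -}}` followed by `{{- $listener := index $security .listener | default (dict) -}}`. Whether this is reachable in practice depends on values.yaml always defining `security`, which is outside this hunk, as are the helper's remaining lines.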
########## helm/templates/sts-coordinator.yaml: ########## @@ -95,12 +100,17 @@ spec: tcpSocket: port: {{ .Values.listeners.client.port }} resources: - {{- toYaml .Values.resources.tabletServer | nindent 12 }} + {{- toYaml .Values.resources.coordinatorServer | nindent 12 }} Review Comment: I think this line may be offloaded to a separate PR ########## helm/templates/_security.tpl: ########## 
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Returns the authentication mechanism value of a given listener. +Allowed mechanism values: 'none', 'plain' +Usage: + include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") + +Explanation: +(dict "Values" .Values "listener" "client") is a Helm template map, literally passed as a single argument to include. + +- dict: creates a key value map +- "Values": is a key, .Values is its value +- "listener": is a key, "client" is its value + +So this builds an object like: +{ + Values: .Values, + listener: "client" +} + +Inside the called helper, in this case, 'fluss.security.listener.mechanism', it is accessed as: +- .Values -> the chart values +- .listener -> "client" + +The reason for this is that include can only pass one argument, so dict is a standard way to pass multiple named inputs. 
+*/}} +{{- define "fluss.security.listener.mechanism" -}} +{{- $listener := index .Values.security .listener | default (dict) -}} +{{- $sasl := $listener.sasl | default (dict) -}} +{{- $mechanism := lower (default "" $sasl.mechanism) -}} +{{- if not (has $mechanism (list "none" "plain")) -}} +{{- fail (printf "security.%s.sasl.mechanism must be one of: none, plain" .listener) -}} +{{- end -}} +{{- $mechanism -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses SASL based authentication mechanism ('plain' for now). +Usage: + include "fluss.security.sasl.enabled" . +*/}} +{{- define "fluss.security.sasl.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (ne $internal "none") (ne $client "none") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns true if any of the listeners uses 'plain' authentication mechanism. +Usage: + include "fluss.security.sasl.plain.enabled" . +*/}} +{{- define "fluss.security.sasl.plain.enabled" -}} +{{- $internal := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") -}} +{{- $client := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} +{{- if or (eq $internal "plain") (eq $client "plain") -}}true{{- end -}} +{{- end -}} + +{{/* +Returns protocol value derived from listener mechanism. +Usage: + include "fluss.security.listener.protocol" (dict "Values" .Values "listener" "internal") +*/}} +{{- define "fluss.security.listener.protocol" -}} +{{- $mechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" .listener) -}} +{{- if eq $mechanism "none" -}}PLAINTEXT{{- else -}}SASL{{- end -}} +{{- end -}} + +{{/* +Returns comma separated list of enabled mechanisms. +Usage: + include "fluss.security.sasl.enabledMechanisms" . 
+ +Example usage: + echo "security.sasl.enabled.mechanisms: {{ include "fluss.security.sasl.enabledMechanisms" . | trim }}" +*/}} +{{- define "fluss.security.sasl.enabledMechanisms" -}} +{{- $mechanisms := list -}} +{{- range $listener := list "internal" "client" -}} + {{- $current := include "fluss.security.listener.mechanism" (dict "Values" $.Values "listener" $listener) -}} + {{- if and (ne $current "none") (not (has (upper $current) $mechanisms)) -}} + {{- $mechanisms = append $mechanisms (upper $current) -}} + {{- end -}} +{{- end -}} +{{- join "," $mechanisms -}} +{{- end -}} + +{{/* +Validates that the client PLAIN mechanism block contains the required users. + +Usage: + include "fluss.security.sasl.validateClientPlainUsers" . +*/}} +{{- define "fluss.security.sasl.validateClientPlainUsers" -}} +{{- $clientMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client") -}} + +{{- if eq $clientMechanism "plain" -}} + {{- $users := .Values.security.client.sasl.plain.users | default (list) -}} + {{- if eq (len $users) 0 -}} + {{- fail "security.client.sasl.plain.users must contain at least one user when security.client.sasl.mechanism is plain" -}} + {{- end -}} + {{- range $idx, $user := $users -}} + {{- if or (empty $user.username) (empty $user.password) -}} + {{- fail (printf "security.client.sasl.plain.users[%d] must set both username and password" $idx) -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders security configuration lines that are appended to the server.yaml file. +Usage: + include "fluss.security.renderSecurityOptions" . +*/}} +{{- define "fluss.security.renderSecurityOptions" -}} +{{- $internalProtocol := include "fluss.security.listener.protocol" (dict "Values" .Values "listener" "internal") | trim -}} +{{- $enabledMechanisms := include "fluss.security.sasl.enabledMechanisms" . 
| trim }} +{{- $internalClientMechanism := include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal") | upper }} + +{{- if (include "fluss.security.sasl.enabled" .) }} +echo "security.sasl.enabled.mechanisms: {{ $enabledMechanisms }}" >> $FLUSS_HOME/conf/server.yaml && \ +{{- if eq $internalProtocol "SASL" }} +echo "client.security.protocol: SASL" >> $FLUSS_HOME/conf/server.yaml && \ +echo "client.security.sasl.mechanism: {{ $internalClientMechanism }}" >> $FLUSS_HOME/conf/server.yaml && \ +{{- end }} + +{{- if (include "fluss.security.sasl.plain.enabled" .) }} +export FLUSS_ENV_JAVA_OPTS="-Djava.security.auth.login.config=/etc/fluss/conf/jaas.conf ${FLUSS_ENV_JAVA_OPTS}" && \ Review Comment: also this one, it would be nice to have it under `env` in the sts templates ########## helm/templates/sts-coordinator.yaml: ########## @@ -16,6 +16,9 @@ # limitations under the License. # +{{ include "fluss.security.sasl.validateClientPlainUsers" . }} Review Comment: why is this happening twice? It was also happening in the secret ########## helm/templates/secret-jaas-config.yaml: ########## 
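Review bot: The `export FLUSS_ENV_JAVA_OPTS=...` line places the chart's `-Djava.security.auth.login.config` before the user-supplied `${FLUSS_ENV_JAVA_OPTS}`, and since the JVM takes the last `-D` for a given property, a user value that also sets `java.security.auth.login.config` silently replaces the chart-managed JAAS file. If that is not an intentional override hook, put the chart value last: `export FLUSS_ENV_JAVA_OPTS="${FLUSS_ENV_JAVA_OPTS} -Djava.security.auth.login.config=/etc/fluss/conf/jaas.conf"`; if it is intentional, a comment saying so would help the next reader. The `/etc/fluss/conf/jaas.conf` path is also hard-coded here independently of the volume mount, so a shared template value would keep the two from drifting. The helper's closing `end`s are outside this hunk.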
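Review bot: Changing any `security.*.sasl.plain.*` value regenerates the `-sasl-jaas-config` Secret, but nothing in this hunk causes the StatefulSet pods to roll, so running servers keep serving the old JAAS credentials until they are restarted for another reason. If the pod template does not already carry one (its annotations are outside this hunk), add `checksum/sasl-config: {{ include (print $.Template.BasePath "/secret-jaas-config.yaml") . | sha256sum }}` under `spec.template.metadata.annotations` so a credential rotation triggers a rollout.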
@@ -0,0 +1,50 @@ +{{- if (include "fluss.security.sasl.plain.enabled" .) -}} +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +{{ include "fluss.security.sasl.validateClientPlainUsers" . }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "fluss.fullname" . }}-sasl-jaas-config + labels: + {{- include "fluss.labels" . 
| nindent 4 }} +type: Opaque +stringData: + jaas.conf: | +{{- if eq (include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal")) "plain" }} + internal.FlussServer { + org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required + user_{{ .Values.security.internal.sasl.plain.username }}="{{ .Values.security.internal.sasl.plain.password }}"; + }; +{{- end }} +{{- if eq (include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "client")) "plain" }} + client.FlussServer { + org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required +{{- range .Values.security.client.sasl.plain.users | default (list) }} + user_{{ .username }}="{{ .password }}" +{{- end }}; + }; +{{- end }} +{{- if eq (include "fluss.security.listener.mechanism" (dict "Values" .Values "listener" "internal")) "plain" }} Review Comment: Why is this block not rendered together with the server-side block above? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
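Review bot: `user_{{ .Values.security.internal.sasl.plain.username }}="{{ .Values.security.internal.sasl.plain.password }}";` and the `user_{{ .username }}="{{ .password }}"` entries in the client block interpolate values into JAAS option syntax with no escaping, so a password containing `"` or `\` (or a username containing whitespace, `=` or `"`) either breaks the login configuration or lets the value terminate the quoted string and smuggle in extra option tokens. The JAAS config grammar I am aware of does not offer a reliable escape for these, so the safer fix is to reject them up front in `fluss.security.sasl.validateClientPlainUsers` (outside this hunk) for both listeners, e.g. `{{- if regexMatch "[\"\\\\\\s;=]" (printf "%s%s" $user.username $user.password) -}}{{- fail (printf "security.client.sasl.plain.users[%d]: username/password must not contain quotes, backslashes, whitespace, ';' or '='" $idx) -}}{{- end -}}`. Worth confirming against how PlainLoginModule's JAAS parser actually tokenizes option values before settling on the exact character set. The Secret template continues outside this hunk.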
