Martin Blanchard pushed to branch mablanch/147-authentication-configuration at BuildGrid / buildgrid
Commits:
-
ce5b55a7
by Martin Blanchard at 2018-12-06T13:51:36Z
-
97c46ac8
by Martin Blanchard at 2018-12-06T13:51:42Z
-
31ff0157
by Martin Blanchard at 2018-12-06T13:51:45Z
-
aebff219
by Martin Blanchard at 2018-12-06T13:51:48Z
-
9f5460cb
by Martin Blanchard at 2018-12-06T13:51:51Z
-
96e95270
by Martin Blanchard at 2018-12-06T13:51:55Z
-
2173528a
by Martin Blanchard at 2018-12-06T13:53:22Z
10 changed files:
- buildgrid/_app/commands/cmd_server.py
- buildgrid/_app/settings/cas.yml
- buildgrid/_app/settings/default.yml
- buildgrid/_app/settings/parser.py
- + buildgrid/_app/settings/reference.yml
- buildgrid/_app/settings/remote-storage.yml
- docs/source/data/bazel-example-server.conf
- docs/source/data/buildstream-example-server.conf
- docs/source/data/cas-example-server.conf
- docs/source/reference_server_config.rst
Changes:
| ... | ... | @@ -24,7 +24,9 @@ import sys |
| 24 | 24 |
|
| 25 | 25 |
import click
|
| 26 | 26 |
|
| 27 |
+from buildgrid.server._authentication import AuthMetadataMethod, AuthMetadataAlgorithm
|
|
| 27 | 28 |
from buildgrid.server.instance import BuildGridServer
|
| 29 |
+from buildgrid.utils import read_file
|
|
| 28 | 30 |
|
| 29 | 31 |
from ..cli import pass_context, setup_logging
|
| 30 | 32 |
from ..settings import parser
|
| ... | ... | @@ -38,11 +40,12 @@ def cli(context): |
| 38 | 40 |
|
| 39 | 41 |
@cli.command('start', short_help="Setup a new server instance.")
|
| 40 | 42 |
@click.argument('CONFIG',
|
| 41 |
- type=click.Path(file_okay=True, dir_okay=False, writable=False))
|
|
| 43 |
+ type=click.Path(file_okay=True, dir_okay=False, exists=True, writable=False))
|
|
| 42 | 44 |
@click.option('-v', '--verbose', count=True,
|
| 43 | 45 |
help='Increase log verbosity level.')
|
| 44 | 46 |
@pass_context
|
| 45 | 47 |
def start(context, config, verbose):
|
| 48 |
+ """Entry point for the bgd-server CLI command group."""
|
|
| 46 | 49 |
setup_logging(verbosity=verbose)
|
| 47 | 50 |
|
| 48 | 51 |
with open(config) as f:
|
| ... | ... | @@ -65,20 +68,40 @@ def start(context, config, verbose): |
| 65 | 68 |
server.stop()
|
| 66 | 69 |
|
| 67 | 70 |
|
| 68 |
-def _create_server_from_config(config):
|
|
| 69 |
- server_settings = config['server']
|
|
| 70 |
- |
|
| 71 |
- server = BuildGridServer()
|
|
| 71 |
+def _create_server_from_config(configuration):
|
|
| 72 |
+ """Parses configuration and setup a fresh server instance."""
|
|
| 73 |
+ kargs = {}
|
|
| 72 | 74 |
|
| 73 | 75 |
try:
|
| 74 |
- for channel in server_settings:
|
|
| 75 |
- server.add_port(channel.address, channel.credentials)
|
|
| 76 |
+ network = configuration['server']
|
|
| 77 |
+ instances = configuration['instances']
|
|
| 76 | 78 |
|
| 77 |
- except (AttributeError, TypeError) as e:
|
|
| 78 |
- click.echo("Error: Use list of `!channel` tags: {}.\n".format(e), err=True)
|
|
| 79 |
+ except KeyError as e:
|
|
| 80 |
+ click.echo("Error: Section missing from configuration: {}.".format(e), err=True)
|
|
| 79 | 81 |
sys.exit(-1)
|
| 80 | 82 |
|
| 81 |
- instances = config['instances']
|
|
| 83 |
+ if 'authorization' in configuration:
|
|
| 84 |
+ authorization = configuration['authorization']
|
|
| 85 |
+ |
|
| 86 |
+ try:
|
|
| 87 |
+ if 'method' in authorization:
|
|
| 88 |
+ kargs['auth_method'] = AuthMetadataMethod(authorization['method'])
|
|
| 89 |
+ |
|
| 90 |
+ if 'secret' in authorization:
|
|
| 91 |
+ kargs['auth_secret'] = read_file(authorization['secret'])
|
|
| 92 |
+ |
|
| 93 |
+ if 'algorithm' in authorization:
|
|
| 94 |
+ kargs['auth_algorithm'] = AuthMetadataAlgorithm(authorization['algorithm'])
|
|
| 95 |
+ |
|
| 96 |
+ except (ValueError, OSError) as e:
|
|
| 97 |
+ click.echo("Error: Configuration, {}.".format(e), err=True)
|
|
| 98 |
+ sys.exit(-1)
|
|
| 99 |
+ |
|
| 100 |
+ server = BuildGridServer(**kargs)
|
|
| 101 |
+ |
|
| 102 |
+ for channel in network:
|
|
| 103 |
+ server.add_port(channel.address, channel.credentials)
|
|
| 104 |
+ |
|
| 82 | 105 |
for instance in instances:
|
| 83 | 106 |
instance_name = instance['name']
|
| 84 | 107 |
services = instance['services']
|
| 1 | 1 |
server:
|
| 2 | 2 |
- !channel
|
| 3 | 3 |
port: 50052
|
| 4 |
- insecure_mode: true
|
|
| 5 |
-# credentials:
|
|
| 6 |
-# tls-server-key: null
|
|
| 7 |
-# tls-server-cert: null
|
|
| 8 |
-# tls-client-certs: null
|
|
| 4 |
+ insecure-mode: true
|
|
| 5 |
+ # credentials:
|
|
| 6 |
+ # tls-server-key: null
|
|
| 7 |
+ # tls-server-cert: null
|
|
| 8 |
+ # tls-client-certs: null
|
|
| 9 | 9 |
|
| 10 | 10 |
description: |
|
| 11 | 11 |
Just a CAS with some reference storage.
|
| ... | ... | @@ -16,8 +16,8 @@ instances: |
| 16 | 16 |
The main server
|
| 17 | 17 |
|
| 18 | 18 |
storages:
|
| 19 |
- - !disk-storage &main-storage
|
|
| 20 |
- path: !expand-path $HOME/cas/
|
|
| 19 |
+ - !disk-storage &main-storage
|
|
| 20 |
+ path: !expand-path $HOME/cas
|
|
| 21 | 21 |
|
| 22 | 22 |
services:
|
| 23 | 23 |
- !cas
|
| ... | ... | @@ -28,5 +28,5 @@ instances: |
| 28 | 28 |
|
| 29 | 29 |
- !reference-cache
|
| 30 | 30 |
storage: *main-storage
|
| 31 |
- max_cached_refs: 256
|
|
| 32 |
- allow_updates: true
|
|
| 31 |
+ max-cached-refs: 256
|
|
| 32 |
+ allow-updates: true
|
| 1 | 1 |
server:
|
| 2 | 2 |
- !channel
|
| 3 | 3 |
port: 50051
|
| 4 |
- insecure_mode: true
|
|
| 5 |
-# credentials:
|
|
| 6 |
-# tls-server-key: null
|
|
| 7 |
-# tls-server-cert: null
|
|
| 8 |
-# tls-client-certs: null
|
|
| 4 |
+ insecure-mode: true
|
|
| 9 | 5 |
|
| 10 | 6 |
description: |
|
| 11 |
- A single default instance
|
|
| 7 |
+ A single default instance.
|
|
| 12 | 8 |
|
| 13 | 9 |
instances:
|
| 14 | 10 |
- name: main
|
| ... | ... | @@ -16,18 +12,18 @@ instances: |
| 16 | 12 |
The main server
|
| 17 | 13 |
|
| 18 | 14 |
storages:
|
| 19 |
- - !disk-storage &main-storage
|
|
| 20 |
- path: !expand-path $HOME/cas/
|
|
| 15 |
+ - !disk-storage &main-storage
|
|
| 16 |
+ path: !expand-path $HOME/cas
|
|
| 21 | 17 |
|
| 22 | 18 |
services:
|
| 23 | 19 |
- !action-cache &main-action
|
| 24 | 20 |
storage: *main-storage
|
| 25 |
- max_cached_refs: 256
|
|
| 26 |
- allow_updates: true
|
|
| 21 |
+ max-cached-refs: 256
|
|
| 22 |
+ allow-updates: true
|
|
| 27 | 23 |
|
| 28 | 24 |
- !execution
|
| 29 | 25 |
storage: *main-storage
|
| 30 |
- action_cache: *main-action
|
|
| 26 |
+ action-cache: *main-action
|
|
| 31 | 27 |
|
| 32 | 28 |
- !cas
|
| 33 | 29 |
storage: *main-storage
|
| ... | ... | @@ -46,6 +46,8 @@ class YamlFactory(yaml.YAMLObject): |
| 46 | 46 |
|
| 47 | 47 |
else:
|
| 48 | 48 |
values = loader.construct_mapping(node, deep=True)
|
| 49 |
+ for key, value in dict(values).items():
|
|
| 50 |
+ values[key.replace('-', '_')] = values.pop(key)
|
|
| 49 | 51 |
return cls(**values)
|
| 50 | 52 |
|
| 51 | 53 |
|
| 1 |
+##
|
|
| 2 |
+# Server's configuration desciption.
|
|
| 3 |
+description: |
|
|
| 4 |
+ BuildGrid's server reference configuration.
|
|
| 5 |
+ |
|
| 6 |
+##
|
|
| 7 |
+# Server's network configuration.
|
|
| 8 |
+server:
|
|
| 9 |
+ - !channel
|
|
| 10 |
+ ##
|
|
| 11 |
+ # TCP port number.
|
|
| 12 |
+ port: 50051
|
|
| 13 |
+ ##
|
|
| 14 |
+ # Whether or not to activate SSL/TLS encryption.
|
|
| 15 |
+ insecure-mode: true
|
|
| 16 |
+ ##
|
|
| 17 |
+ # SSL/TLS credentials.
|
|
| 18 |
+ credentials:
|
|
| 19 |
+ tls-server-key: !expand-path ~/.config/buildgrid/server.key
|
|
| 20 |
+ tls-server-cert: !expand-path ~/.config/buildgrid/server.cert
|
|
| 21 |
+ tls-client-certs: !expand-path ~/.config/buildgrid/client.cert
|
|
| 22 |
+ |
|
| 23 |
+##
|
|
| 24 |
+# Server's authorization configuration.
|
|
| 25 |
+authorization:
|
|
| 26 |
+ ##
|
|
| 27 |
+ # Type of authorization method.
|
|
| 28 |
+ # none - Bypass the authorization mechanism
|
|
| 29 |
+ # jwt - OAuth 2.0 bearer with JWT tokens
|
|
| 30 |
+ method: jwt
|
|
| 31 |
+ ##
|
|
| 32 |
+ # Location for the file containing the secret, pass
|
|
| 33 |
+ # or key needed by 'method' to authorize requests.
|
|
| 34 |
+ secret: !expand-path ~/.config/buildgrid/auth.secret
|
|
| 35 |
+ ##
|
|
| 36 |
+ # Encryption algorithm to be used together with 'secret'
|
|
| 37 |
+ # by 'method' to authorize requests (optinal).
|
|
| 38 |
+ # hs256 - HMAC+SHA-256 for JWT method
|
|
| 39 |
+ # rs256 - RSASSA-PKCS1-v1_5+SHA-256 for JWT method
|
|
| 40 |
+ algorithm: rs256
|
|
| 41 |
+ |
|
| 42 |
+##
|
|
| 43 |
+# Server's instances configuration.
|
|
| 44 |
+instances:
|
|
| 45 |
+ - name: main
|
|
| 46 |
+ description: |
|
|
| 47 |
+ The 'main' server instance.
|
|
| 48 |
+ ##
|
|
| 49 |
+ # List of storage backends for the instance.
|
|
| 50 |
+ # disk - On-disk storage.
|
|
| 51 |
+ # lru-storage - In-memory storage (non-persistant).
|
|
| 52 |
+ # remote - Proxy to remote storage.
|
|
| 53 |
+ # s3-storage - Amazon S3 storage.
|
|
| 54 |
+ storages:
|
|
| 55 |
+ - !disk-storage &main-storage
|
|
| 56 |
+ ##
|
|
| 57 |
+ # Path to the local storage folder.
|
|
| 58 |
+ path: !expand-path $HOME/cas
|
|
| 59 |
+ ##
|
|
| 60 |
+ # List of services for the instance.
|
|
| 61 |
+ # action-cache - REAPI ActionCache service.
|
|
| 62 |
+ # bytestream - Google APIs ByteStream service.
|
|
| 63 |
+ # cas - REAPI ContentAddressableStorage service.
|
|
| 64 |
+ # execution - REAPI Execution + RWAPI ots services.
|
|
| 65 |
+ # reference-cache - BuildStream ReferenceStorage service.
|
|
| 66 |
+ services:
|
|
| 67 |
+ - !action-cache &main-action
|
|
| 68 |
+ ##
|
|
| 69 |
+ # Alias to a storage backend, see 'storages'.
|
|
| 70 |
+ storage: *memory-storage
|
|
| 71 |
+ ##
|
|
| 72 |
+ # Maximum number of entires kept in cache.
|
|
| 73 |
+ max-cached-refs: 256
|
|
| 74 |
+ ##
|
|
| 75 |
+ # Whether or not writing to the cache is allowed.
|
|
| 76 |
+ allow-updates: true
|
|
| 77 |
+ |
|
| 78 |
+ - !execution
|
|
| 79 |
+ ##
|
|
| 80 |
+ # Alias to a storage backend, see 'storages'.
|
|
| 81 |
+ storage: *main-storage
|
|
| 82 |
+ ##
|
|
| 83 |
+ # Alias to an action-cache service.
|
|
| 84 |
+ action-cache: *main-action
|
|
| 85 |
+ |
|
| 86 |
+ - !cas
|
|
| 87 |
+ ##
|
|
| 88 |
+ # Alias to a storage backend, see 'storages'.
|
|
| 89 |
+ storage: *main-storage
|
|
| 90 |
+ |
|
| 91 |
+ - !bytestream
|
|
| 92 |
+ ##
|
|
| 93 |
+ # Alias to a storage backend, see 'storages'.
|
|
| 94 |
+ storage: *main-storage
|
|
| 95 |
+ |
|
| 96 |
+ - !reference-cache
|
|
| 97 |
+ ##
|
|
| 98 |
+ # Alias to a storage backend, see 'storages'.
|
|
| 99 |
+ storage: *main-storage
|
|
| 100 |
+ ##
|
|
| 101 |
+ # Maximum number of entires kept in cache.
|
|
| 102 |
+ max-cached-refs: 256
|
|
| 103 |
+ ##
|
|
| 104 |
+ # Whether or not writing to the cache is allowed.
|
|
| 105 |
+ allow-updates: true
|
| 1 | 1 |
server:
|
| 2 | 2 |
- !channel
|
| 3 | 3 |
port: 50051
|
| 4 |
- insecure_mode: true
|
|
| 5 |
-# credentials:
|
|
| 6 |
-# tls-server-key: null
|
|
| 7 |
-# tls-server-cert: null
|
|
| 8 |
-# tls-client-certs: null
|
|
| 4 |
+ insecure-mode: true
|
|
| 9 | 5 |
|
| 10 | 6 |
description: |
|
| 11 | 7 |
A single default instance with remote storage.
|
| ... | ... | @@ -16,23 +12,23 @@ instances: |
| 16 | 12 |
The main server
|
| 17 | 13 |
|
| 18 | 14 |
storages:
|
| 19 |
- - !remote-storage &main-storage
|
|
| 20 |
- url: "http://localhost:50052"
|
|
| 21 |
- instance_name: main
|
|
| 22 |
-# credentials:
|
|
| 23 |
-# tls-client-key: null
|
|
| 24 |
-# tls-client-cert: null
|
|
| 25 |
-# tls-server-cert: null
|
|
| 15 |
+ - !remote-storage &main-storage
|
|
| 16 |
+ url: http://localhost:50052
|
|
| 17 |
+ instance-name: main
|
|
| 18 |
+ # credentials:
|
|
| 19 |
+ # tls-client-key: null
|
|
| 20 |
+ # tls-client-cert: null
|
|
| 21 |
+ # tls-server-cert: null
|
|
| 26 | 22 |
|
| 27 | 23 |
services:
|
| 28 | 24 |
- !action-cache &main-action
|
| 29 | 25 |
storage: *main-storage
|
| 30 |
- max_cached_refs: 256
|
|
| 31 |
- allow_updates: true
|
|
| 26 |
+ max-cached-refs: 256
|
|
| 27 |
+ allow-updates: true
|
|
| 32 | 28 |
|
| 33 | 29 |
- !execution
|
| 34 | 30 |
storage: *main-storage
|
| 35 |
- action_cache: *main-action
|
|
| 31 |
+ action-cache: *main-action
|
|
| 36 | 32 |
|
| 37 | 33 |
- !cas
|
| 38 | 34 |
storage: *main-storage
|
| 1 | 1 |
server:
|
| 2 | 2 |
- !channel
|
| 3 | 3 |
port: 50051
|
| 4 |
- insecure_mode: true
|
|
| 4 |
+ insecure-mode: true
|
|
| 5 | 5 |
|
| 6 | 6 |
instances:
|
| 7 | 7 |
- name: main
|
| ... | ... | @@ -13,12 +13,15 @@ instances: |
| 13 | 13 |
services:
|
| 14 | 14 |
- !action-cache &main-action
|
| 15 | 15 |
storage: *main-storage
|
| 16 |
- max_cached_refs: 256
|
|
| 17 |
- allow_updates: true
|
|
| 16 |
+ max-cached-refs: 256
|
|
| 17 |
+ allow-updates: true
|
|
| 18 |
+ |
|
| 18 | 19 |
- !execution
|
| 19 | 20 |
storage: *main-storage
|
| 20 |
- action_cache: *main-action
|
|
| 21 |
+ action-cache: *main-action
|
|
| 22 |
+ |
|
| 21 | 23 |
- !cas
|
| 22 | 24 |
storage: *main-storage
|
| 25 |
+ |
|
| 23 | 26 |
- !bytestream
|
| 24 | 27 |
storage: *main-storage
|
| \ No newline at end of file |
| 1 | 1 |
server:
|
| 2 | 2 |
- !channel
|
| 3 | 3 |
port: 50051
|
| 4 |
- insecure_mode: true
|
|
| 4 |
+ insecure-mode: true
|
|
| 5 | 5 |
|
| 6 | 6 |
instances:
|
| 7 |
- - name: ""
|
|
| 7 |
+ - name: ''
|
|
| 8 | 8 |
|
| 9 | 9 |
storages:
|
| 10 | 10 |
- !lru-storage &main-storage
|
| ... | ... | @@ -13,15 +13,19 @@ instances: |
| 13 | 13 |
services:
|
| 14 | 14 |
- !action-cache &main-action
|
| 15 | 15 |
storage: *main-storage
|
| 16 |
- max_cached_refs: 256
|
|
| 17 |
- allow_updates: true
|
|
| 16 |
+ max-cached-refs: 256
|
|
| 17 |
+ allow-updates: true
|
|
| 18 |
+ |
|
| 18 | 19 |
- !execution
|
| 19 | 20 |
storage: *main-storage
|
| 20 |
- action_cache: *main-action
|
|
| 21 |
+ action-cache: *main-action
|
|
| 22 |
+ |
|
| 21 | 23 |
- !cas
|
| 22 | 24 |
storage: *main-storage
|
| 25 |
+ |
|
| 26 |
+ - !bytestream
|
|
| 27 |
+ storage: *main-storage
|
|
| 28 |
+ |
|
| 23 | 29 |
- !reference-cache
|
| 24 | 30 |
storage: *main-storage
|
| 25 |
- max_cached_refs: 128
|
|
| 26 |
- - !bytestream
|
|
| 27 |
- storage: *main-storage
|
|
| \ No newline at end of file | ||
| 31 |
+ max-cached-refs: 128
|
| ... | ... | @@ -8,13 +8,15 @@ instances: |
| 8 | 8 |
|
| 9 | 9 |
storages:
|
| 10 | 10 |
- !disk-storage &main-storage
|
| 11 |
- path: !expand-path $HOME/cas
|
|
| 11 |
+ path: !expand-path $HOME/cas
|
|
| 12 | 12 |
|
| 13 | 13 |
services:
|
| 14 | 14 |
- !cas
|
| 15 |
- storage: *main-storage
|
|
| 15 |
+ storage: *main-storage
|
|
| 16 |
+ |
|
| 16 | 17 |
- !bytestream
|
| 17 |
- storage: *main-storage
|
|
| 18 |
+ storage: *main-storage
|
|
| 19 |
+ |
|
| 18 | 20 |
- !reference-cache
|
| 19 |
- storage: *main-storage
|
|
| 20 |
- max_cached_refs: 512
|
|
| 21 |
+ storage: *main-storage
|
|
| 22 |
+ max-cached-refs: 512
|
| 1 |
-.. _parser:
|
|
| 2 | 1 |
|
| 3 |
-Server configuration reference
|
|
| 4 |
-==============================
|
|
| 2 |
+.. _server-configuration:
|
|
| 5 | 3 |
|
| 6 |
-BuildGrid's server configuration. To be used with::
|
|
| 4 |
+Server configuration
|
|
| 5 |
+====================
|
|
| 7 | 6 |
|
| 8 |
- bgd server start server.conf
|
|
| 7 |
+BuildGrid's server YAML configuration format details.
|
|
| 8 |
+ |
|
| 9 |
+.. hint::
|
|
| 10 |
+ |
|
| 11 |
+ In order to spin-up a server instance using a given ``server.conf``
|
|
| 12 |
+ configuration file, run:
|
|
| 13 |
+ |
|
| 14 |
+ .. code-block:: sh
|
|
| 15 |
+ |
|
| 16 |
+ bgd server start server.conf
|
|
| 17 |
+ |
|
| 18 |
+ Please refer to the :ref:`CLI reference section <invoking-bgd-server>` for
|
|
| 19 |
+ command line interface details.
|
|
| 20 |
+ |
|
| 21 |
+ |
|
| 22 |
+.. _server-config-reference:
|
|
| 23 |
+ |
|
| 24 |
+Reference configuration
|
|
| 25 |
+-----------------------
|
|
| 26 |
+ |
|
| 27 |
+Below is an example of the full configuration reference:
|
|
| 28 |
+ |
|
| 29 |
+.. literalinclude:: ../../buildgrid/_app/settings/reference.yml
|
|
| 30 |
+ :language: yaml
|
|
| 31 |
+ |
|
| 32 |
+ |
|
| 33 |
+.. _server-config-parser:
|
|
| 34 |
+ |
|
| 35 |
+Parser API
|
|
| 36 |
+----------
|
|
| 37 |
+ |
|
| 38 |
+The tagged YAML nodes in the :ref:`reference above <server-config-reference>`
|
|
| 39 |
+are handled by the YAML parser using the following set of objects:
|
|
| 9 | 40 |
|
| 10 | 41 |
.. automodule:: buildgrid._app.settings.parser
|
| 11 | 42 |
:members:
|