yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(gw): keep authenticator resource after gateway disabled 

After a gateway is disabled, we should turn off the authenticator instead of destroying it.
Once built-in-database authenticator is destroyed, it discards all
user's data and can't be managed
This commit is contained in:
JianBo He 2022-06-14 11:40:45 +08:00
parent 6c465cfb8f
commit 7d38f83aef
1 changed files with 76 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
apps/emqx_gateway/src/emqx_gateway_insta_sup.erl
View File

@ -45,7 +45,7 @@
name :: gateway_name(), name :: gateway_name(),
config :: emqx_config:config(), config :: emqx_config:config(),
ctx :: emqx_gateway_ctx:context(), ctx :: emqx_gateway_ctx:context(),
authns :: [emqx_authentication:chain_name()], authns :: [{emqx_authentication:chain_name(), map()}],
status :: stopped | running, status :: stopped | running,
child_pids :: [pid()], child_pids :: [pid()],
gw_state :: emqx_gateway_impl:state() | undefined, gw_state :: emqx_gateway_impl:state() | undefined,
@ -115,11 +115,11 @@ init([Gateway, Ctx, _GwDscrptr]) ->
}), }),
{ok, State}; {ok, State};
true -> true ->
case cb_gateway_load(State) of case cb_gateway_load(ensure_authn_created(State)) of
{error, Reason} -> {error, Reason} ->
{stop, Reason}; {stop, Reason};
{ok, NState} -> {ok, NState1} ->
{ok, NState} {ok, NState1}
end end
end. end.
@ -130,7 +130,7 @@ handle_call(disable, _From, State = #state{status = Status}) ->
running -> running ->
case cb_gateway_unload(State) of case cb_gateway_unload(State) of
{ok, NState} -> {ok, NState} ->
{reply, ok, NState}; {reply, ok, disable_authns(NState)};
{error, Reason} -> {error, Reason} ->
{reply, {error, Reason}, State} {reply, {error, Reason}, State}
end; end;
@ -140,11 +140,11 @@ handle_call(disable, _From, State = #state{status = Status}) ->
handle_call(enable, _From, State = #state{status = Status}) -> handle_call(enable, _From, State = #state{status = Status}) ->
case Status of case Status of
stopped -> stopped ->
case cb_gateway_load(State) of case cb_gateway_load(ensure_authn_running(State)) of
{error, Reason} -> {error, Reason} ->
{reply, {error, Reason}, State}; {reply, {error, Reason}, State};
{ok, NState} -> {ok, NState1} ->
{reply, ok, NState} {reply, ok, NState1}
end; end;
_ -> _ ->
{reply, {error, already_started}, State} {reply, {error, already_started}, State}
@ -233,15 +233,52 @@ detailed_gateway_info(State) ->
%% Internal funcs %% Internal funcs
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%%--------------------------------------------------------------------
%% Authn resources managing funcs
%% ensure authentication chain, authenticator created and keep its status
%% as expected
ensure_authn_created(State = #state{ctx = Ctx, name = GwName, config = Config}) ->
Authns = init_authn(GwName, Config),
AuthnNames = lists:map(fun({ChainName, _}) -> ChainName end, Authns),
State#state{authns = Authns, ctx = maps:put(auth, AuthnNames, Ctx)}.
%% temporarily disable authenticators after gateway disabled
disable_authns(State = #state{ctx = Ctx, authns = Authns}) ->
lists:foreach(
fun({ChainName, AuthConf}) ->
TempConf = maps:put(enable, false, AuthConf),
do_update_authenticator(ChainName, TempConf)
end,
Authns
),
State#state{ctx = maps:remove(auth, Ctx)}.
%% keep authenticators running as expected
ensure_authn_running(State = #state{ctx = Ctx, authns = Authns}) ->
AuthnNames = lists:map(
fun({ChainName, AuthConf}) ->
ok = do_update_authenticator(ChainName, AuthConf),
ChainName
end,
Authns
),
State#state{ctx = maps:put(auth, AuthnNames, Ctx)}.
do_update_authenticator(ChainName, Confs) ->
[#{id := AuthenticatorId}] = emqx_authentication:list_authenticators(ChainName),
{ok, _} = emqx_authentication:update_authenticator(ChainName, AuthenticatorId, Confs),
ok.
%% There are two layer authentication configs %% There are two layer authentication configs
%% stomp.authn %% stomp.authn
%% / \ %% / \
%% listeners.tcp.default.authn *.ssl.default.authn %% listeners.tcp.default.authn *.ssl.default.authn
%% %%
init_authn(GwName, Config) -> init_authn(GwName, Config) ->
Authns = authns(GwName, Config), Authns = authns(GwName, Config),
try try
_ = application:ensure_all_started(emqx_authn),
do_init_authn(Authns, []) do_init_authn(Authns, [])
catch catch
throw:Reason = {badauth, _} -> throw:Reason = {badauth, _} ->
@ -249,19 +286,17 @@ init_authn(GwName, Config) ->
throw(Reason) throw(Reason)
end. end.
do_init_authn([], Names) -> do_init_authn([], Authns) ->
Names; lists:reverse(Authns);
do_init_authn([{_ChainName, _AuthConf = #{enable := false}} | More], Names) -> do_init_authn([{ChainName, AuthConf} | More], Authns) when is_map(AuthConf) ->
do_init_authn(More, Names); ok = do_create_authn_chain(ChainName, AuthConf),
do_init_authn([{ChainName, AuthConf} | More], Names) when is_map(AuthConf) -> do_init_authn(More, [{ChainName, AuthConf} | Authns]);
_ = application:ensure_all_started(emqx_authn), do_init_authn([_BadConf | More], Authns) ->
do_create_authn_chain(ChainName, AuthConf), do_init_authn(More, Authns).
do_init_authn(More, [ChainName | Names]);
do_init_authn([_BadConf | More], Names) ->
do_init_authn(More, Names).
authns(GwName, Config) -> authns(GwName, Config) ->
Listeners = maps:to_list(maps:get(listeners, Config, #{})), Listeners = maps:to_list(maps:get(listeners, Config, #{})),
Authns0 =
lists:append( lists:append(
[ [
[ [
@ -271,10 +306,17 @@ authns(GwName, Config) ->
|| {LisType, LisNames} <- Listeners || {LisType, LisNames} <- Listeners
] ]
) ++ ) ++
[{emqx_gateway_utils:global_chain(GwName), authn_conf(Config)}]. [{emqx_gateway_utils:global_chain(GwName), authn_conf(Config)}],
lists:filter(
fun
({_, undefined}) -> false;
(_) -> true
end,
Authns0
).
authn_conf(Conf) -> authn_conf(Conf) ->
maps:get(authentication, Conf, #{enable => false}). maps:get(authentication, Conf, undefined).
do_create_authn_chain(ChainName, AuthConf) -> do_create_authn_chain(ChainName, AuthConf) ->
case emqx_authentication:create_authenticator(ChainName, AuthConf) of case emqx_authentication:create_authenticator(ChainName, AuthConf) of
@ -325,7 +367,7 @@ do_update_one_by_one(
case {Status, NEnable} of case {Status, NEnable} of
{stopped, true} -> {stopped, true} ->
NState = State#state{config = NCfg}, NState = State#state{config = NCfg},
cb_gateway_load(NState); cb_gateway_load(ensure_authn_running(NState));
{stopped, false} -> {stopped, false} ->
{ok, State#state{config = NCfg}}; {ok, State#state{config = NCfg}};
{running, true} -> {running, true} ->
@ -336,14 +378,14 @@ do_update_one_by_one(
false -> false ->
%% Reset Authentication first %% Reset Authentication first
_ = do_deinit_authn(State#state.authns), _ = do_deinit_authn(State#state.authns),
AuthnNames = init_authn(State#state.name, NCfg), Authns = init_authn(State#state.name, NCfg),
State#state{authns = AuthnNames} State#state{authns = Authns}
end, end,
%% TODO: minimum impact update ??? %% TODO: minimum impact update ???
cb_gateway_update(NCfg, NState); cb_gateway_update(NCfg, NState);
{running, false} -> {running, false} ->
case cb_gateway_unload(State) of case cb_gateway_unload(State) of
{ok, NState} -> {ok, NState#state{config = NCfg}}; {ok, NState} -> {ok, disable_authns(NState#state{config = NCfg})};
{error, Reason} -> {error, Reason} {error, Reason} -> {error, Reason}
end; end;
_ -> _ ->
@ -378,8 +420,6 @@ cb_gateway_unload(
stacktrace => Stk stacktrace => Stk
}), }),
{error, Reason} {error, Reason}
after
_ = do_deinit_authn(State#state.authns)
end. end.
%% @doc 1. Create Authentcation Context %% @doc 1. Create Authentcation Context
@ -389,24 +429,19 @@ cb_gateway_unload(
cb_gateway_load( cb_gateway_load(
State = #state{ State = #state{
name = GwName, name = GwName,
config = Config,
ctx = Ctx ctx = Ctx
} }
) -> ) ->
Gateway = detailed_gateway_info(State), Gateway = detailed_gateway_info(State),
try try
AuthnNames = init_authn(GwName, Config),
NCtx = Ctx#{auth => AuthnNames},
#{cbkmod := CbMod} = emqx_gateway_registry:lookup(GwName), #{cbkmod := CbMod} = emqx_gateway_registry:lookup(GwName),
case CbMod:on_gateway_load(Gateway, NCtx) of case CbMod:on_gateway_load(Gateway, Ctx) of
{error, Reason} -> {error, Reason} ->
do_deinit_authn(AuthnNames),
{error, Reason}; {error, Reason};
{ok, ChildPidOrSpecs, GwState} -> {ok, ChildPidOrSpecs, GwState} ->
ChildPids = start_child_process(ChildPidOrSpecs), ChildPids = start_child_process(ChildPidOrSpecs),
{ok, State#state{ {ok, State#state{
ctx = NCtx, ctx = Ctx,
authns = AuthnNames,
status = running, status = running,
child_pids = ChildPids, child_pids = ChildPids,
gw_state = GwState, gw_state = GwState,