feat(gw): keep authenticator resource after gateway disabled
After a gateway is disabled, we should turn off the authenticator instead of destroying it. Once built-in-database authenticator is destroyed, it discards all user's data and can't be managed
This commit is contained in:
JianBo He
parent
6c465cfb8f
commit
7d38f83aef
|
|
@ -45,7 +45,7 @@
|
|||
name :: gateway_name(),
|
||||
config :: emqx_config:config(),
|
||||
ctx :: emqx_gateway_ctx:context(),
|
||||
authns :: [emqx_authentication:chain_name()],
|
||||
authns :: [{emqx_authentication:chain_name(), map()}],
|
||||
status :: stopped | running,
|
||||
child_pids :: [pid()],
|
||||
gw_state :: emqx_gateway_impl:state() | undefined,
|
||||
|
|
@ -115,11 +115,11 @@ init([Gateway, Ctx, _GwDscrptr]) ->
|
|||
}),
|
||||
{ok, State};
|
||||
true ->
|
||||
case cb_gateway_load(State) of
|
||||
case cb_gateway_load(ensure_authn_created(State)) of
|
||||
{error, Reason} ->
|
||||
{stop, Reason};
|
||||
{ok, NState} ->
|
||||
{ok, NState}
|
||||
{ok, NState1} ->
|
||||
{ok, NState1}
|
||||
end
|
||||
end.
|
||||
|
||||
|
|
@ -130,7 +130,7 @@ handle_call(disable, _From, State = #state{status = Status}) ->
|
|||
running ->
|
||||
case cb_gateway_unload(State) of
|
||||
{ok, NState} ->
|
||||
{reply, ok, NState};
|
||||
{reply, ok, disable_authns(NState)};
|
||||
{error, Reason} ->
|
||||
{reply, {error, Reason}, State}
|
||||
end;
|
||||
|
|
@ -140,11 +140,11 @@ handle_call(disable, _From, State = #state{status = Status}) ->
|
|||
handle_call(enable, _From, State = #state{status = Status}) ->
|
||||
case Status of
|
||||
stopped ->
|
||||
case cb_gateway_load(State) of
|
||||
case cb_gateway_load(ensure_authn_running(State)) of
|
||||
{error, Reason} ->
|
||||
{reply, {error, Reason}, State};
|
||||
{ok, NState} ->
|
||||
{reply, ok, NState}
|
||||
{ok, NState1} ->
|
||||
{reply, ok, NState1}
|
||||
end;
|
||||
_ ->
|
||||
{reply, {error, already_started}, State}
|
||||
|
|
@ -233,15 +233,52 @@ detailed_gateway_info(State) ->
|
|||
%% Internal funcs
|
||||
%%--------------------------------------------------------------------
|
||||
|
||||
%%--------------------------------------------------------------------
|
||||
%% Authn resources managing funcs
|
||||
|
||||
%% ensure authentication chain, authenticator created and keep its status
|
||||
%% as expected
|
||||
ensure_authn_created(State = #state{ctx = Ctx, name = GwName, config = Config}) ->
|
||||
Authns = init_authn(GwName, Config),
|
||||
AuthnNames = lists:map(fun({ChainName, _}) -> ChainName end, Authns),
|
||||
State#state{authns = Authns, ctx = maps:put(auth, AuthnNames, Ctx)}.
|
||||
|
||||
%% temporarily disable authenticators after gateway disabled
|
||||
disable_authns(State = #state{ctx = Ctx, authns = Authns}) ->
|
||||
lists:foreach(
|
||||
fun({ChainName, AuthConf}) ->
|
||||
TempConf = maps:put(enable, false, AuthConf),
|
||||
do_update_authenticator(ChainName, TempConf)
|
||||
end,
|
||||
Authns
|
||||
),
|
||||
State#state{ctx = maps:remove(auth, Ctx)}.
|
||||
|
||||
%% keep authenticators running as expected
|
||||
ensure_authn_running(State = #state{ctx = Ctx, authns = Authns}) ->
|
||||
AuthnNames = lists:map(
|
||||
fun({ChainName, AuthConf}) ->
|
||||
ok = do_update_authenticator(ChainName, AuthConf),
|
||||
ChainName
|
||||
end,
|
||||
Authns
|
||||
),
|
||||
State#state{ctx = maps:put(auth, AuthnNames, Ctx)}.
|
||||
|
||||
do_update_authenticator(ChainName, Confs) ->
|
||||
[#{id := AuthenticatorId}] = emqx_authentication:list_authenticators(ChainName),
|
||||
{ok, _} = emqx_authentication:update_authenticator(ChainName, AuthenticatorId, Confs),
|
||||
ok.
|
||||
|
||||
%% There are two layer authentication configs
|
||||
%% stomp.authn
|
||||
%% / \
|
||||
%% listeners.tcp.default.authn *.ssl.default.authn
|
||||
%%
|
||||
|
||||
init_authn(GwName, Config) ->
|
||||
Authns = authns(GwName, Config),
|
||||
try
|
||||
_ = application:ensure_all_started(emqx_authn),
|
||||
do_init_authn(Authns, [])
|
||||
catch
|
||||
throw:Reason = {badauth, _} ->
|
||||
|
|
@ -249,19 +286,17 @@ init_authn(GwName, Config) ->
|
|||
throw(Reason)
|
||||
end.
|
||||
|
||||
do_init_authn([], Names) ->
|
||||
Names;
|
||||
do_init_authn([{_ChainName, _AuthConf = #{enable := false}} | More], Names) ->
|
||||
do_init_authn(More, Names);
|
||||
do_init_authn([{ChainName, AuthConf} | More], Names) when is_map(AuthConf) ->
|
||||
_ = application:ensure_all_started(emqx_authn),
|
||||
do_create_authn_chain(ChainName, AuthConf),
|
||||
do_init_authn(More, [ChainName | Names]);
|
||||
do_init_authn([_BadConf | More], Names) ->
|
||||
do_init_authn(More, Names).
|
||||
do_init_authn([], Authns) ->
|
||||
lists:reverse(Authns);
|
||||
do_init_authn([{ChainName, AuthConf} | More], Authns) when is_map(AuthConf) ->
|
||||
ok = do_create_authn_chain(ChainName, AuthConf),
|
||||
do_init_authn(More, [{ChainName, AuthConf} | Authns]);
|
||||
do_init_authn([_BadConf | More], Authns) ->
|
||||
do_init_authn(More, Authns).
|
||||
|
||||
authns(GwName, Config) ->
|
||||
Listeners = maps:to_list(maps:get(listeners, Config, #{})),
|
||||
Authns0 =
|
||||
lists:append(
|
||||
[
|
||||
[
|
||||
|
|
@ -271,10 +306,17 @@ authns(GwName, Config) ->
|
|||
|| {LisType, LisNames} <- Listeners
|
||||
]
|
||||
) ++
|
||||
[{emqx_gateway_utils:global_chain(GwName), authn_conf(Config)}].
|
||||
[{emqx_gateway_utils:global_chain(GwName), authn_conf(Config)}],
|
||||
lists:filter(
|
||||
fun
|
||||
({_, undefined}) -> false;
|
||||
(_) -> true
|
||||
end,
|
||||
Authns0
|
||||
).
|
||||
|
||||
authn_conf(Conf) ->
|
||||
maps:get(authentication, Conf, #{enable => false}).
|
||||
maps:get(authentication, Conf, undefined).
|
||||
|
||||
do_create_authn_chain(ChainName, AuthConf) ->
|
||||
case emqx_authentication:create_authenticator(ChainName, AuthConf) of
|
||||
|
|
@ -325,7 +367,7 @@ do_update_one_by_one(
|
|||
case {Status, NEnable} of
|
||||
{stopped, true} ->
|
||||
NState = State#state{config = NCfg},
|
||||
cb_gateway_load(NState);
|
||||
cb_gateway_load(ensure_authn_running(NState));
|
||||
{stopped, false} ->
|
||||
{ok, State#state{config = NCfg}};
|
||||
{running, true} ->
|
||||
|
|
@ -336,14 +378,14 @@ do_update_one_by_one(
|
|||
false ->
|
||||
%% Reset Authentication first
|
||||
_ = do_deinit_authn(State#state.authns),
|
||||
AuthnNames = init_authn(State#state.name, NCfg),
|
||||
State#state{authns = AuthnNames}
|
||||
Authns = init_authn(State#state.name, NCfg),
|
||||
State#state{authns = Authns}
|
||||
end,
|
||||
%% TODO: minimum impact update ???
|
||||
cb_gateway_update(NCfg, NState);
|
||||
{running, false} ->
|
||||
case cb_gateway_unload(State) of
|
||||
{ok, NState} -> {ok, NState#state{config = NCfg}};
|
||||
{ok, NState} -> {ok, disable_authns(NState#state{config = NCfg})};
|
||||
{error, Reason} -> {error, Reason}
|
||||
end;
|
||||
_ ->
|
||||
|
|
@ -378,8 +420,6 @@ cb_gateway_unload(
|
|||
stacktrace => Stk
|
||||
}),
|
||||
{error, Reason}
|
||||
after
|
||||
_ = do_deinit_authn(State#state.authns)
|
||||
end.
|
||||
|
||||
%% @doc 1. Create Authentcation Context
|
||||
|
|
@ -389,24 +429,19 @@ cb_gateway_unload(
|
|||
cb_gateway_load(
|
||||
State = #state{
|
||||
name = GwName,
|
||||
config = Config,
|
||||
ctx = Ctx
|
||||
}
|
||||
) ->
|
||||
Gateway = detailed_gateway_info(State),
|
||||
try
|
||||
AuthnNames = init_authn(GwName, Config),
|
||||
NCtx = Ctx#{auth => AuthnNames},
|
||||
#{cbkmod := CbMod} = emqx_gateway_registry:lookup(GwName),
|
||||
case CbMod:on_gateway_load(Gateway, NCtx) of
|
||||
case CbMod:on_gateway_load(Gateway, Ctx) of
|
||||
{error, Reason} ->
|
||||
do_deinit_authn(AuthnNames),
|
||||
{error, Reason};
|
||||
{ok, ChildPidOrSpecs, GwState} ->
|
||||
ChildPids = start_child_process(ChildPidOrSpecs),
|
||||
{ok, State#state{
|
||||
ctx = NCtx,
|
||||
authns = AuthnNames,
|
||||
ctx = Ctx,
|
||||
status = running,
|
||||
child_pids = ChildPids,
|
||||
gw_state = GwState,
|
||||
|
|
|
|||
Loading…
Reference in New Issue