diff --git a/docker/configs/server1-conf/rest-server.properties b/docker/configs/server1-conf/rest-server.properties
index 6e2257ce97..1fd064d88a 100644
--- a/docker/configs/server1-conf/rest-server.properties
+++ b/docker/configs/server1-conf/rest-server.properties
@@ -12,9 +12,10 @@ arthas.ip=127.0.0.1
 arthas.disabled_commands=jad
 # authentication configs
-# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or
-# 'org.apache.hugegraph.auth.ConfigAuthenticator'
+# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or a custom implementation
 #auth.authenticator=
+# for admin password, By default, it is pa and takes effect upon the first startup
+#auth.admin_pa=pa
 # rpc server configs for multi graph-servers or raft-servers
 rpc.server_host=127.0.0.1
diff --git a/docker/configs/server2-conf/rest-server.properties b/docker/configs/server2-conf/rest-server.properties
index e55fb6b635..cff9405f5c 100644
--- a/docker/configs/server2-conf/rest-server.properties
+++ b/docker/configs/server2-conf/rest-server.properties
@@ -12,9 +12,10 @@ arthas.ip=127.0.0.1
 arthas.disabled_commands=jad
 # authentication configs
-# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or
-# 'org.apache.hugegraph.auth.ConfigAuthenticator'
+# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or a custom implementation
 #auth.authenticator=
+# for admin password, By default, it is pa and takes effect upon the first startup
+#auth.admin_pa=pa
 # rpc server configs for multi graph-servers or raft-servers
 rpc.server_host=127.0.0.1
diff --git a/docker/configs/server3-conf/rest-server.properties b/docker/configs/server3-conf/rest-server.properties
index af1d7301db..6c158e6236 100644
--- a/docker/configs/server3-conf/rest-server.properties
+++ b/docker/configs/server3-conf/rest-server.properties
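Review bot: The added comment above `#auth.admin_pa=pa` in the server1-conf hunk presents the two-character value `pa` as the admin password without telling operators to replace it; the same two lines are added in the server2-conf, server3-conf and cluster-test template hunks. Since the comment says the value takes effect upon the first startup, a server first started from these samples with authentication enabled would presumably keep `pa` for the built-in admin until someone changes it. I would reword the comment to `# password for the built-in admin account, applied on first startup only; the default 'pa' is a placeholder, set a strong value before the first start with auth enabled`.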
@@ -12,9 +12,10 @@ arthas.ip=127.0.0.1
 arthas.disabled_commands=jad
 # authentication configs
-# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or
-# 'org.apache.hugegraph.auth.ConfigAuthenticator'
+# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or a custom implementation
 #auth.authenticator=
+# for admin password, By default, it is pa and takes effect upon the first startup
+#auth.admin_pa=pa
 # rpc server configs for multi graph-servers or raft-servers
 rpc.server_host=127.0.0.1
diff --git a/hugegraph-cluster-test/hugegraph-clustertest-dist/src/assembly/static/conf/rest-server.properties.template b/hugegraph-cluster-test/hugegraph-clustertest-dist/src/assembly/static/conf/rest-server.properties.template
index 8f4e9bf616..106b171767 100644
--- a/hugegraph-cluster-test/hugegraph-clustertest-dist/src/assembly/static/conf/rest-server.properties.template
+++ b/hugegraph-cluster-test/hugegraph-clustertest-dist/src/assembly/static/conf/rest-server.properties.template
@@ -34,19 +34,16 @@ arthas.ip=127.0.0.1
 arthas.disabled_commands=jad
 # authentication configs
-# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or
-# 'org.apache.hugegraph.auth.ConfigAuthenticator'
+# choose 'org.apache.hugegraph.auth.StandardAuthenticator' or a custom implementation
 #auth.authenticator=
+# for admin password, By default, it is pa and takes effect upon the first startup
+#auth.admin_pa=pa
 # for StandardAuthenticator mode
 #auth.graph_store=hugegraph
 # auth client config
 #auth.remote_url=127.0.0.1:8899,127.0.0.1:8898,127.0.0.1:8897
-# for ConfigAuthenticator mode
-#auth.admin_token=
-#auth.user_tokens=[]
-
 # rpc server configs for multi graph-servers or raft-servers
 rpc.server_host=127.0.0.1
 rpc.server_port=$RPC_PORT$
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java
deleted file mode 100644
index eaad573d5e..0000000000
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/ConfigAuthenticator.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hugegraph.auth;
-
-import java.net.InetAddress;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Objects;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.hugegraph.HugeGraph;
-import org.apache.hugegraph.backend.id.IdGenerator;
-import org.apache.hugegraph.config.HugeConfig;
-import org.apache.hugegraph.config.ServerOptions;
-import org.apache.hugegraph.util.E;
-import org.apache.tinkerpop.gremlin.groovy.jsr223.dsl.credential.CredentialGraphTokens;
-
-import jakarta.ws.rs.core.SecurityContext;
-
-public class ConfigAuthenticator implements HugeAuthenticator {
-
- public static final String KEY_USERNAME = CredentialGraphTokens.PROPERTY_USERNAME;
- public static final String KEY_PASSWORD = CredentialGraphTokens.PROPERTY_PASSWORD;
-
- private final Map tokens;
-
- public ConfigAuthenticator() {
- this.tokens = new HashMap<>();
- }
-
- @Override
- public void setup(HugeConfig config) {
- this.tokens.putAll(config.getMap(ServerOptions.AUTH_USER_TOKENS));
- assert !this.tokens.containsKey(USER_ADMIN);
- this.tokens.put(USER_ADMIN, config.get(ServerOptions.AUTH_ADMIN_TOKEN));
- }
-
- /**
- * Verify if a user is legal
- *
- * @param username the username for authentication
- * @param password the password for authentication
- * @return String No permission if return ROLE_NONE else return a role
- */
- @Override
- public UserWithRole authenticate(final String username,
- final String password,
- final String token) {
- E.checkArgumentNotNull(username,
- "The username parameter can't be null");
- E.checkArgumentNotNull(password,
- "The password parameter can't be null");
- E.checkArgument(token == null, "The token must be null");
-
- RolePermission role;
- if (password.equals(this.tokens.get(username))) {
- if (username.equals(USER_ADMIN)) {
- role = ROLE_ADMIN;
- } else {
- // Return role with all permission, set username as owner graph
- role = RolePermission.all(username);
- }
- } else {
- role = ROLE_NONE;
- }
-
- return new UserWithRole(IdGenerator.of(username), username, role);
- }
-
- @Override
- public void unauthorize(SecurityContext context) {
- }
-
- @Override
- public AuthManager authManager() {
- throw new NotImplementedException("AuthManager is unsupported by ConfigAuthenticator");
- }
-
- @Override
- public HugeGraph graph() {
- throw new NotImplementedException("graph() is unsupported by ConfigAuthenticator");
- }
-
- @Override
- public void initAdminUser(String password) {
- String adminToken = this.tokens.get(USER_ADMIN);
- E.checkArgument(Objects.equals(adminToken, password),
- "The password can't be changed for " +
- "ConfigAuthenticator");
- }
-
- @Override
- public SaslNegotiator newSaslNegotiator(InetAddress remoteAddress) {
- throw new NotImplementedException("SaslNegotiator is unsupported by ConfigAuthenticator");
- }
-}
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java
index 41e9186d7b..57486a4079 100644
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java @@ -129,7 +129,6 @@ private static void registerPrivateActions() { Reflection.registerFieldsToFilter(StandardAuthenticator.class, "graph"); Reflection.registerMethodsToFilter(StandardAuthenticator.class, "initAdminUser", "inputPassword", "graph"); - Reflection.registerFieldsToFilter(ConfigAuthenticator.class, "tokens"); Reflection.registerFieldsToFilter(HugeFactoryAuthProxy.class, "PROTECT_METHODS"); Reflection.registerMethodsToFilter(HugeFactoryAuthProxy.class, "genRegisterPrivateActions", "registerClass", "registerPrivateActions", @@ -508,7 +507,6 @@ private static void genRegisterPrivateActions() { registerPrivateActions(InheritableThreadLocal.class); registerPrivateActions(StandardAuthenticator.class); - registerPrivateActions(ConfigAuthenticator.class); registerPrivateActions(HugeFactoryAuthProxy.class); registerPrivateActions(HugeAuthenticator.User.class); diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java index 5a785eef4d..c94725737f 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java @@ -462,8 +462,7 @@ public class ServerOptions extends OptionHolder { new ConfigOption<>( "auth.authenticator", "The class path of authenticator implementation. " + - "e.g., org.apache.hugegraph.auth.StandardAuthenticator, " + - "or org.apache.hugegraph.auth.ConfigAuthenticator.", + "e.g., org.apache.hugegraph.auth.StandardAuthenticator.", null, "" ); 
@@ -471,31 +470,12 @@ public class ServerOptions extends OptionHolder { public static final ConfigOption ADMIN_PA = new ConfigOption<>( "auth.admin_pa", - "The class path of authenticator implementation. " + - "e.g., org.apache.hugegraph.auth.StandardAuthenticator, " + - "or org.apache.hugegraph.auth.ConfigAuthenticator.", + "The default password for built-in admin account, " + + "takes effect on first startup.", null, "pa" ); - public static final ConfigOption AUTH_ADMIN_TOKEN = - new ConfigOption<>( - "auth.admin_token", - "Token for administrator operations, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "162f7848-0b6d-4faf-b557-3a0797869c55" - ); - - public static final ConfigListOption AUTH_USER_TOKENS = - new ConfigListOption<>( - "auth.user_tokens", - "The map of user tokens with name and password, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "hugegraph:9fd95c9c-711b-415b-b85f-d4df46ba5c31" - ); - public static final ConfigOption SSL_KEYSTORE_FILE = new ConfigOption<>( "ssl.keystore_file", diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java index a2659641be..eda050e16b 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/core/GraphManager.java 
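Review bot: `ADMIN_PA` keeps `null` as its validator in the `@@ -471,31 +470,12 @@` hunk, whereas `AUTH_ADMIN_TOKEN`, removed just below and replaced by `ADMIN_PA` as the argument to `initAdminUser` in GraphManager, was declared with `disallowEmpty()`. As written, an empty `auth.admin_pa=` would pass option validation, and an unset key falls back to the hard-coded `"pa"`. I would change the validator line to `disallowEmpty(),` (the helper was in scope for the removed options; confirm its static import survives this commit). I would also append `"Change it before enabling authentication."` to the description so the generated option docs do not read as endorsing the default.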
@@ -1611,9 +1611,9 @@ private void checkBackendVersionOrExit(HugeConfig config) { if (!hugegraph.backendStoreFeatures().supportsPersistence()) { hugegraph.initBackend(); if (this.requireAuthentication()) { - String token = config.get(ServerOptions.AUTH_ADMIN_TOKEN); + String adminPassword = config.get(ServerOptions.ADMIN_PA); try { - this.authenticator().initAdminUser(token); + this.authenticator().initAdminUser(adminPassword); } catch (Exception e) { throw new BackendException( "The backend store of '%s' can't " + diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/config/AuthOptions.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/config/AuthOptions.java index c996082dab..5653c67885 100644 --- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/config/AuthOptions.java +++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/config/AuthOptions.java @@ -44,8 +44,7 @@ public static synchronized AuthOptions instance() { new ConfigOption<>( "auth.authenticator", "The class path of authenticator implementation. " + - "e.g., org.apache.hugegraph.auth.StandardAuthenticator, " + - "or org.apache.hugegraph.auth.ConfigAuthenticator.", + "e.g., org.apache.hugegraph.auth.StandardAuthenticator.", null, "" ); 
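Review bot: In `checkBackendVersionOrExit`, replacing `AUTH_ADMIN_TOKEN` with `ADMIN_PA` silently changes which secret initialises the admin user on non-persistent backends: a server that set `auth.admin_token`, or relied on its UUID default, now gets the value of `auth.admin_pa`, whose default in ServerOptions is `pa`. Nothing in the visible hunk tells the operator that the old key is ignored or that the default is in use. I would add a guard before the `try`, for example `E.checkArgument(!"pa".equals(adminPassword), "Please set 'auth.admin_pa' before starting with authentication enabled");`, or at minimum a warning log. `E` is used elsewhere in this module, but its import in GraphManager is not visible here, and the method body continues outside the hunk.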
@@ -59,24 +58,6 @@ public static synchronized AuthOptions instance() { "hugegraph" ); - public static final ConfigOption AUTH_ADMIN_TOKEN = - new ConfigOption<>( - "auth.admin_token", - "Token for administrator operations, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "162f7848-0b6d-4faf-b557-3a0797869c55" - ); - - public static final ConfigListOption AUTH_USER_TOKENS = - new ConfigListOption<>( - "auth.user_tokens", - "The map of user tokens with name and password, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "hugegraph:9fd95c9c-711b-415b-b85f-d4df46ba5c31" - ); - public static final ConfigOption AUTH_REMOTE_URL = new ConfigOption<>( "auth.remote_url", diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/options/AuthOptions.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/options/AuthOptions.java index 3ae732e2e2..c61946ae8b 100644 --- a/hugegraph-struct/src/main/java/org/apache/hugegraph/options/AuthOptions.java +++ b/hugegraph-struct/src/main/java/org/apache/hugegraph/options/AuthOptions.java @@ -19,7 +19,6 @@ package org.apache.hugegraph.options; -import org.apache.hugegraph.config.ConfigListOption; import org.apache.hugegraph.config.ConfigOption; import org.apache.hugegraph.config.OptionHolder; @@ -82,8 +81,7 @@ public static synchronized AuthOptions instance() { new ConfigOption<>( "auth.authenticator", "The class path of authenticator implementation. " + - "e.g., org.apache.hugegraph.auth.StandardAuthenticator, " + - "or org.apache.hugegraph.auth.ConfigAuthenticator.", + "e.g., org.apache.hugegraph.auth.StandardAuthenticator.", null, "" ); 
@@ -97,24 +95,6 @@ public static synchronized AuthOptions instance() { "hugegraph" ); - public static final ConfigOption AUTH_ADMIN_TOKEN = - new ConfigOption<>( - "auth.admin_token", - "Token for administrator operations, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "162f7848-0b6d-4faf-b557-3a0797869c55" - ); - - public static final ConfigListOption AUTH_USER_TOKENS = - new ConfigListOption<>( - "auth.user_tokens", - "The map of user tokens with name and password, " + - "only for org.apache.hugegraph.auth.ConfigAuthenticator.", - disallowEmpty(), - "hugegraph:9fd95c9c-711b-415b-b85f-d4df46ba5c31" - ); - public static final ConfigOption AUTH_REMOTE_URL = new ConfigOption<>( "auth.remote_url",