Add optional HTTP Basic Authentication

mbabineau · Oct 8, 2014 · 7f4e1a3 · 7f4e1a3
1 parent 16024f8
commit 7f4e1a3
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,7 @@ FROM thefactory/java
 MAINTAINER Mike Babineau [email protected]
 
 # Get ZK
-ADD http://www.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz /tmp/zookeeper-3.4.6.tar.gz
+RUN curl -o /tmp/zookeeper-3.4.6.tar.gz http://www.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz
 RUN tar -xzf /tmp/zookeeper-3.4.6.tar.gz -C /opt && rm /tmp/zookeeper-3.4.6.tar.gz
 RUN ln -s /opt/zookeeper-3.4.6 /opt/zookeeper
 RUN mkdir /opt/zookeeper/transactions /opt/zookeeper/snapshots
@@ -21,8 +21,11 @@ RUN ln -s /opt/exhibitor/target/exhibitor-1.0-jar-with-dependencies.jar /opt/exh
 # Add the wrapper script to setup configs and exec exhibitor
 ADD include/wrapper.sh /opt/exhibitor/wrapper.sh
 
+# Add the optional web.xml for authentication
+ADD include/web.xml /opt/exhibitor/web.xml
+
 USER root
 WORKDIR /opt/exhibitor
 EXPOSE 2181 2888 3888 8181
 
-ENTRYPOINT ["bash", "-ex", "/opt/exhibitor/wrapper.sh"]
+ENTRYPOINT ["bash", "-ex", "/opt/exhibitor/wrapper.sh"]
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ The container expects the following environment variables to be passed in:
 * `AWS_SECRET_ACCESS_KEY` - secret key for `AWS_ACCESS_KEY_ID`
 * `HOSTNAME` - addressable hostname for this node (Exhibitor will forward users of the UI to this address)
 * `AWS_REGION` - (optional) the AWS region of the S3 bucket (defaults to `us-west-2`)
+* `ZK_PASSWORD` - (optional) the HTTP Basic Auth password for the "zk" user
 
 Starting the container:
 

diff --git a/include/web.xml b/include/web.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+    version="2.5">
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>A Protected Page</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>zk</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>A Protected Page</web-resource-name>
+            <url-pattern>/exhibitor/v1/cluster/state</url-pattern>
+        </web-resource-collection>
+    </security-constraint>
+
+    <security-role>
+        <role-name>zk</role-name>
+    </security-role>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>Zookeeper</realm-name>
+    </login-config>
+</web-app>
diff --git a/include/wrapper.sh b/include/wrapper.sh
@@ -36,10 +36,15 @@ cat <<- EOF > /opt/exhibitor/credentials.properties
 	com.netflix.exhibitor.s3.access-secret-key=${AWS_SECRET_ACCESS_KEY}
 EOF
 
+if [[ -n ${ZK_PASSWORD} ]]; then
+	SECURITY="--security web.xml --realm Zookeeper:realm --remoteauth basic:zk"
+	echo "zk: ${ZK_PASSWORD},zk" > realm
+fi
+
 exec 2>&1
 
 # If we use exec and this is the docker entrypoint, Exhibitor fails to kill the ZK process on restart.
-# If we use /bin/bash as the entrypoint and run wrapper.sh by hand, we do not see this behavior. I suspect 
+# If we use /bin/bash as the entrypoint and run wrapper.sh by hand, we do not see this behavior. I suspect
 # some init or PID-related shenanigans, but I'm punting on further troubleshooting for now since dropping
 # the "exec" fixes it.
 #
@@ -53,4 +58,5 @@ java -jar /opt/exhibitor/exhibitor.jar \
 	--port 8181 --defaultconfig /opt/exhibitor/defaults.conf \
 	--configtype s3 --s3config ${S3_BUCKET}:${S3_PREFIX} \
 	--s3credentials /opt/exhibitor/credentials.properties \
-	--s3region ${AWS_REGION} --s3backup true --hostname ${HOSTNAME}
+	--s3region ${AWS_REGION} --s3backup true --hostname ${HOSTNAME} \
+	${SECURITY}