CB-18258 Generate ECDSA based access key if it is enabled in UMS and packages on image support it.

Author: foldik

auth-connector/src/generated/main/java/com/cloudera/thunderhead/service/usermanagement/UserManagementProto.java

@@ -1,5 +1,6 @@
 package com.sequenceiq.cloudbreak.auth.altus;
 
+import static com.sequenceiq.cloudbreak.auth.altus.model.Entitlement.ACCESS_KEY_ECDSA;
 import static com.sequenceiq.cloudbreak.auth.altus.model.Entitlement.AUDIT_ARCHIVING_GCP;
 import static com.sequenceiq.cloudbreak.auth.altus.model.Entitlement.CDP_ALLOW_DIFFERENT_DATAHUB_VERSION_THAN_DATALAKE;
 import static com.sequenceiq.cloudbreak.auth.altus.model.Entitlement.CDP_ALLOW_HA_REPAIR;
@@ -558,6 +559,10 @@ public boolean isLongTimeBackupEnabled(String accountId) {
         return isEntitlementRegistered(accountId, CDP_DATALAKE_BACKUP_LONG_TIMEOUT);
     }
 
+    public boolean isECDSABasedAccessKeyEnabled(String accountId) {
+        return isEntitlementRegistered(accountId, ACCESS_KEY_ECDSA);
+    }
+
     public List<String> getEntitlements(String accountId) {
         Account accountDetails = umsClient.getAccountDetails(
                 accountId,

auth-connector/src/main/java/com/sequenceiq/cloudbreak/auth/altus/EntitlementService.java

@@ -1,4 +1,4 @@
-package com.sequenceiq.common.api.telemetry.model;
+package com.sequenceiq.cloudbreak.auth.altus.model;
 
 public enum CdpAccessKeyType {
     ED25519("Ed25519"), ECDSA("ECDSA"), RSA("RSA");

common-model/src/main/java/com/sequenceiq/common/api/telemetry/model/CdpAccessKeyType.java auth-connector/src/main/java/com/sequenceiq/cloudbreak/auth/altus/model/CdpAccessKeyType.java

@@ -114,5 +114,6 @@ public enum Entitlement {
     CDP_POSTGRES_UPGRADE_EMBEDDED,
     CDP_POSTGRES_UPGRADE_EXCEPTION,
     CDP_USERSYNC_SPLIT_FREEIPA_USER_RETRIEVAL,
-    CDP_DATALAKE_BACKUP_LONG_TIMEOUT
+    CDP_DATALAKE_BACKUP_LONG_TIMEOUT,
+    ACCESS_KEY_ECDSA
 }

auth-connector/src/main/java/com/sequenceiq/cloudbreak/auth/altus/model/Entitlement.java

@@ -0,0 +1,48 @@
+package com.sequenceiq.cloudbreak.auth.altus.model;
+
+public class MachineUserRequest {
+
+    private String name;
+
+    private String actorCrn;
+
+    private String accountId;
+
+    private CdpAccessKeyType cdpAccessKeyType;
+
+    public String getName() {
+        return name;
+    }
+
+    public MachineUserRequest setName(String name) {
+        this.name = name;
+        return this;
+    }
+
+    public String getActorCrn() {
+        return actorCrn;
+    }
+
+    public MachineUserRequest setActorCrn(String actorCrn) {
+        this.actorCrn = actorCrn;
+        return this;
+    }
+
+    public String getAccountId() {
+        return accountId;
+    }
+
+    public MachineUserRequest setAccountId(String accountId) {
+        this.accountId = accountId;
+        return this;
+    }
+
+    public CdpAccessKeyType getCdpAccessKeyType() {
+        return cdpAccessKeyType;
+    }
+
+    public MachineUserRequest setCdpAccessKeyType(CdpAccessKeyType cdpAccessKeyType) {
+        this.cdpAccessKeyType = cdpAccessKeyType;
+        return this;
+    }
+}

auth-connector/src/main/java/com/sequenceiq/cloudbreak/auth/altus/model/MachineUserRequest.java

@@ -12,6 +12,8 @@
 import com.cloudera.thunderhead.service.usermanagement.UserManagementProto;
 import com.sequenceiq.cloudbreak.auth.altus.GrpcUmsClient;
 import com.sequenceiq.cloudbreak.auth.altus.model.AltusCredential;
+import com.sequenceiq.cloudbreak.auth.altus.model.CdpAccessKeyType;
+import com.sequenceiq.cloudbreak.auth.altus.model.MachineUserRequest;
 import com.sequenceiq.cloudbreak.auth.crn.RegionAwareInternalCrnGeneratorFactory;
 import com.sequenceiq.common.api.telemetry.model.AnonymizationRule;
 
@@ -55,32 +57,30 @@ public AltusCredential generateMachineUserWithAccessKeyForLegacyCm(String machin
     /**
      * Generate databus machine user with access keys
      */
-    public Optional<AltusCredential> generateDatabusMachineUserWithAccessKey(String machineUserName, String actorCrn, String accountId,
-            boolean useSharedCredential) {
+    public Optional<AltusCredential> generateDatabusMachineUserWithAccessKey(MachineUserRequest machineUserRequest, boolean useSharedCredential) {
         return Optional.ofNullable(sharedAltusCredentialProvider.getSharedCredentialIfConfigured(useSharedCredential)
                 .orElse(umsClient.createMachineUserAndGenerateKeys(
-                        machineUserName,
-                        actorCrn,
-                        accountId,
-                        roleCrnGenerator.getBuiltInDatabusRoleCrn(accountId),
+                        machineUserRequest.getName(),
+                        machineUserRequest.getActorCrn(),
+                        machineUserRequest.getAccountId(),
+                        roleCrnGenerator.getBuiltInDatabusRoleCrn(machineUserRequest.getAccountId()),
                         Collections.emptyMap(),
-                        UserManagementProto.AccessKeyType.Value.ED25519,
+                        mapToAccessKeyType(machineUserRequest.getCdpAccessKeyType()),
                         regionAwareInternalCrnGeneratorFactory)));
     }
 
     /**
      * Generate monitoring machine user with access keys
      */
-    public Optional<AltusCredential> generateMonitoringMachineUserWithAccessKey(String machineUserName, String actorCrn, String accountId,
-            boolean useSharedCredential) {
+    public Optional<AltusCredential> generateMonitoringMachineUserWithAccessKey(MachineUserRequest machineUserRequest, boolean useSharedCredential) {
         return Optional.ofNullable(sharedAltusCredentialProvider.getSharedCredentialIfConfigured(useSharedCredential)
                 .orElse(umsClient.createMachineUserAndGenerateKeys(
-                        machineUserName,
-                        actorCrn,
-                        accountId,
-                        roleCrnGenerator.getBuiltInDatabusRoleCrn(accountId),
+                        machineUserRequest.getName(),
+                        machineUserRequest.getActorCrn(),
+                        machineUserRequest.getAccountId(),
+                        roleCrnGenerator.getBuiltInDatabusRoleCrn(machineUserRequest.getAccountId()),
                         Collections.emptyMap(),
-                        UserManagementProto.AccessKeyType.Value.ED25519,
+                        mapToAccessKeyType(machineUserRequest.getCdpAccessKeyType()),
                         regionAwareInternalCrnGeneratorFactory)));
     }
 
@@ -141,4 +141,17 @@ public void clearMachineUser(String machineUserName, String actorCrn, String acc
     public List<UserManagementProto.MachineUser> getAllMachineUsersForAccount(String accountId) {
         return umsClient.listAllMachineUsers(accountId, true, true, regionAwareInternalCrnGeneratorFactory);
     }
+
+    private UserManagementProto.AccessKeyType.Value mapToAccessKeyType(CdpAccessKeyType cdpAccessKeyType) {
+        switch (cdpAccessKeyType) {
+            case ED25519:
+                return UserManagementProto.AccessKeyType.Value.ED25519;
+            case RSA:
+                return UserManagementProto.AccessKeyType.Value.RSA;
+            case ECDSA:
+                return UserManagementProto.AccessKeyType.Value.ECDSA;
+            default:
+                return UserManagementProto.AccessKeyType.Value.ED25519;
+        }
+    }
 }

auth-connector/src/main/java/com/sequenceiq/cloudbreak/auth/altus/service/AltusIAMService.java

@@ -732,6 +732,9 @@ message AccessKeyType {
     // Private keys are 32 bytes encoded in base64 (44 bytes)
     // Public keys are 32 bytes
     ED25519 = 2;
+    // Private keys are encoded in PKCS#8
+    // Public keys are encoded in X.509
+    ECDSA = 3;
   }
 }
 

auth-connector/src/main/proto/usermanagement.proto

@@ -23,7 +23,7 @@ public abstract class CdpCredential implements Serializable {
     private String privateKey;
 
     @JsonProperty("accessKeyType")
-    private String accessKeyType;
+    private String accessKeyType = "Ed25519";
 
     public String getMachineUserName() {
         return machineUserName;

common-model/src/main/java/com/sequenceiq/common/api/telemetry/model/CdpCredential.java

@@ -0,0 +1,45 @@
+package com.sequenceiq.cloudbreak.telemetry;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.lang3.tuple.Pair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import com.sequenceiq.cloudbreak.common.type.Versioned;
+import com.sequenceiq.cloudbreak.util.VersionComparator;
+
+@Component
+public class TelemetryFeatureService {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(TelemetryFeatureService.class);
+
+    private static final List<Pair<String, Versioned>> ECDSA_PACKAGE_VERSION_REQUIREMENTS = List.of(
+            Pair.of("cdp-logging-agent", () -> "0.3.3"),
+            Pair.of("cdp-request-signer", () -> "0.2.3"),
+            Pair.of("cdp-telemetry", () -> "0.4.30"));
+
+    public boolean isECDSAAccessKeyTypeSupported(Map<String, String> packages) {
+        if (packages == null) {
+            return false;
+        }
+        for (Pair<String, Versioned> packageWithVersion : ECDSA_PACKAGE_VERSION_REQUIREMENTS) {
+            String packageName = packageWithVersion.getKey();
+            Versioned minimumVersion = packageWithVersion.getValue();
+            if (!packages.containsKey(packageName)) {
+                LOGGER.info("Image doesn't contain {} package which is required for ECDSA.", packageName);
+                return false;
+            }
+            String packageVersion = packages.get(packageName);
+            if (new VersionComparator().compare(() -> packageVersion, minimumVersion) < 0) {
+                LOGGER.info("{} package's version {} is smaller than {}. Therefore ECDSA based access key is not enabled.",
+                        packageName, packageVersion, minimumVersion.getVersion());
+                return false;
+            }
+        }
+        LOGGER.info("ECDSA based access key type is enabled by package versions.");
+        return true;
+    }
+}

common/src/main/java/com/sequenceiq/cloudbreak/telemetry/TelemetryFeatureService.java

@@ -0,0 +1,17 @@
+package com.sequenceiq.cloudbreak.telemetry;
+
+import java.util.stream.Collectors;
+
+public class UMSSecretKeyFormatter {
+
+    private UMSSecretKeyFormatter() {
+    }
+
+    public static String formatSecretKey(String keyType, String secretKey) {
+        if ("ECDSA".equals(keyType)) {
+            return secretKey.trim().lines().collect(Collectors.joining("\\n"));
+        } else {
+            return secretKey;
+        }
+    }
+}

common/src/main/java/com/sequenceiq/cloudbreak/telemetry/UMSSecretKeyFormatter.java

@@ -6,28 +6,31 @@
 import org.springframework.stereotype.Service;
 
 import com.sequenceiq.cloudbreak.telemetry.TelemetryPillarConfigGenerator;
+import com.sequenceiq.cloudbreak.telemetry.UMSSecretKeyFormatter;
 import com.sequenceiq.cloudbreak.telemetry.context.DatabusContext;
 import com.sequenceiq.cloudbreak.telemetry.context.TelemetryContext;
-import com.sequenceiq.common.api.telemetry.model.CdpAccessKeyType;
 import com.sequenceiq.common.api.telemetry.model.DataBusCredential;
 
 @Service
 public class DatabusConfigService implements TelemetryPillarConfigGenerator<DatabusConfigView> {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(DatabusConfigService.class);
 
+    private static final String ED25519 = "Ed25519";
+
     private static final String SALT_STATE = "databus";
 
     @Override
     public DatabusConfigView createConfigs(TelemetryContext context) {
         final DatabusContext databusContext = context.getDatabusContext();
         final DataBusCredential dataBusCredential = databusContext.getCredential();
+        String accessKeySecretAlgorithm = StringUtils.defaultIfBlank(dataBusCredential.getAccessKeyType(), ED25519);
         return new DatabusConfigView.Builder()
                 .withEnabled(databusContext.isEnabled())
                 .withEndpoint(databusContext.getEndpoint())
                 .withAccessKeyId(dataBusCredential.getAccessKey())
-                .withAccessKeySecret(dataBusCredential.getPrivateKey().toCharArray())
-                .withAccessKeySecretAlgorithm(StringUtils.defaultIfBlank(dataBusCredential.getAccessKeyType(), CdpAccessKeyType.ED25519.getValue()))
+                .withAccessKeySecret(UMSSecretKeyFormatter.formatSecretKey(accessKeySecretAlgorithm, dataBusCredential.getPrivateKey()).toCharArray())
+                .withAccessKeySecretAlgorithm(accessKeySecretAlgorithm)
                 .build();
     }
 

common/src/main/java/com/sequenceiq/cloudbreak/telemetry/databus/DatabusConfigService.java

@@ -6,15 +6,17 @@
 import org.springframework.stereotype.Service;
 
 import com.sequenceiq.cloudbreak.telemetry.TelemetryPillarConfigGenerator;
+import com.sequenceiq.cloudbreak.telemetry.UMSSecretKeyFormatter;
 import com.sequenceiq.cloudbreak.telemetry.context.MonitoringContext;
 import com.sequenceiq.cloudbreak.telemetry.context.TelemetryContext;
-import com.sequenceiq.common.api.telemetry.model.CdpAccessKeyType;
 
 @Service
 public class MonitoringConfigService implements TelemetryPillarConfigGenerator<MonitoringConfigView> {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(MonitoringConfigService.class);
 
+    private static final String ED25519 = "Ed25519";
+
     private static final String SALT_STATE = "monitoring";
 
     private final MonitoringConfiguration monitoringConfiguration;
@@ -50,9 +52,10 @@ public MonitoringConfigView createConfigs(TelemetryContext context) {
         builder.withMinBackoff(monitoringConfiguration.getAgent().getMinBackoff());
         builder.withMaxBackoff(monitoringConfiguration.getAgent().getMaxBackoff());
         if (monitoringContext.getCredential() != null) {
+            String accessKeyType = StringUtils.defaultIfBlank(monitoringContext.getCredential().getAccessKeyType(), ED25519);
             builder.withAccessKeyId(monitoringContext.getCredential().getAccessKey())
-                    .withPrivateKey(monitoringContext.getCredential().getPrivateKey().toCharArray())
-                    .withAccessKeyType(StringUtils.defaultIfBlank(monitoringContext.getCredential().getAccessKeyType(), CdpAccessKeyType.ED25519.getValue()));
+                    .withPrivateKey(UMSSecretKeyFormatter.formatSecretKey(accessKeyType, monitoringContext.getCredential().getPrivateKey()).toCharArray())
+                    .withAccessKeyType(accessKeyType);
         }
         fillExporterConfigs(builder, monitoringContext.getSharedPassword());
         fillRequestSignerConfigs(monitoringConfiguration.getRequestSigner(), builder);

common/src/main/java/com/sequenceiq/cloudbreak/telemetry/monitoring/MonitoringConfigService.java

@@ -283,7 +283,7 @@ public Map<String, Object> toMap() {
         map.put("token", this.token != null ? new String(this.token) : EMPTY_CONFIG_DEFAULT);
         map.put("monitoringAccessKeyId", defaultIfNull(this.accessKeyId, EMPTY_CONFIG_DEFAULT));
         map.put("monitoringPrivateKey", this.privateKey != null ? new String(this.privateKey) : EMPTY_CONFIG_DEFAULT);
-        map.put("accessKeyType", defaultIfNull(this.accessKeyType, EMPTY_CONFIG_DEFAULT));
+        map.put("monitoringAccessKeyType", defaultIfNull(this.accessKeyType, EMPTY_CONFIG_DEFAULT));
         if (this.clusterDetails != null) {
             map.putAll(clusterDetails.toMap());
         }

common/src/main/java/com/sequenceiq/cloudbreak/telemetry/monitoring/MonitoringConfigView.java

@@ -0,0 +1,29 @@
+package com.sequenceiq.cloudbreak.telemetry;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+class UMSSecretKeyFormatterTest {
+
+    @Test
+    public void testECDSAKeyIsFormattedInOneLine() {
+        String secretKey = "-----BEGIN PRIVATE KEY-----\n" +
+                "MIH3AgEAMBAGByqGSM49AgEGBSuBBAAjBIHfMIHcAgEBBEIA/aEOb3cox2HlI8OV\n" +
+                "citV0heZE3++uAu2HmkwNEMBMRDOGuSw+9YaoAc+k0nioxJZ/IRCt7KGkT2Zm5rO\n" +
+                "j6KS67agBwYFK4EEACOhgYkDgYYABAA798mhJb0V24eOfLmSpo4Odp+dgdc6DqlE\n" +
+                "piZXdHME1CvU96nPax8KUYG776GrqQsmSk36SjdiqYyNVnUGqHTOYgBPhaOX8JU0\n" +
+                "HlP8C4GzBCBoIJGE+ItGil6gO44Xzd3Phs8gnUOb2uhJKJ9niim1UCgT3UKk5HaY\n" +
+                "PDIxdZ0cCY/W0Q==\n" +
+                "-----END PRIVATE KEY-----";
+        assertEquals("-----BEGIN PRIVATE KEY-----\\n" +
+                "MIH3AgEAMBAGByqGSM49AgEGBSuBBAAjBIHfMIHcAgEBBEIA/aEOb3cox2HlI8OV\\n" +
+                "citV0heZE3++uAu2HmkwNEMBMRDOGuSw+9YaoAc+k0nioxJZ/IRCt7KGkT2Zm5rO\\n" +
+                "j6KS67agBwYFK4EEACOhgYkDgYYABAA798mhJb0V24eOfLmSpo4Odp+dgdc6DqlE\\n" +
+                "piZXdHME1CvU96nPax8KUYG776GrqQsmSk36SjdiqYyNVnUGqHTOYgBPhaOX8JU0\\n" +
+                "HlP8C4GzBCBoIJGE+ItGil6gO44Xzd3Phs8gnUOb2uhJKJ9niim1UCgT3UKk5HaY\\n" +
+                "PDIxdZ0cCY/W0Q==\\n" +
+                "-----END PRIVATE KEY-----", UMSSecretKeyFormatter.formatSecretKey("ECDSA", secretKey));
+    }
+
+}

common/src/test/java/com/sequenceiq/cloudbreak/telemetry/UMSSecretKeyFormatterTest.java

@@ -105,7 +105,7 @@ public void testCreateConfigs() {
         // THEN
         assertEquals("myendpoint", result.get("remoteWriteUrl"));
         assertEquals(true, result.get("cmAutoTls"));
-        assertEquals(ACCESS_KEY_TYPE, result.get("accessKeyType"));
+        assertEquals(ACCESS_KEY_TYPE, result.get("monitoringAccessKeyType"));
         assertEquals(true, result.get("enabled"));
         assertEquals("user", result.get("cmUsername"));
         assertEquals(1000, result.get("blackboxExporterClouderaIntervalSeconds"));

common/src/test/java/com/sequenceiq/cloudbreak/telemetry/monitoring/MonitoringConfigServiceTest.java

@@ -548,17 +548,6 @@ private void addClouderaManagerConfig(StackDto stackDto, Map<String, SaltPillarP
         servicePillar.putAll(createPillarWithClouderaManagerSettings(clouderaManagerRepo, stackDto, primaryGatewayConfig));
     }
 
-    private <T> T convertOrReturnNull(String value, Class<T> type) {
-        if (StringUtils.isNotBlank(value)) {
-            try {
-                return new Json(value).get(type);
-            } catch (IOException e) {
-                LOGGER.error("Cannot read {} from cluster entity. Continue without value.", type.getSimpleName(), e);
-            }
-        }
-        return null;
-    }
-
     private VirtualGroupRequest getVirtualGroupRequest(String virtualGroupsEnvironmentCrn, Optional<LdapView> ldapView) {
         String adminGroup = ldapView.isPresent() ? ldapView.get().getAdminGroup() : "";
         return new VirtualGroupRequest(virtualGroupsEnvironmentCrn, adminGroup);