Add credential loading based on Configuration (either metadata server…
… or P12 keyfiles). By default, integration tests will not use any credentials. The jenkins instance has already been updated with new OAuth scopes and the system property -Dgoogle.anviltop.auth.service.account.enable can be set to true to get metadata server based credentials.
Angus Davis
committed
Oct 29, 2014
1 parent
180ec5b
commit 57aa880
Showing
5 changed files
with
241 additions
and
4 deletions.
127 changes: 127 additions & 0 deletions
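--- a/src/main/java/com/google/cloud/anviltop/hbase/CredentialFactory.java
+++ b/src/main/java/com/google/cloud/anviltop/hbase/CredentialFactory.java
@@ -0,0 +1,127 @@
+package com.google.cloud.anviltop.hbase;
+
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.compute.ComputeCredential;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.common.collect.ImmutableList;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.List;
+
+/**
+* Simple factory for creating OAuth Credential objects for use with anviltop.
+*/
+public class CredentialFactory {
+
+/**
+* The OAuth scope required to perform administrator actions such as creating tables.
+*/
+public static final String CLOUD_BIGTABLE_ADMIN_SCOPE =
+"https://www.googleapis.com/auth/cloud-bigtable.admin";
+/**
+* The OAuth scope required to read data from tables.
+*/
+public static final String CLOUD_BIGTABLE_READER_SCOPE =
+"https://www.googleapis.com/auth/cloud-bigtable.data.readonly";
+/**
+* The OAuth scope required to write data to tables.
+*/
+public static final String CLOUD_BIGTABLE_WRITER_SCOPE =
+"https://www.googleapis.com/auth/cloud-bigtable.data";
+
+/**
+* Scopes required to read and write data from tables.
+*/
+public static final List<String> CLOUD_BIGTABLE_READ_WRITE_SCOPES =
+ImmutableList.of(
+CLOUD_BIGTABLE_READER_SCOPE,
+CLOUD_BIGTABLE_WRITER_SCOPE);
+
+/**
+* Scopes required for full access to cloud bigtable.
+*/
+public static final List<String> CLOUD_BIGTABLE_ALL_SCOPES =
+ImmutableList.of(
+CLOUD_BIGTABLE_READER_SCOPE,
+CLOUD_BIGTABLE_WRITER_SCOPE,
+CLOUD_BIGTABLE_ADMIN_SCOPE);
+
+// JSON factory used for formatting credential-handling payloads.
+private static final JsonFactory JSON_FACTORY = new JacksonFactory();
+
+// HTTP transport used for created credentials to perform token-refresh handshakes with remote
+// credential servers. Initialized lazily to move the possibility of throwing
+// GeneralSecurityException to the time a caller actually tries to get a credential.
+private static HttpTransport httpTransport = null;
+
+/**
+* Returns shared httpTransport instance; initializes httpTransport if it hasn't already been
+* initialized.
+*/
+private static synchronized HttpTransport getHttpTransport()
+throws IOException, GeneralSecurityException {
+if (httpTransport == null) {
+httpTransport = GoogleNetHttpTransport.newTrustedTransport();
+}
+return httpTransport;
+}
+
+/**
+* Initializes OAuth2 credential using preconfigured ServiceAccount settings on the local
+* GCE VM. See: <a href="https://developers.google.com/compute/docs/authentication"
+* >Authenticating from Google Compute Engine</a>.
+*/
+public static Credential getCredentialFromMetadataServiceAccount()
+throws IOException, GeneralSecurityException {
+Credential cred = new ComputeCredential(getHttpTransport(), JSON_FACTORY);
+try {
+cred.refreshToken();
+} catch (IOException e) {
+throw new IOException("Error getting access token from metadata server at: " +
+ComputeCredential.TOKEN_SERVER_ENCODED_URL, e);
+}
+return cred;
+}
+
+/**
+* Initializes OAuth2 credential from a private keyfile, as described in
+* <a href="https://code.google.com/p/google-api-java-client/wiki/OAuth2#Service_Accounts"
+* > OAuth2 Service Accounts</a>.
+*
+* @param serviceAccountEmail Email address of the service account associated with the keyfile.
+* @param privateKeyFile Full local path to private keyfile.
+*/
+public static Credential getCredentialFromPrivateKeyServiceAccount(
+String serviceAccountEmail, String privateKeyFile)
+throws IOException, GeneralSecurityException {
+return getCredentialFromPrivateKeyServiceAccount(
+serviceAccountEmail, privateKeyFile, CLOUD_BIGTABLE_ALL_SCOPES);
+}
+
+/**
+* Initializes OAuth2 credential from a private keyfile, as described in
+* <a href="https://code.google.com/p/google-api-java-client/wiki/OAuth2#Service_Accounts"
+* > OAuth2 Service Accounts</a>.
+*
+* @param serviceAccountEmail Email address of the service account associated with the keyfile.
+* @param privateKeyFile Full local path to private keyfile.
+* @param scopes List of well-formed desired scopes to use with the credential.
+*/
+public static Credential getCredentialFromPrivateKeyServiceAccount(
+String serviceAccountEmail, String privateKeyFile, List<String> scopes)
+throws IOException, GeneralSecurityException {
+return new GoogleCredential.Builder()
+.setTransport(getHttpTransport())
+.setJsonFactory(JSON_FACTORY)
+.setServiceAccountId(serviceAccountEmail)
+.setServiceAccountScopes(scopes)
+.setServiceAccountPrivateKeyFromP12File(new File(privateKeyFile))
+.build();
+}
+}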
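Review bot: The three-argument `getCredentialFromPrivateKeyServiceAccount` does no argument validation, so a null `privateKeyFile` (e.g. an unset configuration key) surfaces as a NullPointerException from `new File(privateKeyFile)` rather than a message naming the missing setting, and a null `serviceAccountEmail` or `scopes` is only discovered later when the credential is used; adding `Objects.requireNonNull(serviceAccountEmail, "serviceAccountEmail");` and `Objects.requireNonNull(privateKeyFile, "privateKeyFile");` at the top of the method (with a `java.util.Objects` import) makes misconfiguration fail fast at the point a keyfile path is taken from configuration. The public factory methods also lack `@return` and `@throws` Javadoc: `getCredentialFromMetadataServiceAccount` rewraps the refresh failure in a new IOException, and `getHttpTransport` can throw GeneralSecurityException from `newTrustedTransport()`, both of which callers need to know about. As a point of style, `CredentialFactory` is a static-only utility class but is neither `final` nor given a private constructor.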