[fix] Add token as authentication for python gateway (#12893)

zhongjiajie · web-flow · commit 6d8befa0752c · 2022-11-14T18:43:08.000+08:00
separate from #6407. Authentication, add secret to ensure only trusted people could connect to gateway. fix: #8255
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/configuration/PythonGatewayConfiguration.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/configuration/PythonGatewayConfiguration.java
@@ -17,13 +17,14 @@
 
 package org.apache.dolphinscheduler.api.configuration;
 
+import lombok.Data;
+
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.stereotype.Component;
+import org.springframework.context.annotation.Configuration;
 
-@Component
-@EnableConfigurationProperties
-@ConfigurationProperties(value = "python-gateway", ignoreUnknownFields = false)
+@Data
+@Configuration
+@ConfigurationProperties(value = "python-gateway")
 public class PythonGatewayConfiguration {
 
     private boolean enabled;
@@ -33,60 +34,5 @@ public class PythonGatewayConfiguration {
     private int pythonPort;
     private int connectTimeout;
     private int readTimeout;
-
-    public boolean getEnabled() {
-        return enabled;
-    }
-
-    public void setEnabled(boolean enabled) {
-        this.enabled = enabled;
-    }
-
-    public String getGatewayServerAddress() {
-        return gatewayServerAddress;
-    }
-
-    public void setGatewayServerAddress(String gatewayServerAddress) {
-        this.gatewayServerAddress = gatewayServerAddress;
-    }
-
-    public int getGatewayServerPort() {
-        return gatewayServerPort;
-    }
-
-    public void setGatewayServerPort(int gatewayServerPort) {
-        this.gatewayServerPort = gatewayServerPort;
-    }
-
-    public String getPythonAddress() {
-        return pythonAddress;
-    }
-
-    public void setPythonAddress(String pythonAddress) {
-        this.pythonAddress = pythonAddress;
-    }
-
-    public int getPythonPort() {
-        return pythonPort;
-    }
-
-    public void setPythonPort(int pythonPort) {
-        this.pythonPort = pythonPort;
-    }
-
-    public int getConnectTimeout() {
-        return connectTimeout;
-    }
-
-    public void setConnectTimeout(int connectTimeout) {
-        this.connectTimeout = connectTimeout;
-    }
-
-    public int getReadTimeout() {
-        return readTimeout;
-    }
-
-    public void setReadTimeout(int readTimeout) {
-        this.readTimeout = readTimeout;
-    }
+    private String authToken;
 }
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/python/PythonGateway.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/python/PythonGateway.java
@@ -62,8 +62,10 @@
 import org.apache.dolphinscheduler.spi.enums.ResourceType;
 
 import py4j.GatewayServer;
+import py4j.GatewayServer.GatewayServerBuilder;
 
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.io.IOException;
 import java.net.InetAddress;
@@ -657,28 +659,27 @@ public Integer createOrUpdateResource(
 
     @PostConstruct
     public void init() {
-        if (pythonGatewayConfiguration.getEnabled()) {
+        if (pythonGatewayConfiguration.isEnabled()) {
             this.start();
         }
     }
 
     private void start() {
-        GatewayServer server;
         try {
             InetAddress gatewayHost = InetAddress.getByName(pythonGatewayConfiguration.getGatewayServerAddress());
-            InetAddress pythonHost = InetAddress.getByName(pythonGatewayConfiguration.getPythonAddress());
-            server = new GatewayServer(
-                    this,
-                    pythonGatewayConfiguration.getGatewayServerPort(),
-                    pythonGatewayConfiguration.getPythonPort(),
-                    gatewayHost,
-                    pythonHost,
-                    pythonGatewayConfiguration.getConnectTimeout(),
-                    pythonGatewayConfiguration.getReadTimeout(),
-                    null);
+            GatewayServerBuilder serverBuilder = new GatewayServer.GatewayServerBuilder()
+                    .entryPoint(this)
+                    .javaAddress(gatewayHost)
+                    .javaPort(pythonGatewayConfiguration.getGatewayServerPort())
+                    .connectTimeout(pythonGatewayConfiguration.getConnectTimeout())
+                    .readTimeout(pythonGatewayConfiguration.getReadTimeout());
+            if (!StringUtils.isEmpty(pythonGatewayConfiguration.getAuthToken())) {
+                serverBuilder.authToken(pythonGatewayConfiguration.getAuthToken());
+            }
+
             GatewayServer.turnLoggingOn();
             logger.info("PythonGatewayService started on: " + gatewayHost.toString());
-            server.start();
+            serverBuilder.build().start();
         } catch (UnknownHostException e) {
             logger.error("exception occurred while constructing PythonGatewayService().", e);
         }
diff --git a/dolphinscheduler-api/src/main/resources/application.yaml b/dolphinscheduler-api/src/main/resources/application.yaml
@@ -127,6 +127,9 @@ metrics:
 python-gateway:
   # Weather enable python gateway server or not. The default value is true.
   enabled: true
+  # Authentication token for connection from python api to python gateway server. Should be changed the default value
+  # when you deploy in public network.
+  auth-token: jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc
   # The address of Python gateway server start. Set its value to `0.0.0.0` if your Python API run in different
   # between Python gateway server. It could be be specific to other address like `127.0.0.1` or `localhost`
   gateway-server-address: 0.0.0.0
diff --git a/dolphinscheduler-standalone-server/src/main/resources/application.yaml b/dolphinscheduler-standalone-server/src/main/resources/application.yaml
@@ -188,6 +188,9 @@ alert:
 python-gateway:
   # Weather enable python gateway server or not. The default value is true.
   enabled: true
+  # Authentication token for connection from python api to python gateway server. Should be changed the default value
+  # when you deploy in public network.
+  auth-token: jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc
   # The address of Python gateway server start. Set its value to `0.0.0.0` if your Python API run in different
   # between Python gateway server. It could be be specific to other address like `127.0.0.1` or `localhost`
   gateway-server-address: 0.0.0.0
