remove default token (#5265)

* fix compile error

* fix token security

* fix token security

---------

Co-authored-by: aiceflower <kinsanities@sina.com>

Author: aiceflower

linkis-commons/linkis-common/src/main/scala/org/apache/linkis/common/conf/Configuration.scala

@@ -81,7 +81,7 @@ object Configuration extends Logging {
       "The request interface %s is abnormal. You can try to troubleshoot common problems in the knowledge base document"
     )
 
-  val LINKIS_TOKEN = CommonVars("wds.linkis.token", "LINKIS-AUTH")
+  val LINKIS_TOKEN = CommonVars("wds.linkis.token", "")
 
   val GLOBAL_CONF_CHN_NAME = "全局设置"
 

linkis-computation-governance/linkis-client/linkis-cli/src/test/resources/conf/linkis-cli.properties

@@ -17,7 +17,7 @@ wds.linkis.client.common.creator=LINKISCLI
 wds.linkis.client.common.gatewayUrl=http://127.0.0.1:9001
 wds.linkis.client.common.authStrategy=token
 wds.linkis.client.common.tokenKey=Validation-Code
-wds.linkis.client.common.tokenValue=LINKIS-AUTH
+wds.linkis.client.common.tokenValue=LINKIS-UNAVAILABLE-TOKEN
 wds.linkis.client.noncustomizable.enable.user.specification=true
 #wds.linkis.client.noncustomizable.enable.proxy.user=true
 #wds.linkis.client.common.submitUser

linkis-computation-governance/linkis-client/linkis-cli/src/test/resources/linkis-cli.properties

@@ -17,7 +17,7 @@
 wds.linkis.client.common.gatewayUrl=http://127.0.0.1:9001
 wds.linkis.client.common.authStrategy=token
 wds.linkis.client.common.tokenKey=Validation-Code
-wds.linkis.client.common.tokenValue=LINKIS-AUTH
+wds.linkis.client.common.tokenValue=LINKIS-UNAVAILABLE-TOKEN
 #
 #wds.linkis.client.common.submitUser
 #wds.linkis.client.common.submitPassword

linkis-computation-governance/linkis-client/linkis-computation-client/src/test/java/org/apache/linkis/ujes/client/JobObserveActionTest.scala

@@ -18,7 +18,7 @@
 package org.apache.linkis.ujes.client
 
 import org.apache.commons.io.IOUtils
-import org.apache.linkis.common.conf.CommonVars
+import org.apache.linkis.common.conf.{CommonVars, Configuration}
 import org.apache.linkis.httpclient.dws.authentication.{StaticAuthenticationStrategy, TokenAuthenticationStrategy}
 import org.apache.linkis.httpclient.dws.config.{DWSClientConfig, DWSClientConfigBuilder}
 import org.apache.linkis.ujes.client.request.{EmsListAction, JobExecuteAction, JobObserveAction, ResultSetAction}
@@ -29,7 +29,7 @@ import java.util.concurrent.TimeUnit
 @Deprecated
 object JobObserveActionTest extends App {
 
-  val bmlToken = CommonVars("wds.linkis.bml.auth.token.value", "LINKIS-AUTH").getValue
+  val bmlToken = CommonVars("wds.linkis.bml.auth.token.value", Configuration.LINKIS_TOKEN.getValue).getValue
 
   val clientConfig = DWSClientConfigBuilder.newBuilder()
     .addServerUrl("127.0.0.1:9001") // Change to test gateway address

linkis-dist/bin/install.sh

@@ -124,17 +124,34 @@ cp ${LINKIS_DB_CONFIG_PATH} $LINKIS_HOME/conf
 
 common_conf=$LINKIS_HOME/conf/linkis.properties
 
-RANDOM_BML_TOKEN="LINKIS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-RANDOM_WS_TOKEN="WS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-RANDOM_DSM_TOKEN="DSM-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-RANDOM_DSS_TOKEN="DSS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-RANDOM_QUALITIS_TOKEN="QUALITIS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-RANDOM_VALIDATOR_TOKEN="VALIDATOR-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
-if [ $DEBUG_MODE != "true" ];then
-  sed -i ${txt}  "s#LINKIS-AUTH#$RANDOM_BML_TOKEN#g" $LINKIS_HOME/conf/linkis-cli/linkis-cli.properties
-  sed -i ${txt}  "s#LINKIS-AUTH#$RANDOM_BML_TOKEN#g" $common_conf
-  sed -i ${txt}  "s#LINKIS-AUTH#$RANDOM_BML_TOKEN#g" $LINKIS_HOME/admin/configuration_helper.sh
-fi
+echo "======= SECURITY: Generating secure random tokens =========="
+
+# SECURITY: Generate secure random tokens for all services using new secure placeholders
+LINKIS_GATEWAY_TOKEN="LINKIS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+WS_SERVICE_TOKEN="WS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+DSM_SERVICE_TOKEN="DSM-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+DSS_SERVICE_TOKEN="DSS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+QUALITIS_SERVICE_TOKEN="QUALITIS-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+VALIDATOR_SERVICE_TOKEN="VALIDATOR-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+CLI_SERVICE_TOKEN="CLI-`cat /proc/sys/kernel/random/uuid | awk -F- '{print $1$2$3$4$5}'`"
+
+# SECURITY: Set secure user and host restrictions (no wildcards)
+echo "Generated secure tokens:"
+echo "- LINKIS Gateway Token: $LINKIS_GATEWAY_TOKEN"
+echo "- WS Service Token: $WS_SERVICE_TOKEN"
+echo "- DSM Service Token: $DSM_SERVICE_TOKEN"
+echo "- DSS Service Token: $DSS_SERVICE_TOKEN"
+echo "- QUALITIS Service Token: $QUALITIS_SERVICE_TOKEN"
+echo "- VALIDATOR Service Token: $VALIDATOR_SERVICE_TOKEN"
+echo "- CLI Service Token: $CLI_SERVICE_TOKEN"
+
+# SECURITY: Replace secure placeholders in all configuration files
+echo "Replacing secure placeholders in configuration files..."
+sed -i ${txt}  "s#LINKIS-UNAVAILABLE-TOKEN#$LINKIS_GATEWAY_TOKEN#g" $LINKIS_HOME/conf/linkis-cli/linkis-cli.properties 2>/dev/null || true
+sed -i ${txt}  "s#CLI-UNAVAILABLE-TOKEN#$CLI_SERVICE_TOKEN#g" $LINKIS_HOME/conf/linkis-cli/linkis-cli.properties 2>/dev/null || true
+sed -i ${txt}  "s#LINKIS-UNAVAILABLE-TOKEN#$LINKIS_GATEWAY_TOKEN#g" $common_conf 2>/dev/null || true
+sed -i ${txt}  "s#DSM-UNAVAILABLE-TOKEN#$DSM_SERVICE_TOKEN#g" $common_conf 2>/dev/null || true
+sed -i ${txt}  "s#LINKIS-UNAVAILABLE-TOKEN#$LINKIS_GATEWAY_TOKEN#g" $LINKIS_HOME/admin/configuration_helper.sh 2>/dev/null || true
 
 echo "======= Step 3: Create necessary directory =========="
 
@@ -219,13 +236,60 @@ dml_file_name=linkis_dml.sql
 if [[ 'postgresql' = "$dbType" ]];then
   dml_file_name=linkis_dml_pg.sql
 fi
-if [ $DEBUG_MODE != "true" ];then
-  sed -i ${txt}  "s#LINKIS-AUTH#$RANDOM_BML_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
-  sed -i ${txt}  "s#WS-AUTH#$RANDOM_WS_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
-  sed -i ${txt}  "s#DSM-AUTH#$RANDOM_DSM_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
-  sed -i ${txt}  "s#DSS-AUTH#$RANDOM_DSS_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
-  sed -i ${txt}  "s#QUALITIS-AUTH#$RANDOM_QUALITIS_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
-  sed -i ${txt}  "s#VALIDATOR-AUTH#$RANDOM_VALIDATOR_TOKEN#g" $LINKIS_HOME/db/${dml_file_name}
+echo "======= SECURITY: Replacing database placeholders with secure tokens =========="
+
+# SECURITY: Replace secure placeholders in database initialization file
+echo "Replacing secure placeholders in database file: $LINKIS_HOME/db/${dml_file_name}"
+sed -i ${txt}  "s#{{LINKIS_GATEWAY_TOKEN}}#$LINKIS_GATEWAY_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{WS_SERVICE_TOKEN}}#$WS_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{DSM_SERVICE_TOKEN}}#$DSM_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{DSS_SERVICE_TOKEN}}#$DSS_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{QUALITIS_SERVICE_TOKEN}}#$QUALITIS_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{VALIDATOR_SERVICE_TOKEN}}#$VALIDATOR_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{CLI_SERVICE_TOKEN}}#$CLI_SERVICE_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+# Replace old insecure placeholder token with secure gateway token
+sed -i ${txt}  "s#LINKIS-UNAVAILABLE-TOKEN#$LINKIS_GATEWAY_TOKEN#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+
+# SECURITY: Replace user and host placeholders with secure values
+sed -i ${txt}  "s#{{LINKIS_GATEWAY_USER}}#$LINKIS_GATEWAY_USER#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+sed -i ${txt}  "s#{{LINKIS_GATEWAY_HOST}}#$LINKIS_GATEWAY_HOST#g" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+
+echo "Database placeholder replacement completed."
+
+# SECURITY: Final verification - check for unreplaced placeholders
+remaining_placeholders=$(grep -o "{{[^}]*}}" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null | wc -l)
+if [ $remaining_placeholders -gt 0 ]; then
+  echo "WARNING: Found $remaining_placeholders unreplaced placeholders in database file!"
+  echo "SECURITY RISK: Please review $LINKIS_HOME/db/${dml_file_name} manually."
+  grep "{{[^}]*}}" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+else
+  echo "SUCCESS: All security placeholders in database file have been replaced with secure tokens."
+fi
+
+# SECURITY: Check for any remaining old insecure tokens
+old_tokens=$(grep -o "LINKIS-AUTH\|WS-AUTH\|DSS-AUTH\|QUALITIS-AUTH\|VALIDATOR-AUTH\|LINKISCLI-AUTH\|DSM-AUTH\|LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null | wc -l)
+if [ $old_tokens -gt 0 ]; then
+  echo "CRITICAL: Found $old_tokens old insecure tokens still in database file!"
+  echo "These should have been replaced with secure placeholders. Please check the file manually."
+  grep -o "LINKIS-AUTH\|WS-AUTH\|DSS-AUTH\|QUALITIS-AUTH\|VALIDATOR-AUTH\|LINKISCLI-AUTH\|DSM-AUTH\|LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/db/${dml_file_name} 2>/dev/null || true
+else
+  echo "SUCCESS: No old insecure tokens found in database file."
+fi
+
+# SECURITY: Final verification - check for unreplaced LINKIS-UNAVAILABLE-TOKEN in all configuration files
+echo "======= SECURITY: Final verification for remaining insecure tokens =========="
+remaining_insecure_config=$(grep -r "LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/conf/ 2>/dev/null | wc -l)
+remaining_insecure_admin=$(grep -o "LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/admin/configuration_helper.sh 2>/dev/null | wc -l)
+
+if [ $remaining_insecure_config -gt 0 ] || [ $remaining_insecure_admin -gt 0 ]; then
+  echo "WARNING: Found remaining LINKIS-UNAVAILABLE-TOKEN in configuration files!"
+  echo "Configuration files: $remaining_insecure_config occurrences"
+  echo "Admin scripts: $remaining_insecure_admin occurrences"
+  echo "SECURITY RISK: Please review these files manually:"
+  grep -r "LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/conf/ 2>/dev/null || true
+  grep -n "LINKIS-UNAVAILABLE-TOKEN" $LINKIS_HOME/admin/configuration_helper.sh 2>/dev/null || true
+else
+  echo "SUCCESS: All LINKIS-UNAVAILABLE-TOKEN placeholders have been replaced with secure tokens."
 fi
 
 

linkis-dist/helm/charts/linkis/templates/configmap-init-sql.yaml

@@ -1426,9 +1426,9 @@ data:
     INSERT INTO linkis_ps_error_code (error_code,error_desc,error_regex,error_type) VALUES ('91007','JobServer中不存在您的脚本文件，请将你的脚本文件放入对应的JobServer路径中', 'Could not open input file for reading%does not exist',0);
 
     -- ----------------------------
-    -- Default Tokens
+    -- Default Tokens 
     -- ----------------------------
-    REPLACE INTO `linkis_mg_gateway_auth_token`(`token_name`,`legal_users`,`legal_hosts`,`business_owner`,`create_time`,`update_time`,`elapse_day`,`update_by`) VALUES ('LINKIS-AUTH','*','*','BDP',curdate(),curdate(),-1,'LINKIS');
+    REPLACE INTO `linkis_mg_gateway_auth_token`(`token_name`,`legal_users`,`legal_hosts`,`business_owner`,`create_time`,`update_time`,`elapse_day`,`update_by`) VALUES ('LINKIS-UNAVAILABLE-TOKEN','*','*','BDP',curdate(),curdate(),-1,'LINKIS');
   
     INSERT INTO `linkis_ps_dm_datasource_type` (`name`, `description`, `option`, `classifier`, `icon`, `layers`) VALUES ('mysql', 'mysql数据库', 'mysql数据库', '关系型数据库', '', 3);
     INSERT INTO `linkis_ps_dm_datasource_type` (`name`, `description`, `option`, `classifier`, `icon`, `layers`) VALUES ('kafka', 'kafka', 'kafka', '消息队列', '', 2);

linkis-dist/helm/charts/linkis/templates/configmap-linkis-config.yaml

@@ -69,7 +69,7 @@ data:
     ## Token-Code=Token-User
     ## eg:TEST-AUTH=hadoop,root,user01
     ### http request with header { Token-Code:TEST-AUTH,Token-User:user01 }
-    LINKIS-AUTH=*
+    LINKIS-UNAVAILABLE-TOKEN=*
 
   application-linkis.yml: |
     debug: {{ .Values.linkis.featureGates.testMode }}
@@ -212,7 +212,7 @@ data:
     wds.linkis.client.common.gatewayUrl={{- include "linkis.gateway.url" . }}
     wds.linkis.client.common.authStrategy=token
     wds.linkis.client.common.tokenKey=Validation-Code
-    wds.linkis.client.common.tokenValue=LINKIS-AUTH
+    wds.linkis.client.common.tokenValue=LINKIS-UNAVAILABLE-TOKE
     spring.spring.mvc.pathmatch.matching-strategy=ant_path_matcher
     spring.spring.cloud.loadbalancer.cache.enabled=false
     springfox.documentation.enabled=false

linkis-dist/package/admin/configuration_helper.sh

@@ -61,21 +61,21 @@ fi
 get()
 {
   requestUrl="$gatewayUrl/api/rest_j/v1/configuration/keyvalue?creator=$creator&engineType=$engineType&version=$version&configKey=$configKey"
-  curl --location --request GET $requestUrl -H "Token-Code:LINKIS-AUTH" -H "Token-User:$user"
+  curl --location --request GET $requestUrl -H "Token-Code:LINKIS-UNAVAILABLE-TOKEN" -H "Token-User:$user"
 }
 
 delete()
 {
   requestUrl="$gatewayUrl/api/rest_j/v1/configuration/keyvalue"
   requestBody="{\"engineType\":\"$engineType\",\"version\":\"$version\",\"creator\":\"$creator\",\"configKey\":\"$configKey\"}"
-  curl -i -X DELETE $requestUrl  -H "Accept: application/json"  -H "Content-Type: application/json" -H "Token-Code:LINKIS-AUTH" -H "Token-User:$user" -d "$requestBody"
+  curl -i -X DELETE $requestUrl  -H "Accept: application/json"  -H "Content-Type: application/json" -H "Token-Code:LINKIS-UNAVAILABLE-TOKEN" -H "Token-User:$user" -d "$requestBody"
 }
 
 add()
 {
   requestUrl="$gatewayUrl/api/rest_j/v1/configuration/keyvalue"
   requestBody="{\"engineType\":\"$engineType\",\"version\":\"$version\",\"creator\":\"$creator\",\"configKey\":\"$configKey\",\"configValue\":\"$configValue\",\"force\":\"$force\",\"user\":\"$user\"}"
-  curl -i -X POST $requestUrl  -H "Accept: application/json"  -H "Content-Type: application/json" -H "Token-Code:LINKIS-AUTH" -H "Token-User:hadoop" -d "$requestBody"
+  curl -i -X POST $requestUrl  -H "Accept: application/json"  -H "Content-Type: application/json" -H "Token-Code:LINKIS-UNAVAILABLE-TOKEN" -H "Token-User:hadoop" -d "$requestBody"
 }
 
 case $COMMAND in

linkis-dist/package/conf/linkis-cli/linkis-cli.properties

@@ -17,6 +17,6 @@
 wds.linkis.client.common.gatewayUrl=http://127.0.0.1:9001
 wds.linkis.client.common.authStrategy=token
 wds.linkis.client.common.tokenKey=Validation-Code
-wds.linkis.client.common.tokenValue=LINKIS-AUTH
+wds.linkis.client.common.tokenValue=LINKIS-UNAVAILABLE-TOKEN
 wds.linkis.client.noncustomizable.enable.user.specification=true
 wds.linkis.client.noncustomizable.enable.proxy.user=true

linkis-dist/package/conf/linkis.properties

@@ -104,15 +104,15 @@ wds.linkis.workspace.filesystem.owner.check=true
 wds.linkis.workspace.filesystem.path.check=true
 
 #linkis token
-linkis.configuration.linkisclient.auth.token.value=LINKIS-AUTH
-wds.linkis.client.common.tokenValue=LINKIS-AUTH
-wds.linkis.bml.auth.token.value=LINKIS-AUTH
-wds.linkis.context.client.auth.value=LINKIS-AUTH
-wds.linkis.errorcode.auth.token=LINKIS-AUTH
-wds.linkis.client.test.common.tokenValue=LINKIS-AUTH
-wds.linkis.filesystem.token.value=LINKIS-AUTH
-wds.linkis.gateway.access.token=LINKIS-AUTH
-wds.linkis.server.dsm.auth.token.value=LINKIS-AUTH
+linkis.configuration.linkisclient.auth.token.value=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.client.common.tokenValue=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.bml.auth.token.value=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.context.client.auth.value=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.errorcode.auth.token=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.client.test.common.tokenValue=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.filesystem.token.value=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.gateway.access.token=LINKIS-UNAVAILABLE-TOKEN
+wds.linkis.server.dsm.auth.token.value=LINKIS-UNAVAILABLE-TOKEN
 
 
 # s3 file system