aurora-reviews mailing list archives

From Jordan Ly <jordan....@gmail.com>
Subject Re: Review Request 60173: Allow custom Thrift method interceptors to be injected via Guice modules
Date Mon, 19 Jun 2017 18:03:54 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60173/
-----------------------------------------------------------

(Updated June 19, 2017, 6:03 p.m.)


Review request for Aurora, David McLaughlin, Santhosh Kumar Shanmugham, Stephan Erb, and Zameer
Manji.


Changes
-------

Added the testing done on the Vagrant box


Repository: aurora


Description
-------

Allow for custom Thrift method interceptors to be injected via Guice modules. Cluster operators
might use this feature to inject interceptors that only allow certain roles to call certain
endpoints, or to dynamically check if a job should be able to use a constraint.


Diffs
-----

  RELEASE-NOTES.md e032f7927a68b00401ea8f073ff52b5def74f3ce 
  docs/reference/scheduler-configuration.md 3d53c5a552e06f62a7572591fb0c92ccae42c54b 
  src/main/java/org/apache/aurora/scheduler/thrift/aop/AopModule.java f59ee1a0514a6dc52573c0b932cba755e0a10e18



Diff: https://reviews.apache.org/r/60173/diff/2/


Testing (updated)
-------

Unit + integration tests pass.

Injected a custom module on a Vagrant box -- added a simple class and included the module
when starting up the scheduler:
```
diff --git a/examples/vagrant/upstart/aurora-scheduler.conf b/examples/vagrant/upstart/aurora-scheduler.conf
index 63fcc87..18521af 100644
--- a/examples/vagrant/upstart/aurora-scheduler.conf
+++ b/examples/vagrant/upstart/aurora-scheduler.conf
@@ -56,4 +56,5 @@ exec bin/aurora-scheduler \
   -allow_container_volumes=true \
   -offer_filter_duration=0secs \
   -mesos_driver=V1_DRIVER \
-  -unavailability_threshold=1mins
+  -unavailability_threshold=1mins \
+  -thrift_method_interceptor_modules=org.apache.aurora.scheduler.thrift.aop.ThriftWhitelistInterceptorModule
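Review bot: The added `-thrift_method_interceptor_modules=...ThriftWhitelistInterceptorModule` line wires a test-only module into the shared Vagrant upstart config, and that module rejects `createJob` for role `vagrant`, the role used in the failing run shown later in this message. If this hunk exists only to demonstrate the flag, keep it out of the committed change. Otherwise every job created under that role on the dev box will fail with "Test response.".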
diff --git a/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java
b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java
new file mode 100644
index 0000000..4296f81
--- /dev/null
+++ b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java
@@ -0,0 +1,46 @@
+package org.apache.aurora.scheduler.thrift.aop;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.google.inject.AbstractModule;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+import org.apache.aurora.gen.JobConfiguration;
+import org.apache.aurora.gen.Response;
+import org.apache.aurora.gen.ResponseCode;
+import org.apache.aurora.gen.ResponseDetail;
+import org.apache.aurora.gen.TaskConfig;
+
+/** Module that checks if a role is allowed to do a specific action */
+public class ThriftWhitelistInterceptorModule extends AbstractModule {
+
+  @Override
+  protected void configure() {
+    AopModule.bindThriftDecorator(binder(), AopModule.THRIFT_IFACE_MATCHER,
+        new ThriftWhitelistInterceptor());
+  }
+
+  private class ThriftWhitelistInterceptor implements MethodInterceptor {
+
+    @Override
+    public Object invoke(MethodInvocation invocation) throws Throwable {
+      Object[] args = invocation.getArguments();
+      switch(invocation.getMethod().getName()) {
+        case "createJob":
+          JobConfiguration config = (JobConfiguration) args[0];
+          TaskConfig task = config.getTaskConfig();
+          String role = task.getJob().getRole();
+          if (role.equals("vagrant")) {
+            ResponseDetail detail = new ResponseDetail("Test response.");
+            List<ResponseDetail> details = new ArrayList<>();
+            details.add(detail);
+            return new Response(ResponseCode.ERROR, null, details);
+          }
+      }
+
+      return (Response) invocation.proceed();
+    }
+  }
+}
```
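Review bot: In `invoke`, the `createJob` case takes the role from the request's own `JobConfiguration` (`task.getJob().getRole()`) and rejects only `vagrant`, so despite the "Whitelist" name this is a one-entry deny list keyed on a field the caller supplies, and every other role and every other method falls through to `invocation.proceed()`. For an interceptor meant to restrict which roles may call which endpoints, invert the logic so that only explicitly listed roles proceed and everything else is denied by default, and say in the Javadoc whether the role checked is the job's role or the caller's identity. Two smaller points in the same method: `role.equals("vagrant")` throws if the role is unset, so prefer `"vagrant".equals(role)`, and the `switch` has no `break` or `default`, which will fall through silently as soon as a second case is added.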

Tried to create a job with two different roles:
```
vagrant@aurora:~$ aurora job create devcluster/vagrant/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora
 INFO] Creating job http_example
Job creation failed due to error:
	Test response.
    
vagrant@aurora:~$ aurora job create devcluster/www-data/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora
 INFO] Creating job http_example
 INFO] Checking status of devcluster/www-data/test/http_example
Job create succeeded: job url=http://aurora.local:8081/scheduler/www-data/test/http_example
```


Thanks,

Jordan Ly

