Subject: Re: Review Request 60173: Allow custom Thrift method interceptors to be injected via Guice modules
From: Stephan Erb
To: Santhosh Kumar Shanmugham, David McLaughlin, Zameer Manji
Cc: Aurora, Jordan Ly
Date: Tue, 20 Jun 2017 19:30:56 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60173/#review178416
-----------------------------------------------------------

Ship it!

Ship It!

- Stephan Erb

On June 19, 2017, 8:03 p.m., Jordan Ly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60173/
> -----------------------------------------------------------
>
> (Updated June 19, 2017, 8:03 p.m.)
>
>
> Review request for Aurora, David McLaughlin, Santhosh Kumar Shanmugham, Stephan Erb, and Zameer Manji.
>
>
> Repository: aurora
>
>
> Description
> -------
>
> Allow for custom Thrift method interceptors to be injected via Guice modules. Cluster operators might use this feature to inject interceptors that only allow certain roles to call certain endpoints, or to dynamically check if a job should be able to use a constraint.
> > > Diffs > ----- > > RELEASE-NOTES.md e032f7927a68b00401ea8f073ff52b5def74f3ce > docs/reference/scheduler-configuration.md 3d53c5a552e06f62a7572591fb0c92ccae42c54b > src/main/java/org/apache/aurora/scheduler/thrift/aop/AopModule.java f59ee1a0514a6dc52573c0b932cba755e0a10e18 > > > Diff: https://reviews.apache.org/r/60173/diff/2/ > > > Testing > ------- > > Unit + integration tests pass. > > Injected a custom module on a Vagrant box -- added a simple class and included the module when starting up the scheduler: > ``` > diff --git a/examples/vagrant/upstart/aurora-scheduler.conf b/examples/vagrant/upstart/aurora-scheduler.conf > index 63fcc87..18521af 100644 > --- a/examples/vagrant/upstart/aurora-scheduler.conf > +++ b/examples/vagrant/upstart/aurora-scheduler.conf > @@ -56,4 +56,5 @@ exec bin/aurora-scheduler \ > -allow_container_volumes=true \ > -offer_filter_duration=0secs \ > -mesos_driver=V1_DRIVER \ > - -unavailability_threshold=1mins > + -unavailability_threshold=1mins \ > + -thrift_method_interceptor_modules=org.apache.aurora.scheduler.thrift.aop.ThriftWhitelistInterceptorModule > diff --git a/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java > new file mode 100644 > index 0000000..4296f81 > --- /dev/null > +++ b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java 
> @@ -0,0 +1,46 @@ > +package org.apache.aurora.scheduler.thrift.aop; > + > +import java.util.ArrayList; > +import java.util.List; > + > +import com.google.inject.AbstractModule; > + > +import org.aopalliance.intercept.MethodInterceptor; > +import org.aopalliance.intercept.MethodInvocation; > +import org.apache.aurora.gen.JobConfiguration; > +import org.apache.aurora.gen.Response; > +import org.apache.aurora.gen.ResponseCode; > +import org.apache.aurora.gen.ResponseDetail; > +import org.apache.aurora.gen.TaskConfig; > + > +/** Module that checks if a role is allowed to do a specific action */ > +public class ThriftWhitelistInterceptorModule extends AbstractModule { > + > + @Override > + protected void configure() { > + AopModule.bindThriftDecorator(binder(), AopModule.THRIFT_IFACE_MATCHER, > + new ThriftWhitelistInterceptor()); > + } > + > + private class ThriftWhitelistInterceptor implements MethodInterceptor { > + > + @Override > + public Object invoke(MethodInvocation invocation) throws Throwable { > + Object[] args = invocation.getArguments(); > + switch(invocation.getMethod().getName()) { > + case "createJob": > + JobConfiguration config = (JobConfiguration) args[0]; > + TaskConfig task = config.getTaskConfig(); > + String role = task.getJob().getRole(); > + if (role.equals("vagrant")) { > + ResponseDetail detail = new ResponseDetail("Test response."); > + List details = new ArrayList<>(); > + details.add(detail); > + return new Response(ResponseCode.ERROR, null, details); > + } > + } > + > + return (Response) invocation.proceed(); > + } > + } > +} > ``` > > Tried to create a job with two different roles: > ``` > vagrant@aurora:~$ aurora job create devcluster/vagrant/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora > INFO] Creating job http_example > Job creation failed due to error: > Test response. 
>
> vagrant@aurora:~$ aurora job create devcluster/www-data/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora
> INFO] Creating job http_example
> INFO] Checking status of devcluster/www-data/test/http_example
> Job create succeeded: job url=http://aurora.local:8081/scheduler/www-data/test/http_example
> ```
>
>
> Thanks,
>
> Jordan Ly
>
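Review bot: on the added `-thrift_method_interceptor_modules=org.apache.aurora.scheduler.thrift.aop.ThriftWhitelistInterceptorModule` line in `aurora-scheduler.conf`, the testing shown covers only a class name that resolves. Since modules named by this flag can carry role checks, please also confirm, and state in the flag's documentation, that a misspelled or unloadable class name stops scheduler startup rather than letting the scheduler start with no interceptor bound. The hunk itself should stay local to the test setup: the module it enables rejects `createJob` for role `vagrant`, which is the role used in the first `aurora job create` call in the quoted output.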
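Review bot: in `invoke`, `ThriftWhitelistInterceptor` is named as a whitelist but implements a deny rule: it rejects `createJob` only when the role equals "vagrant" and falls through to `invocation.proceed()` for every other role and for every other method matched by `AopModule.THRIFT_IFACE_MATCHER`. If this class is meant as a reference for operators writing role checks, invert it so that the call proceeds only for roles in an explicit allow set and everything else returns `ResponseCode.ERROR`. The chain `config.getTaskConfig()`, `task.getJob().getRole()` and `role.equals("vagrant")` is also unguarded, so a request with any of those unset leaves the interceptor as a NullPointerException instead of a `Response`; comparing with `"vagrant".equals(role)` and returning an error `Response` for missing fields keeps the failure explicit. Smaller points: the `switch` has one case and no `default`, so an `if` on the method name would read more clearly, and the inner class uses no state from the module and can be `private static`.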