-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60173/
-----------------------------------------------------------
(Updated June 19, 2017, 6:03 p.m.)

Review request for Aurora, David McLaughlin, Santhosh Kumar Shanmugham, Stephan Erb, and Zameer Manji.

Changes
-------

Added the testing done on the Vagrant box

Repository: aurora

Description
-------

Allow for custom Thrift method interceptors to be injected via Guice modules.

Cluster operators might use this feature to inject interceptors that only allow certain roles to call certain endpoints, or to dynamically check if a job should be able to use a constraint.

Diffs
-----

  RELEASE-NOTES.md e032f7927a68b00401ea8f073ff52b5def74f3ce
  docs/reference/scheduler-configuration.md 3d53c5a552e06f62a7572591fb0c92ccae42c54b
  src/main/java/org/apache/aurora/scheduler/thrift/aop/AopModule.java f59ee1a0514a6dc52573c0b932cba755e0a10e18

Diff: https://reviews.apache.org/r/60173/diff/2/

Testing (updated)
-------

Unit + integration tests pass.

Injected a custom module on a Vagrant box -- added a simple class and included the module when starting up the scheduler:

``` diff --git a/examples/vagrant/upstart/aurora-scheduler.conf b/examples/vagrant/upstart/aurora-scheduler.conf index 63fcc87..18521af 100644 --- a/examples/vagrant/upstart/aurora-scheduler.conf +++ b/examples/vagrant/upstart/aurora-scheduler.conf @@ -56,4 +56,5 @@ exec bin/aurora-scheduler \ -allow_container_volumes=true \ -offer_filter_duration=0secs \ -mesos_driver=V1_DRIVER \ - -unavailability_threshold=1mins + -unavailability_threshold=1mins \ + -thrift_method_interceptor_modules=org.apache.aurora.scheduler.thrift.aop.ThriftWhitelistInterceptorModule diff --git a/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java new file mode 100644 index 0000000..4296f81 --- /dev/null +++ b/src/main/java/org/apache/aurora/scheduler/thrift/aop/ThriftWhitelistInterceptorModule.java 
@@ -0,0 +1,46 @@ +package org.apache.aurora.scheduler.thrift.aop; + +import java.util.ArrayList; +import java.util.List; + +import com.google.inject.AbstractModule; + +import org.aopalliance.intercept.MethodInterceptor; +import org.aopalliance.intercept.MethodInvocation; +import org.apache.aurora.gen.JobConfiguration; +import org.apache.aurora.gen.Response; +import org.apache.aurora.gen.ResponseCode; +import org.apache.aurora.gen.ResponseDetail; +import org.apache.aurora.gen.TaskConfig; + +/** Module that checks if a role is allowed to do a specific action */ +public class ThriftWhitelistInterceptorModule extends AbstractModule { + + @Override + protected void configure() { + AopModule.bindThriftDecorator(binder(), AopModule.THRIFT_IFACE_MATCHER, + new ThriftWhitelistInterceptor()); + } + + private class ThriftWhitelistInterceptor implements MethodInterceptor { + + @Override + public Object invoke(MethodInvocation invocation) throws Throwable { + Object[] args = invocation.getArguments(); + switch(invocation.getMethod().getName()) { + case "createJob": + JobConfiguration config = (JobConfiguration) args[0]; + TaskConfig task = config.getTaskConfig(); + String role = task.getJob().getRole(); + if (role.equals("vagrant")) { + ResponseDetail detail = new ResponseDetail("Test response."); + List<ResponseDetail> details = new ArrayList<>(); + details.add(detail); + return new Response(ResponseCode.ERROR, null, details); + } + } + + return (Response) invocation.proceed(); + } + } +} ``` Tried to create a job with two different roles: ``` vagrant@aurora:~$ aurora job create devcluster/vagrant/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora INFO] Creating job http_example Job creation failed due to error: Test response. 
vagrant@aurora:~$ aurora job create devcluster/www-data/test/http_example /vagrant/src/test/sh/org/apache/aurora/e2e/http/http_example.aurora
INFO] Creating job http_example
INFO] Checking status of devcluster/www-data/test/http_example
Job create succeeded: job url=http://aurora.local:8081/scheduler/www-data/test/http_example
```

Thanks,

Jordan Ly
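
Review bot: In ThriftWhitelistInterceptor.invoke the logic is a denylist, not the whitelist the class name promises: it rejects the single role "vagrant" on "createJob" and sends every other role and every other Thrift method straight to invocation.proceed(). If this is meant as the reference example for restricting roles to endpoints, either rename it or invert the check so that unlisted roles are rejected, and add an explicit default branch so the pass-through is a visible decision. The role is also read from the JobConfiguration in args[0], which is request data, so the Javadoc should say that this is the job's role and not the caller's identity. `role.equals("vagrant")` throws NullPointerException if getTaskConfig(), getJob() or getRole() returns null; prefer `"vagrant".equals(role)` with null checks on the intermediate getters. Minor: the case has no break, and the inner class can be `private static` since it uses nothing from the enclosing module.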
