add sidecar metadata service for credential provisioning
1 parent
6d5e189
commit e51b676
Showing
8 changed files
with
232 additions
and
5 deletions.
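--- a/...rc/main/java/io/cdap/cdap/internal/app/worker/sidecar/GCPMetadataHttpHandlerInternal.java
+++ b/...rc/main/java/io/cdap/cdap/internal/app/worker/sidecar/GCPMetadataHttpHandlerInternal.java
@@ -0,0 +1,169 @@
+/*
+ * Copyright © 2023 Cask Data, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package io.cdap.cdap.internal.app.worker.sidecar;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.inject.Singleton;
+import io.cdap.cdap.common.ForbiddenException;
+import io.cdap.cdap.common.conf.CConfiguration;
+import io.cdap.cdap.common.conf.Constants;
+import io.cdap.cdap.common.id.Id.Namespace;
+import io.cdap.cdap.proto.BasicThrowable;
+import io.cdap.cdap.proto.codec.BasicThrowableCodec;
+import io.cdap.common.http.HttpRequests;
+import io.cdap.common.http.HttpResponse;
+import io.cdap.http.AbstractHttpHandler;
+import io.cdap.http.HttpHandler;
+import io.cdap.http.HttpResponder;
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+import io.netty.handler.codec.http.HttpRequest;
+import io.netty.handler.codec.http.HttpResponseStatus;
+import java.net.URL;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.HttpHeaders;
+import joptsimple.internal.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Internal {@link HttpHandler} for Artifact Localizer.
+ */
+@Singleton
+@Path("/")
+public class GCPMetadataHttpHandlerInternal extends AbstractHttpHandler {
+
+private static final String METADATA_FLAVOR = "Metadata-Flavor";
+private static final String GOOGLE = "Google";
+private static final Logger LOG = LoggerFactory.getLogger(GCPMetadataHttpHandlerInternal.class);
+private static final Gson GSON = new GsonBuilder().registerTypeAdapter(BasicThrowable.class,
+new BasicThrowableCodec()).create();
+private final CConfiguration cConf;
+private final String metadataServiceEndpoint;
+private Namespace namespace;
+
+public GCPMetadataHttpHandlerInternal(CConfiguration cConf) {
+this.cConf = cConf;
+this.metadataServiceEndpoint = cConf.get(
+Constants.TaskWorker.METADATA_SERVICE_END_POINT);
+}
+
+/**
+ * Returns the status of metadata server.
+ *
+ * @param request The {@link HttpRequest}.
+ * @param responder a {@link HttpResponder} for sending response.
+ * @throws Exception if there is any error.
+ */
+@GET
+@Path("/")
+public void status(HttpRequest request, HttpResponder responder) throws Exception {
+
+// check that metadata header is present in the request.
+if (!request.headers().contains(METADATA_FLAVOR, GOOGLE, true)) {
+throw new ForbiddenException(
+String.format("Request is missing required %s header. To access the metadata server, "
++ "you must add the %s: %s header to your request.", METADATA_FLAVOR,
+METADATA_FLAVOR, GOOGLE));
+}
+responder.sendStatus(HttpResponseStatus.OK,
+new DefaultHttpHeaders().add(METADATA_FLAVOR, GOOGLE));
+}
+
+@GET
+@Path("/computeMetadata/v1/instance/service-accounts/default/token")
+public void token(HttpRequest request, HttpResponder responder,
+@QueryParam("scopes") String scopes) throws Exception {
+
+LOG.info("Token requested");
+// check that metadata header is present in the request.
+if (!request.headers().contains(METADATA_FLAVOR, GOOGLE, true)) {
+throw new ForbiddenException(
+String.format("Request is missing required %s header. To access the metadata server, "
++ "you must add the %s: %s header to your request.", METADATA_FLAVOR,
+METADATA_FLAVOR, GOOGLE));
+}
+
+// TODO: CDAP-20750
+if (metadataServiceEndpoint == null) {
+responder.sendString(HttpResponseStatus.NOT_IMPLEMENTED,
+String.format("%s has not been set",
+Constants.TaskWorker.METADATA_SERVICE_END_POINT));
+return;
+}
+
+try {
+URL url = new URL(metadataServiceEndpoint);
+if (!Strings.isNullOrEmpty(scopes)) {
+url = new URL(String.format("%s?scopes=%s", metadataServiceEndpoint, scopes));
+}
+io.cdap.common.http.HttpRequest tokenRequest = io.cdap.common.http.HttpRequest.get(url)
+.addHeader(METADATA_FLAVOR, GOOGLE)
+.build();
+HttpResponse tokenResponse = HttpRequests.execute(tokenRequest);
+responder.sendJson(HttpResponseStatus.OK, tokenResponse.getResponseBodyAsString());
+} catch (Exception ex) {
+LOG.warn("Failed to fetch token from metadata service", ex);
+responder.sendString(HttpResponseStatus.INTERNAL_SERVER_ERROR, exceptionToJson(ex),
+new DefaultHttpHeaders().set(HttpHeaders.CONTENT_TYPE, "application/json"));
+}
+}
+
+/**
+ * Sets the CDAP Namespace information.
+ *
+ * @param request The {@link HttpRequest}.
+ * @param namespaceId Namespace id string.
+ * @param responder a {@link HttpResponder} for sending response.
+ */
+@PUT
+@Path("/set-namespace/{namespace-id}")
+public void setNamespace(HttpRequest request, HttpResponder responder,
+@PathParam("namespace-id") String namespaceId) {
+LOG.info("Set namespace {}", namespaceId);
+this.namespace = new Namespace(namespaceId);
+responder.sendStatus(HttpResponseStatus.OK);
+}
+
+/**
+ * Clears the CDAP Namespace information.
+ *
+ * @param request The {@link HttpRequest}.
+ * @param responder a {@link HttpResponder} for sending response.
+ */
+@DELETE
+@Path("/clear-namespace")
+public void clearNamespace(HttpRequest request, HttpResponder responder) {
+LOG.info("Clear namespace");
+this.namespace = null;
+responder.sendStatus(HttpResponseStatus.OK);
+}
+
+/**
+ * Return json representation of an exception. Used to propagate exception across network for
+ * better surfacing errors and debuggability.
+ */
+private String exceptionToJson(Exception ex) {
+BasicThrowable basicThrowable = new BasicThrowable(ex);
+return GSON.toJson(basicThrowable);
+}
+}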
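Review bot: The caller-supplied `scopes` query value is spliced into the upstream URL unencoded in `token`, at `url = new URL(String.format("%s?scopes=%s", metadataServiceEndpoint, scopes));`, so a value containing `&`, `#` or whitespace can add or alter query parameters sent to the metadata service or make `new URL` throw. Encode it before concatenation, e.g. `url = new URL(metadataServiceEndpoint + "?scopes=" + URLEncoder.encode(scopes, StandardCharsets.UTF_8.name()));` with the matching `java.net.URLEncoder` and `java.nio.charset.StandardCharsets` imports (the checked exception is already covered by the surrounding `catch (Exception ex)`). The class Javadoc `Internal {@link HttpHandler} for Artifact Localizer.` appears to be copied from another handler and should describe this sidecar metadata endpoint, and `token` has no Javadoc at all, unlike the other public methods. `cConf` and `namespace` are assigned but never read anywhere in this file, and `joptsimple.internal.Strings` is an internal class of a CLI-parsing library being relied on for a null/empty check; the duplicated `Metadata-Flavor` header check in `status` and `token` could also become one private helper.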