-
Notifications
You must be signed in to change notification settings - Fork 62
Added custom metrics binding credential generation and management in APIServer #376
Added custom metrics binding credential generation and management in APIServer #376
Conversation
Hey paltanmoy! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA. |
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/159738594 The labels on this github issue will be updated when the story is started. |
@paltanmoy , Is that possible to break this PR with 2930 insertions into smaller ones , i.e. to handle credential generation and management only ? Regardless custom metric, credential generation is a "valid" topic in service broker and api server .. |
'username': creds.username, | ||
'password': creds.password | ||
}; | ||
var isCached = credentialCache.set(appId, cachedCred, cacheTTL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any reason the cred is not cached? if it is not cached, it is not good to have log message saying "credential cached"
var schema = { | ||
'type': 'object', | ||
'id':'/scaling_rules', | ||
'properties' : { | ||
'metric_type':{ 'type':'string' ,'enum':metricTypeEnum }, | ||
'metric_type':{ 'type':'string' }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we probably will need to add a prefix for custom metrics, to distinguish whether it is custom metrics or not. This will also avoid conflict with built-in metrics.
We need to call this out in doc as well.
|
||
checkResponseContent(getPolicy, appId, http.StatusOK, expected, INTERNAL) | ||
}) | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to add another test case when custom metrics support for unbind
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added Unbind Test case
api/lib/routes/credentials.js
Outdated
var HttpStatus = require('http-status-codes'); | ||
var credHelper = require('./credentialHelper')(models, credentialCache, cacheTTL); | ||
|
||
router.get('/:app_id/creds', function(req, resp) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be it "POST /v1 /apps/:app_id/credentials" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes , all endpoints have been modified as suggested
api/lib/routes/credentials.js
Outdated
}); | ||
}); | ||
|
||
router.delete('/:app_id/creds', function(req, res) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DELETE /v1 /apps/:app_id/credentials
api/lib/routes/credentials.js
Outdated
}); | ||
}); | ||
|
||
router.get('/:app_id/creds/validate', function(req, resp) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should it be "POST /v1 /apps/:app_id/credentials/validate" ?
}); | ||
} | ||
|
||
credhelper.deleteCredentials = function(req, callback) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
delete credential will need to invalidate the entry in cache
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cache invalidation added.
api/lib/routes/credentialHelper.js
Outdated
id: req.params.app_id, | ||
username: generateHash(username), | ||
password: generateHash(password) | ||
}).then(function(updatedData) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems should be opposite.... if updatedData, then you should log the credential hasbeen updated succeesfully
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, rather sequelize upsert returns a promise with a boolean indicating whether the data is created or not. So renamed updatedData to createdData
api/lib/routes/credentialHelper.js
Outdated
password: generateHash(password) | ||
}).then(function(updatedData) { | ||
if (updatedData) { | ||
logger.info('New credentials hasbeen generated successfully', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if updatedData, cache entry needs to be invalidated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry I forgot there will be multiple instances of api server, so invalidate local cache will not invalidate cache of other instances. So if we don't have distributed remote cache, we will need to allow using old credentials until it expires in cache. However if the check with cache fails, we need to recheck with database to make sure we don't reject request which uses new credentials while the old credential is not expired in cache yet.
3425464
to
bfdb593
Compare
api/lib/routes/credentialHelper.js
Outdated
isValidCred = validateCredentialDetails(username, creds.username, password, creds.password); | ||
logger.info('Credentials hasbeen found successfully in cache', { | ||
'app_id': appId, | ||
'isValid': isValidCred |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if it is not valid, we may need to check with database... and refresh cache.
LGTM |
api/lib/routes/credentialHelper.js
Outdated
var password = uuidv4(); | ||
var appId = req.params.app_id; | ||
models.credentials.upsert({ | ||
id: req.params.app_id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use appId.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
which one? id => appId or app_id => appId ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var appId = req.params.app_id;
appId has been defined, so better to " id: appId" ?
api/lib/routes/credentialHelper.js
Outdated
password: generateHash(password) | ||
}).then(function(createdData) { | ||
if (createdData) { | ||
logger.info('New credentials hasbeen generated successfully', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hasbeen -> has been?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
api/lib/routes/credentialHelper.js
Outdated
}); | ||
} | ||
else { | ||
logger.info('Existing credentials hasbeen updated successfully', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hasbeen -> has been?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -87,6 +88,7 @@ describe('config setting Test Suite', function () { | |||
expect(settings.cfApi).to.equal("https://" + defaultConfig.cfApi.toLowerCase()); | |||
expect(settings.infoFilePath).to.equal(defaultConfig.infoFilePath); | |||
expect(settings.skipSSLValidation).to.equal(false); | |||
expect(settings.cacheTTL).to.equal(defaultConfig.cacheTTL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where is the test case for cacheTTL validation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test case added
} | ||
// Try to find credentials in cache | ||
try{ | ||
creds = credentialCache.get(appId, true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it better to get data from database directly when there is not data in cache rather than throwing an error and catching it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As getting creds directly from database is being already handled in catch block ..tried handling in the same way.
}); | ||
}; | ||
|
||
apiUtil.validateCreds = function(parameters, callback){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this function useful?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope. Removed the function.
binding.count({ where: { bindingId: bindingId } }).then(function(countRes) { | ||
expect(countRes).to.equal(1); | ||
done(); | ||
}) | ||
}); | ||
}); | ||
|
||
it("failed to create a new binding because of credential generation failure", function(done) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The binding creation only fails when enableCustomMetrics is true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in test settings enableCustomMetrics is true only
74b5e65
to
a5bc4f0
Compare
LGTM |
* Consolidate all db maintenance of pruner to operator (#368) * Consolidate all db maintenance of pruner to operator * update per comments * wrong sample request in docs (#374) * Bug fix in liquibase change set when rename pruner to operator * Added DB schema for custom-metrics credentials management (#373) * Added DB schema for custom-metrics credentials management * Deleted binding_id column * Update api.db.changelog.yml * adapt public rest api to cf style (#371) * adapt public rest api to cf style [#159391488] * both order-direction and order are valid to compatible with old version * page * refactor router helper and update prevUrl&nextUrl method * add test cases for function getPageUrl * test case update * Instance metrics can be queried by instance index (#377) * Instance metrics can be queried by instance index [#159756219] * when instance-index is not provided, returns instance metrics of all instances * update for comments * update for comments * Added custom metrics binding credential generation and management in APIServer (#376) * Custom Metrics broker api changes * Modified Integration Test * Minor update * Incorporated Review comments * Updated Integration tests * credentials generated during binding without policy * Rechecking database for invalid credential cache entry * Incorporated Review comments * refactor config of go components (#378) * Add maven dependencies to scheduler to be compatible with JAVA9 or higher versions. (#380) [#160224877] * Check user authorization in apiserver with cc token_point instead of authorization_endpoint (#382) [#160438532] * prune non-existent application details (#381) * synchronize application details * Pruning apps only for CF-AppNotFound type of error * pruning of app is restricted to only 404 statusCode * Updated to incorporate review comments * cache metric data in metrics collector (#379) * cache metric data in metrics collector * update based on review comments * fix the race condition in test (#386) * Add http connection timeout as a configuration to all autoscaler components (#387) * Add http connection timeout as a configuration to all autoscaler components [#160241806] * rename http_request_timeout to http_client_timeout * typo * override tcp dial timeout of cfhttp httpclient (#389) * Added validation to restrict threshold value to be integer only (#392) * [auth] allow admin to access autoscaler (#393) * [auth] allow admin to access autoscaler * [auth] check token via uaa * [auth] add test cases * [auth] supplement test cases * [auth] update test * [auth] [7]string -> []string * Add db connection limitation configurations to scheduler (#395) [#161710050] * Add health endpoint for go component (#394) * Add health endpoint for go component * update for comments * Add health endpoint for scheduler (#397) [#161745454] * unify all the golang fakes (#398) [#161774071] * cut off duration of operator should be any duration rather than days (#399) * cut off duration of operator should be any duration rather than days [#161834647] * the default cut off duration is 30 days * enable cpu metric collection * Configuration enhancement for scheduler to prevent logjam vulnerability (#400) [#161873300] * Updated metric_type schema to support custom metrics (#404) * Updated metric_type schema to support custom metrics - metric_type can be alphanumeric characters and it can also have underscores * Updated apiserver policy validation * enhance integration test for bug "TLS handshake error between operator and scheduler" (#405) [#162230075]
Custom Metrics feature related changes[For ServiceBroker and APIServer only].