You are viewing a plain text version of this content. The canonical link for it is here.
Posted to pr@cassandra.apache.org by GitBox <gi...@apache.org> on 2022/04/25 12:43:51 UTC

[GitHub] [cassandra] driftx commented on a diff in pull request #949: CASSANDRA-16555 - Add out-of-the-box snitch for Ec2 IMDSv2

driftx commented on code in PR #949:
URL: https://github.com/apache/cassandra/pull/949#discussion_r606232190


##########
src/java/org/apache/cassandra/locator/Ec2MultiRegionSnitchIMDSv2.java:
##########
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.locator;
+
+import java.io.IOException;
+import java.net.InetAddress;
+
+
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.exceptions.ConfigurationException;
+import org.apache.cassandra.gms.ApplicationState;
+import org.apache.cassandra.gms.Gossiper;
+import org.apache.cassandra.service.StorageService;
+
+/**
+ * Is exactly the same as the Ec2MultiRegionSnitch except it uses the Instance MetaData Service v2 (IMDSv2) which
+ * requires you to get a session token first.
+ */
+public class Ec2MultiRegionSnitchIMDSv2 extends Ec2SnitchIMDSv2
+{
+
+    private static final String PUBLIC_IP_QUERY_URL = "http://169.254.169.254/latest/meta-data/public-ipv4";
+    private static final String PRIVATE_IP_QUERY_URL = "http://169.254.169.254/latest/meta-data/local-ipv4";
+    private final String localPrivateAddress;
+
+    public Ec2MultiRegionSnitchIMDSv2() throws IOException, ConfigurationException
+    {
+        super();
+        InetAddress localPublicAddress = InetAddress.getByName(awsApiCall(PUBLIC_IP_QUERY_URL));
+        logger.info("EC2Snitch using publicIP as identifier: {}", localPublicAddress);
+        localPrivateAddress = awsApiCall(PRIVATE_IP_QUERY_URL);
+        // use the Public IP to broadcast Address to other nodes.
+        DatabaseDescriptor.setBroadcastAddress(localPublicAddress);

Review Comment:
   It looks like you are setting this before checking it for null right afterward, is that intentional?



##########
src/java/org/apache/cassandra/locator/Ec2SnitchIMDSv2.java:
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.locator;
+import java.io.DataInputStream;
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.cassandra.exceptions.ConfigurationException;
+import org.apache.cassandra.io.util.FileUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An implementation of the Ec2Snitch which uses Instance Meta Data Service v2 (IMDSv2) which requires you
+ * to get a session token first before calling the metaData service
+ */
+public class Ec2SnitchIMDSv2 extends Ec2Snitch
+{
+    protected static final Logger logger = LoggerFactory.getLogger(Ec2SnitchIMDSv2.class);
+    private static final long REFRESH_TOKEN_TIME = 21600;
+    private static final String AWS_EC2_METADATA_HEADER_TTL = "X-aws-ec2-metadata-token-ttl-seconds";
+    private static final String TOKEN_TTL_SECONDS = String.valueOf(REFRESH_TOKEN_TIME);
+    private static final String AWS_EC2_METADATA_HEADER = "X-aws-ec2-metadata-token";
+    private static final String TOKEN_ENDPOINT = "http://169.254.169.254/latest/api/token";
+
+    private String myToken;
+    private Long myLastTokenTime;
+
+
+    public Ec2SnitchIMDSv2() throws IOException, ConfigurationException
+    {
+        super();
+    }
+
+    @Override
+    String awsApiCall(final String url) throws IOException, ConfigurationException
+    {
+        // Populate the region and zone by introspection, fail if 404 on metadata
+        if (myToken == null || myLastTokenTime == null
+            || System.currentTimeMillis() - myLastTokenTime > (REFRESH_TOKEN_TIME - 100))
+        {
+            getAndSetNewToken();
+        }
+        final HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
+        conn.setRequestProperty(AWS_EC2_METADATA_HEADER, myToken);
+        return getContent(conn);
+    }
+
+    /**
+     * Get a session token to enable requests to the meta data service.
+     * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+     *
+     * @throws IOException
+     */
+    private void getAndSetNewToken() throws IOException
+    {
+        final URL url = new URL(TOKEN_ENDPOINT);
+        final HttpURLConnection http = (HttpURLConnection) url.openConnection();
+        http.setRequestProperty(AWS_EC2_METADATA_HEADER_TTL, TOKEN_TTL_SECONDS);
+        http.setRequestMethod("PUT");
+
+        myToken = getContent(http);
+        myLastTokenTime = System.currentTimeMillis();
+    }
+
+    private String getContent(final HttpURLConnection conn) throws IOException
+    {
+        DataInputStream d = null;
+        try
+        {
+            if (conn.getResponseCode() != 200)
+            {
+                throw new ConfigurationException(
+                "Ec2SnitchIMDSv2 was unable to execute the API call. Not an ec2 node?");
+            }
+            // Read the information. I wish I could say (String) conn.getContent() here...
+            final int cl = conn.getContentLength();
+            final byte[] b = new byte[cl];
+            d = new DataInputStream((FilterInputStream) conn.getContent());
+            d.readFully(b);
+            return new String(b, StandardCharsets.UTF_8);
+        }
+        finally

Review Comment:
   I think we should catch and log errors here.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org
For additional commands, e-mail: pr-help@cassandra.apache.org