
Example 1 with Cache

Use of com.netflix.titus.common.util.cache.Cache in the project titus-control-plane by Netflix.

The class AwsIamConnector, method canAgentAssume.

Imports referenced by this method (they belong at the top of AwsIamConnector.java):

import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.netflix.titus.api.iam.service.IamConnectorException;
import com.netflix.titus.common.util.spectator.IamConnectorMetrics;
import com.netflix.titus.common.util.tuple.Either;
import com.netflix.titus.ext.aws.AwsReactorExt;
import reactor.core.publisher.Mono;

@Override
public Mono<Void> canAgentAssume(String iamRoleName) {
    return Mono.defer(() -> {
        long startTime = registry.clock().wallTime();
        // Check the cache first. Both outcomes are cached: a previous success short-circuits to an
        // empty Mono, a previous AccessDenied is replayed as the same error until the entry is evicted.
        Either<Boolean, Throwable> lastCheck = canAssumeCache.getIfPresent(iamRoleName);
        if (lastCheck != null) {
            return lastCheck.hasValue() ? Mono.empty() : Mono.error(lastCheck.getError());
        }
        // Cache miss: the only authoritative check is to actually call AWS STS AssumeRole with the
        // agent's credentials, requesting the minimum session duration.
        return AwsReactorExt.<AssumeRoleRequest, AssumeRoleResult>toMono(
                () -> new AssumeRoleRequest()
                        .withRoleSessionName("titusIamRoleValidation")
                        .withRoleArn(iamRoleName)
                        .withDurationSeconds(MIN_ASSUMED_ROLE_DURATION_SEC),
                stsAgentClient::assumeRoleAsync
        ).flatMap(response -> {
            logger.debug("Assumed into: {}", iamRoleName);
            canAssumeCache.put(iamRoleName, Either.ofValue(true));
            connectorMetrics.success(IamConnectorMetrics.IamMethods.CanAgentAssume, startTime);
            return Mono.<Void>empty();
        }).onErrorMap(error -> {
            logger.debug("Error: {}", error.getMessage());
            connectorMetrics.failure(IamConnectorMetrics.IamMethods.CanAgentAssume, error, startTime);
            // Only STS service errors carry an error code; guard the cast so that transport or
            // client-side failures map to an "unexpected error" instead of a ClassCastException.
            if (error instanceof AWSSecurityTokenServiceException
                    && "AccessDenied".equals(((AWSSecurityTokenServiceException) error).getErrorCode())) {
                // STS returns AccessDenied with no additional clues. To get more insight we would
                // have to call the IAM service, but that would require access to all client accounts.
                IamConnectorException cannotAssumeError = IamConnectorException.iamRoleCannotAssume(
                        iamRoleName, configuration.getDataPlaneAgentRoleArn());
                // The negative result is cached as well, so a role whose trust policy is fixed later
                // keeps failing this check until the cached entry is evicted.
                canAssumeCache.put(iamRoleName, Either.ofError(cannotAssumeError));
                return cannotAssumeError;
            }
            // Anything else (throttling, network failures, other STS codes) is not cached.
            return IamConnectorException.iamRoleUnexpectedError(iamRoleName, error.getMessage());
        });
    });
}
