
Example 1 with DataprocUtils

Use of `io.cdap.cdap.runtime.spi.common.DataprocUtils` in the cdap project by caskdata.

The listing below is the `getFirewallTargetTags` method of class `DataprocClient`; it decides which firewall target tags are attached to the provisioned VM, so the matching it performs directly determines the VM's network exposure.

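/**
 * Finds the ingress firewall rules of the configured network that admit traffic on every port listed in
 * {@link FirewallPort}, and collects the target tag of each such rule so it can be attached to the VM.
 * <p>
 * Matching is deliberately permissive: any {@code INGRESS} rule on the network whose {@code allowed} list
 * contains protocol {@code all}, or {@code tcp} on the SSH port, qualifies regardless of how wide its source
 * ranges are (when {@code useInternalIP} is false the source ranges are not inspected at all; when it is
 * true a wide range such as {@code 0.0.0.0/0} presumably still overlaps the private blocks and passes).
 * Tagging the VM with such a rule's tag grants the VM every port and source that rule opens, so an
 * {@code all}-protocol rule from the public Internet would expose the whole VM. Operators should prefer a
 * dedicated rule with a narrow source range and only the required ports.
 *
 * @param network the network the VM will be attached to; rules are matched on the network's short name
 * @param useInternalIP when {@code true}, additionally require a rule's source ranges to overlap one of
 *                      {@code PRIVATE_IP_RANGES}; rules with no source ranges are still accepted, and a
 *                      rule whose ranges cannot be parsed is accepted after a warning (fail-open, best effort)
 * @return the distinct target tags (the first tag of each qualifying rule, in API order) to add to the VM
 * @throws IOException if the firewall rules could not be listed
 * @throws RetryableProvisionException if listing failed with an error that {@code handleRetryableExceptions}
 *                                     classifies as transient
 * @throws IllegalArgumentException if no qualifying rule covers every required port
 */
private List<String> getFirewallTargetTags(Network network, boolean useInternalIP) throws IOException, RetryableProvisionException {
    FirewallList firewalls;
    try {
        // Rules are listed from the network host project, which for a shared VPC differs from the cluster project.
        firewalls = compute.firewalls().list(conf.getNetworkHostProjectID()).execute();
    } catch (Exception e) {
        // Let transient failures surface as RetryableProvisionException; anything else propagates unchanged.
        handleRetryableExceptions(e);
        throw e;
    }
    List<String> tags = new ArrayList<>();
    // Ports not yet covered by a matching rule; emptied as rules are found.
    Set<FirewallPort> requiredPorts = EnumSet.allOf(FirewallPort.class);
    for (Firewall firewall : Optional.ofNullable(firewalls.getItems()).orElse(Collections.emptyList())) {
        // firewall.getNetwork() is a self-link like
        // https://www.googleapis.com/compute/v1/projects/<project>/<region>/networks/<name>;
        // only the trailing path segment is compared to the configured network name.
        String networkUrl = firewall.getNetwork();
        int idx = networkUrl.lastIndexOf('/');
        String networkName = idx >= 0 ? networkUrl.substring(idx + 1) : networkUrl;
        if (!networkName.equals(network.getName())) {
            continue;
        }
        // Only ingress rules with an 'allowed' list can open a port for us.
        // NOTE(review): the rule's enabled/disabled state is not consulted, so a disabled rule that
        // otherwise matches still contributes its tag without actually opening the port — confirm
        // whether the compute model in use exposes that flag and filter on it if so.
        if (!"INGRESS".equals(firewall.getDirection()) || firewall.getAllowed() == null) {
            continue;
        }
        if (useInternalIP && !admitsPrivateSourceRanges(firewall)) {
            continue;
        }
        for (Firewall.Allowed allowed : firewall.getAllowed()) {
            String protocol = allowed.getIPProtocol();
            boolean satisfiesRequirement = false;
            if ("all".equalsIgnoreCase(protocol)) {
                // Protocol 'all' covers every required port at once.
                requiredPorts.clear();
                satisfiesRequirement = true;
            } else if ("tcp".equalsIgnoreCase(protocol) && isPortAllowed(allowed.getPorts(), FirewallPort.SSH.port)) {
                // Only SSH is matched per port; any other FirewallPort constant can be satisfied solely by
                // an 'all' rule. NOTE(review): revisit this branch if FirewallPort gains more entries.
                requiredPorts.remove(FirewallPort.SSH);
                satisfiesRequirement = true;
            }
            if (satisfiesRequirement && firewall.getTargetTags() != null && !firewall.getTargetTags().isEmpty()) {
                // A rule with several matching 'allowed' entries, or several rules sharing a tag, would
                // otherwise repeat the same tag; keep the list distinct while preserving discovery order.
                String tag = firewall.getTargetTags().iterator().next();
                if (!tags.contains(tag)) {
                    tags.add(tag);
                }
            }
        }
    }
    if (!requiredPorts.isEmpty()) {
        String portList = requiredPorts.stream().map(p -> String.valueOf(p.port)).collect(Collectors.joining(","));
        throw new IllegalArgumentException(String.format("Could not find an ingress firewall rule for network '%s' in project '%s' for ports '%s'. " + "Please create a rule to allow incoming traffic on those ports for your IP range.", network.getName(), conf.getNetworkHostProjectID(), portList));
    }
    return tags;
}

/**
 * Returns whether {@code firewall} is usable when the VM is reached over its internal IP, i.e. whether its
 * source ranges overlap at least one of {@code PRIVATE_IP_RANGES}.
 * <p>
 * A rule with no source ranges (for example one keyed on source tags or service accounts) is accepted as-is,
 * and a rule whose ranges cannot be parsed is accepted after logging a warning. This fail-open behaviour is
 * intentional best effort: the check only serves connectivity, since a rule that does not admit the private
 * blocks simply will not help the VM reach Dataproc; it is not a safeguard against over-exposure.
 */
private boolean admitsPrivateSourceRanges(Firewall firewall) {
    try {
        List<IPRange> sourceRanges = Optional.ofNullable(firewall.getSourceRanges()).map(DataprocUtils::parseIPRanges).orElse(Collections.emptyList());
        if (sourceRanges.isEmpty()) {
            return true;
        }
        return PRIVATE_IP_RANGES.stream().anyMatch(privateRange -> sourceRanges.stream().anyMatch(privateRange::isOverlap));
    } catch (Exception e) {
        LOG.warn("Failed to parse source ranges from firewall rule {}", firewall.getName(), e);
        return true;
    }
}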
