appengine/chrome_infra_mon_proxy/vm_module.py - Issue 928043005: Monitoring proxy for time series data

Side by Side Diff: appengine/chrome_infra_mon_proxy/vm_module.py

Issue 928043005: Monitoring proxy for time series data (Closed) Base URL: https://chromium.googlesource.com/infra/infra.git@master

Patch Set: Responded to comments Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 # Copyright 2015 The Chromium Authors. All rights reserved.

	2 # Use of this source code is governed by a BSD-style license that can be

	3 # found in the LICENSE file.

	4

	5 import googleapiclient.http

	6 import httplib2

	7 import json

	8 import logging

	9 import os

	10 import traceback

	11 import webapp2

	12

	13 from google.appengine.api import app_identity

	14 from google.appengine.ext import ndb

	15

	16 import common

	17

	18

	19 def _get_config_data():

	20 data_entity = common.MonAcqData.get_by_id(common.CONFIG_DATA_KEY)

	21 logging.info('get_config_data(): entity = %r', data_entity)

	22 if not data_entity:

	23 return None

	24 return data_entity.to_dict()

	25

	26

	27 def _get_credentials(credentials_dict, scopes):

	28 """Obtain Aquisition API credentials as Credentials object."""

	29 from oauth2client.client import SignedJwtAssertionCredentials

	30

	31 # Ideally, we should have loaded credentials with GoogleCredentials.

	32 # However, it insists to load only from a file. So, here's a hack.

	33 return SignedJwtAssertionCredentials(

	34 service_account_name=credentials_dict['client_email'],

	35 private_key=credentials_dict['private_key'],

	36 scope=scopes,

	37 # Extra **kwargs, just in case.

	38 service_account_id=credentials_dict['client_id'],

	39 private_key_id=credentials_dict['private_key_id'],

	40 )

	41

	42

	43 class VMHandler(webapp2.RequestHandler):

	44

	45 def requester_is_me(self):

	46 requester_id = self.request.headers.get('X-Appengine-Inbound-Appid')

	47 return requester_id == app_identity.get_application_id()

	48

	49 def requester_is_task(self):

	50 return bool(self.request.headers.get('X-AppEngine-TaskName'))

	51

	52 def post(self):

	53 authorized = (

	54 common.is_development_server() or

	55 self.requester_is_task() or self.requester_is_me())

	56 if not authorized:

	57 self.abort(403)

	58 data = _get_config_data()

	59 if not data:

	60 self.abort_admin_error('Endpoint data is not set')

	61 if not all(f in data for f in ['credentials', 'url']):

	62 self.abort_admin_error('Missing required fields: credentials, url')

	63

	64 url = data['url']

	65 http_auth = httplib2.Http()

	66 try:

	67 credentials = _get_credentials(data['credentials'], data['scopes'])

	68 except KeyError as e:

	69 self.abort_admin_error('Bad credentials format: missing field %s' % e)

	70 http_auth = credentials.authorize(http_auth)
	Vadim Sh. 2015/04/28 18:10:43 this thing does RSA signing and calls google serve this thing does RSA signing and calls google servers (via urlfetch) to grab access_token _in each request_, no wonder it is slow SignedJwtAssertionCredentials object caches access_token internally. It is mutable stateful object. You need to cache it across requests, so that its access token is reused. Then you'll pay the penalty of token refresh only once an hour (when access token expires). Be careful with multithreading though, it is not thread safe (but request handlers are). (For high QPS it should be made even more carefully, to avoid multiple requests all start refreshing the token at once when it expiration comes). Also oauth2client library is not the best kind of library for writing this sort of logic in my opinion. It is very flexible and supports all kinds of flows and storage mechanisms, but when you need to implement something that works fast in multithreaded environment in very specific conditions (e.g. your case), the flexibility gets in the way. Sergey Berezin 2015/04/28 19:35:27 Thanks, this is great info. I'll definitely think Thanks, this is great info. I'll definitely think about this, and will fix it in future CLs. It is not mission-critical at the moment though, so I'd say it can wait for a bit. Can you suggest alternative libraries? Otherwise, I'll look for a way to store the token in the Datastore, and reconstruct SignedJwtAssertionCredentials with a cached token. Refreshing a token at 500 qps without a race storm will indeed be an interesting challenge. I'll think about it. Vadim Sh. 2015/04/28 20:28:52 Swarming components have simple "get_access_token( Show quoted text On 2015/04/28 19:35:27, Sergey Berezin wrote: > Thanks, this is great info. I'll definitely think about this, and will fix it in > future CLs. It is not mission-critical at the moment though, so I'd say it can > wait for a bit. > > Can you suggest alternative libraries? Otherwise, I'll look for a way to store > the token in the Datastore, and reconstruct SignedJwtAssertionCredentials with a > cached token. Refreshing a token at 500 qps without a race storm will indeed be > an interesting challenge. I'll think about it. Swarming components have simple "get_access_token(...)" function that works with service accounts and that uses memcache to store access token. It can be slightly adjusted to use local memory as yet another caching layer (for existing use cases memcache was more than enough, for long lived managed VM local cache is justifiable). We also have wrapper around URLfetch that knows how to use get_access_token and that implements retries. Roughly, the usage would be: from components import auth from components import net service_account_key = auth.ServiceAccountKey( client_email=..., private_key=..., private_key_id=...) response = net.request( url=url, method='POST', payload=self.request.body, headers={'Content-Type': 'application/x-protobuf'}, scopes=data['scopes'], service_account_key=service_account_key) (succeeds on 200 <= code <= 299) (raises net.Error on 300 <= code < 500) (retries >= 500 a bunch of times) net.py: https://github.com/luci/luci-py/blob/master/appengine/components/components/n... service_account.py: https://github.com/luci/luci-py/blob/master/appengine/components/components/a...
	71 def callback(response, _content):

	72 success = 200 <= response.status and response.status <= 299

	73 if not success:

	74 logging.error('Failed to send data to %s: %d %s',

	75 url, response.status, response.reason)

	76 # Important: set content-type to binary, otherwise httplib2 mangles it.

	77 data.setdefault('headers', {}).update({

	78 'content-length': str(len(self.request.body)),

	79 'content-type': 'application/x-protobuf',

	80 })

	81 request = googleapiclient.http.HttpRequest(

	82 http_auth, callback, url, method='POST', body=self.request.body,

	83 headers=data['headers'])

	84 logging.debug('Sending the payload (synchronously).')

	85 request.execute()

	86 logging.debug('Done sending the payload.')

	87

	88 def abort_admin_error(self, message):

	89 logging.error('%s; please visit https://%s/admin/',

	90 message, app_identity.get_default_version_hostname())

	91 self.abort(500)

	92

	93

	94 logging.basicConfig(level=logging.DEBUG)

	95 app = webapp2.WSGIApplication([

	96 ('/vm.*', VMHandler),

	97 ], debug=True)

OLD	NEW

« appengine/chrome_infra_mon_proxy/main.py ('K') | « appengine/chrome_infra_mon_proxy/vm3.yaml ('k') | no next file » | no next file with comments »