[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 17 c

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

db53ffbc

by Martin Blanchard at 2018-11-29T08:59:48Z

execution/service.py: Calculate client counts

https://gitlab.com/BuildGrid/buildgrid/issues/132

5ecfb7f8

by Martin Blanchard at 2018-11-29T08:59:48Z

bots/service.py: Calculate bot counts

https://gitlab.com/BuildGrid/buildgrid/issues/132

df5b6a80

by Martin Blanchard at 2018-11-29T08:59:48Z

Expose scheduler from controller's service instances

https://gitlab.com/BuildGrid/buildgrid/issues/132

5e608d6b

by Martin Blanchard at 2018-11-29T08:59:48Z

.pylintrc: Add Duration to list of ignored classes

https://gitlab.com/BuildGrid/buildgrid/issues/132

c167a1d0

by Martin Blanchard at 2018-11-29T08:59:48Z

server/job.py: Calculate job queue time and retry count

https://gitlab.com/BuildGrid/buildgrid/issues/132

8fc6d17d

by Martin Blanchard at 2018-11-29T08:59:48Z

server/scheduler.py: Calculate job counts

https://gitlab.com/BuildGrid/buildgrid/issues/132

397f385b

by Martin Blanchard at 2018-11-29T08:59:48Z

setup.py: Introduce janus dependency (Python >= 3.5.3)

https://gitlab.com/BuildGrid/buildgrid/issues/132

dbbcdb50

by Martin Blanchard at 2018-11-29T08:59:48Z

settings.py: Add a monitoring period setting

https://gitlab.com/BuildGrid/buildgrid/issues/132

50f3f63b

by Martin Blanchard at 2018-11-29T08:59:48Z

server/instance.py: Run a monitoring task periodically

https://gitlab.com/BuildGrid/buildgrid/issues/132

62870d0a

by Martin Blanchard at 2018-11-29T09:24:03Z

setup.py: Introduce pyjwt dependency

Hosted at: https://github.com/jpadilla/pyjwt

7513caf3

by Martin Blanchard at 2018-11-29T15:38:45Z

server/_authentication.py: New JWT based gRPC interceptor

0cffd69a

by Martin Blanchard at 2018-11-29T15:38:49Z

client/authentication.py: New client gRPC channel helpers

37c9140e

by Martin Blanchard at 2018-11-29T15:38:54Z

cmd_capabilities.py: Port to new client channel helpers

1911cd93

by Martin Blanchard at 2018-11-29T15:38:54Z

cmd_cas.py: Port‧to‧new‧client‧channel‧helpers

c6b9dd15

by Martin Blanchard at 2018-11-29T15:38:54Z

cmd_execute.py: Port‧to‧new‧client‧channel‧helpers

8a900c4e

by Martin Blanchard at 2018-11-29T15:38:54Z

cmd_operation.py: Port‧to‧new‧client‧channel‧helpers

b6c12e78

by Martin Blanchard at 2018-11-29T15:38:54Z

server/instance.py: Register authentication gRPC interceptor

18 changed files:

.pylintrc
buildgrid/_app/commands/cmd_capabilities.py
buildgrid/_app/commands/cmd_cas.py
buildgrid/_app/commands/cmd_execute.py
buildgrid/_app/commands/cmd_operation.py
+ buildgrid/client/authentication.py
+ buildgrid/server/_authentication.py
buildgrid/server/bots/instance.py
buildgrid/server/bots/service.py
buildgrid/server/execution/instance.py
buildgrid/server/execution/service.py
buildgrid/server/instance.py
buildgrid/server/job.py
buildgrid/server/operations/instance.py
buildgrid/server/operations/service.py
buildgrid/server/scheduler.py
buildgrid/settings.py
setup.py

Changes:

.pylintrc

@@ -185,6 +185,7 @@ ignore-on-opaque-inference=yes
  # for classes with dynamically set attributes). This supports the use of
  # qualified names.
  ignored-classes=google.protobuf.any_pb2.Any,
 +                google.protobuf.duration_pb2.Duration,
                  google.protobuf.timestamp_pb2.Timestamp
  # List of module names for which member attributes should not be checked
@@ -460,6 +461,8 @@ known-third-party=boto3,
                    enchant,
                    google,
                    grpc,
 +                  janus,
 +                  jwt,
                    moto,
                    yaml
@@ -523,4 +526,4 @@ valid-metaclass-classmethod-first-arg=mcs
  # Exceptions that will emit a warning when being caught. Defaults to
  # "Exception"
 -overgeneral-exceptions=Exception
 +overgeneral-exceptions=Exception
 \ No newline at end of file

buildgrid/_app/commands/cmd_capabilities.py

@@ -17,9 +17,12 @@ import sys
  from urllib.parse import urlparse
  import click
 +from google.protobuf import json_format
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.capabilities import CapabilitiesInterface
 +from buildgrid._exceptions import InvalidArgumentError
  from ..cli import pass_context
@@ -27,32 +30,29 @@ from ..cli import pass_context
  @click.command(name='capabilities', short_help="Capabilities service.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    click.echo("Getting capabilities...")
 -    url = urlparse(remote)
+-
 -    remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        channel = grpc.insecure_channel(remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
+-
 -        channel = grpc.secure_channel(remote, credentials)
+-
 -    interface = CapabilitiesInterface(channel)
 -    response = interface.get_capabilities(instance_name)
 -    click.echo(response)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-capabilities CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
++
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
++
 +    context.instance_name = instance_name
++
 +    interface = CapabilitiesInterface(context.channel)
 +    response = interface.get_capabilities(context.instance_name)
++
 +    click.echo(json_format.MessageToJson(response))

buildgrid/_app/commands/cmd_cas.py

@@ -27,7 +27,9 @@ from urllib.parse import urlparse
  import click
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid.utils import create_digest, merkle_tree_maker, read_file
@@ -37,32 +39,27 @@ from ..cli import pass_context
  @click.group(name='cas', short_help="Interact with the CAS server.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
                help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-cas CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('upload-dummy', short_help="Upload a dummy action. Should be used with `execute dummy-request`")

buildgrid/_app/commands/cmd_execute.py

@@ -28,7 +28,9 @@ from urllib.parse import urlparse
  import click
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid.utils import create_digest
@@ -38,32 +40,27 @@ from ..cli import pass_context
  @click.group(name='execute', short_help="Execute simple operations.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
  def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +    """Entry point for the bgd-execute CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('request-dummy', short_help="Send a dummy action.")

buildgrid/_app/commands/cmd_operation.py

@@ -30,7 +30,9 @@ import click
  from google.protobuf import json_format
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid._enums import OperationStage
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid._protos.google.longrunning import operations_pb2, operations_pb2_grpc
  from buildgrid._protos.google.rpc import code_pb2
@@ -41,32 +43,27 @@ from ..cli import pass_context
  @click.group(name='operation', short_help="Long running operations commands.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
  def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +    """Entry point for the bgd-operation CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  def _print_operation_status(operation, print_details=False):

buildgrid/client/authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import base64
 +from collections import namedtuple
 +from urllib.parse import urlparse
 +import os
++
 +import grpc
++
 +from buildgrid._exceptions import InvalidArgumentError
 +from buildgrid.utils import read_file
++
++
 +def load_tls_channel_credentials(client_key=None, client_cert=None, server_cert=None):
 +    """Looks-up and loads TLS gRPC client channel credentials.
++
 +    Args:
 +        client_key(str, optional): Client certificate chain file path.
 +        client_cert(str, optional): Client private key file path.
 +        server_cert(str, optional): Serve root certificate file path.
++
 +    Returns:
 +        ChannelCredentials: Credentials to be used for a TLS-encrypted gRPC
 +            client channel.
 +    """
 +    if server_cert and os.path.exists(server_cert):
 +        server_cert_pem = read_file(server_cert)
 +    else:
 +        server_cert_pem = None
++
 +    if client_key and os.path.exists(client_key):
 +        client_key_pem = read_file(client_key)
 +    else:
 +        client_key_pem = None
++
 +    if client_key_pem and client_cert and os.path.exists(client_cert):
 +        client_cert_pem = read_file(client_cert)
 +    else:
 +        client_cert_pem = None
++
 +    credentials = grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                               private_key=client_key_pem,
 +                                               certificate_chain=client_cert_pem)
 +    return credentials
++
++
 +def load_channel_authorization_token(authorization_token=None):
 +    """Looks-up and loads client authorization token.
++
 +    Args:
 +        authorization_token(str, optional): Token file path.
++
 +    Returns:
 +        str: Encoded token string.
 +    """
 +    if authorization_token and os.path.exists(authorization_token):
 +        return read_file(authorization_token)
++
 +    #TODO: Try loading the token from a default location?
++
 +    return None
++
++
 +def setup_channel(remote_url, authorization_token=None,
 +                  client_key=None, client_cert=None, server_cert=None):
 +    """Creates a new gRPC client communication chanel.
++
 +    If `remote_url` does not specifies a port number, defaults 50051.
++
 +    Args:
 +        remote_url (str): URL for the remote, including port and protocol.
 +        authorization_token (str): Authorization token file path.
 +        server_cert(str): TLS certificate chain file path.
 +        client_key(str): TLS root certificate file path.
 +        client_cert(str): TLS private key file path.
++
 +    Returns:
 +        (str, Channel):
++
 +    Raises:
 +        InvalidArgumentError: On any input parsing error.
 +    """
 +    url = urlparse(remote_url)
 +    remote = '{}:{}'.format(url.hostname, url.port or 50051)
++
 +    if url.scheme == 'http':
 +        channel = grpc.insecure_channel(remote)
++
 +    elif url.scheme == 'https':
 +        credentials = load_tls_channel_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            raise InvalidArgumentError("Given TLS details (or defaults) could be loaded")
++
 +        channel = grpc.secure_channel(remote, credentials)
++
 +    else:
 +        raise InvalidArgumentError("Given remote does not specify a protocol")
++
 +    if authorization_token is not None:
 +        token = load_channel_authorization_token(authorization_token)
 +        if not token:
 +            raise InvalidArgumentError("Given authorization token could be loaded")
++
 +        interpector =  AuthMetadataClientInterceptor(token)
 +        channel = grpc.intercept_channel(channel, interpector)
++
 +    return channel
++
++
 +class AuthMetadataClientInterceptor(
 +        grpc.UnaryUnaryClientInterceptor, grpc.UnaryStreamClientInterceptor,
 +        grpc.StreamUnaryClientInterceptor, grpc.StreamStreamClientInterceptor):
++
 +    def __init__(self, authorization_token=None, authorization_secret=None):
 +        """Initialises a new :class:`AuthMetadataClientInterceptor`.
++
 +        Args:
 +            authorization_token (str): Authorization token as a string.
 +        """
 +        if authorization_token:
 +            self.__secret = authorization_token.strip()
 +        else:
 +            self.__secret = base64.b64encode(authorization_secret)
++
 +        self.__header_field_name = 'authorization'
 +        self.__header_field_value = 'Bearer {}'.format(self.__secret)
++
 +    def intercept_unary_unary(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_unary_stream(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_stream_unary(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    def intercept_stream_stream(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    def _amend_call_details(self, client_call_details):
 +        if client_call_details.metadata is not None:
 +            new_metadata = list(client_call_details.metadata)
 +        else:
 +            new_metadata = []
++
 +        new_metadata.append(
 +            (self.__header_field_name, self.__header_field_value,))
++
 +        class _ClientCallDetails(
 +                namedtuple('_ClientCallDetails',
 +                           ('method', 'timeout', 'credentials', 'metadata')),
 +                grpc.ClientCallDetails):
 +            pass
++
 +        return _ClientCallDetails(client_call_details.method,
 +                                  client_call_details.timeout,
 +                                  client_call_details.credentials,
 +                                  new_metadata)

buildgrid/server/_authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from datetime import datetime
 +from enum import Enum
 +import logging
++
 +import grpc
 +import jwt
++
 +from buildgrid._exceptions import InvalidArgumentError
++
++
 +class JwtAlgorithm(Enum):
 +    # HMAC algorithms:
 +    HS256 = 'HS256'
 +    HS384 = 'HS384'
 +    HS512 = 'HS512'
++
 +    # RSASSA-PKCS algorithms:
 +    RS256 = 'RS256'
 +    RS384 = 'RS384'
 +    RS512 = 'RS512'
++
 +    # RSASSA-PSS algorithms:
 +    PS256 = 'PS256'
 +    PS384 = 'PS384'
 +    PS512 = 'PS512'
++
 +    # ECDSA algorithms:
 +    ES256 = 'ES256'
 +    ES384 = 'ES384'
 +    ES521 = 'ES521'
 +    ES512 = 'ES512'
++
++
 +class AuthMetadataServerInterceptor(grpc.ServerInterceptor):
++
 +    __auth_errors = {
 +        'missing-bearer': 'Missing authentication header field',
 +        'invalid-bearer': 'Invalid authentication header field',
 +        'invalid-token': 'Invalid authentication token',
 +        'expired-token': 'Expired authentication token',
 +        'unbounded-token': 'Unbounded authentication token',
 +    }
++
 +    def __init__(self, secret, algorithm):
 +        """Initialises a new :class:`AuthMetadataServerInterceptor`.
++
 +        Args:
 +            secret (str): Symetric secret key or asymetric public key.
 +            algorithm (JwtAlgorithm): Algorithm used to encode `secret`.
++
 +        Raises:
 +            InvalidArgumentError: If `algorithm` is not supported.
 +        """
 +        self.__logger = logging.getLogger(__name__)
++
 +        self.__bearer_cache = {}
 +        self.__terminators = {}
 +        self.__secret = secret
 +        self.__algorithms = [algorithm.value]
++
 +        try:
 +            jwt.register_algorithm(self.__algorithms[0], None)
++
 +        except TypeError:
 +            raise InvalidArgumentError("Algorithm not supported for JWT decoding: [{}]"
 +                                       .format(self._algorithm))
++
 +        except ValueError:
 +            pass
++
 +        for code, message in self.__auth_errors.items():
 +            self.__terminators[code] = _unary_unary_rpc_terminator(message)
++
 +    @property
 +    def algorithm(self):
 +        return JwtAlgorithm(self.__algorithms[0])
++
 +    def intercept_service(self, continuation, handler_call_details):
 +        try:
 +            # Reject requests not carrying a token:
 +            bearer = dict(handler_call_details.invocation_metadata)['authorization']
++
 +        except KeyError:
 +            self.__logger.error("Rejecting '{}' request: {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['missing-bearer']))
 +            return self.__terminators['missing-bearer']
++
 +        # Reject requests with malformated bearer:
 +        if not bearer.startswith('Bearer '):
 +            self.__logger.error("Rejecting '{}' request: {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['invalid-bearer']))
 +            return self.__terminators['invalid-bearer']
++
 +        try:
 +            # Hit the cache for already validated token:
 +            expiration_time = self.__bearer_cache[bearer]
++
 +            # Accept request if cached token hasn't expired yet:
 +            if expiration_time < datetime.utcnow():
 +                return continuation(handler_call_details)  # Accepted
++
 +        except KeyError:
 +            pass
++
 +        try:
 +            # Decode and validate the new token:
 +            payload = jwt.decode(bearer[7:], self.__secret, algorithms=self.__algorithms)
++
 +        except jwt.exceptions.ExpiredSignatureError as e:
 +            self.__logger.error("Rejecting '{}' request: {}; {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['expired-token'], str(e)))
 +            return self.__terminators['expired-token']
++
 +        except jwt.exceptions.InvalidTokenError as e:
 +            self.__logger.error("Rejecting '{}' request: {}; {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['invalid-token'], str(e)))
 +            return self.__terminators['invalid-token']
++
 +        # Do not accept token without an expiration time:
 +        if 'exp' not in payload or not isinstance(payload['exp'], int):
 +            self.__logger.error("Rejecting '{}' request: {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['unbounded-token']))
 +            return self.__terminators['unbounded-token']
++
 +        # Cache the validated token and store expiration time:
 +        self.__bearer_cache[bearer] = datetime.fromtimestamp(payload['exp'])
++
 +        return continuation(handler_call_details)  # Accepted
++
++
 +def _unary_unary_rpc_terminator(details):
++
 +    def terminate(ignored_request, context):
 +        context.abort(grpc.StatusCode.UNAUTHENTICATED, details)
++
 +    return grpc.unary_unary_rpc_method_handler(terminate)

buildgrid/server/bots/instance.py

@@ -37,6 +37,10 @@ class BotsInterface:
          self._assigned_leases = {}
          self._scheduler = scheduler
 +    @property
 +    def scheduler(self):
 +        return self._scheduler
++
      def register_instance_with_server(self, instance_name, server):
          server.add_bots_interface(self, instance_name)

buildgrid/server/bots/service.py

@@ -23,8 +23,9 @@ import logging
  import grpc
 -from google.protobuf.empty_pb2 import Empty
 +from google.protobuf import empty_pb2, timestamp_pb2
 +from buildgrid._enums import BotStatus
  from buildgrid._exceptions import InvalidArgumentError, OutOfSyncError
  from buildgrid._protos.google.devtools.remoteworkers.v1test2 import bots_pb2
  from buildgrid._protos.google.devtools.remoteworkers.v1test2 import bots_pb2_grpc
@@ -32,24 +33,86 @@ from buildgrid._protos.google.devtools.remoteworkers.v1test2 import bots_pb2_grp
  class BotsService(bots_pb2_grpc.BotsServicer):
 -    def __init__(self, server):
 +    def __init__(self, server, monitor=False):
          self.__logger = logging.getLogger(__name__)
 +        self.__bots_by_status = None
 +        self.__bots_by_instance = None
 +        self.__bots = None
++
          self._instances = {}
          bots_pb2_grpc.add_BotsServicer_to_server(self, server)
 -    def add_instance(self, name, instance):
 -        self._instances[name] = instance
 +        self._is_instrumented = monitor
++
 +        if self._is_instrumented:
 +            self.__bots_by_status = {}
 +            self.__bots_by_instance = {}
 +            self.__bots = {}
++
 +            self.__bots_by_status[BotStatus.OK] = set()
 +            self.__bots_by_status[BotStatus.UNHEALTHY] = set()
++
 +    # --- Public API ---
++
 +    def add_instance(self, instance_name, instance):
 +        """Registers a new servicer instance.
++
 +        Args:
 +            instance_name (str): The new instance's name.
 +            instance (BotsInterface): The new instance itself.
 +        """
 +        self._instances[instance_name] = instance
++
 +        if self._is_instrumented:
 +            self.__bots_by_instance[instance_name] = set()
++
 +    def get_scheduler(self, instance_name):
 +        """Retrieves a reference to the scheduler for an instance.
++
 +        Args:
 +            instance_name (str): The name of the instance to query.
++
 +        Returns:
 +            Scheduler: A reference to the scheduler for `instance_name`.
++
 +        Raises:
 +            InvalidArgumentError: If no instance named `instance_name` exists.
 +        """
 +        instance = self._get_instance(instance_name)
++
 +        return instance.scheduler
++
 +    # --- Public API: Servicer ---
      def CreateBotSession(self, request, context):
 +        """Handles CreateBotSessionRequest messages.
++
 +        Args:
 +            request (CreateBotSessionRequest): The incoming RPC request.
 +            context (grpc.ServicerContext): Context for the RPC call.
 +        """
          self.__logger.debug("CreateBotSession request from [%s]", context.peer())
 +        instance_name = request.parent
 +        bot_status = BotStatus(request.bot_session.status)
 +        bot_id = request.bot_session.bot_id
++
          try:
 -            parent = request.parent
 -            instance = self._get_instance(request.parent)
 -            return instance.create_bot_session(parent,
 -                                               request.bot_session)
 +            instance = self._get_instance(instance_name)
 +            bot_session = instance.create_bot_session(instance_name,
 +                                                      request.bot_session)
 +            now = timestamp_pb2.Timestamp()
 +            now.GetCurrentTime()
++
 +            if self._is_instrumented:
 +                self.__bots[bot_id] = now
 +                self.__bots_by_instance[instance_name].add(bot_id)
 +                if bot_status in self.__bots_by_status:
 +                    self.__bots_by_status[bot_status].add(bot_id)
++
 +            return bot_session
          except InvalidArgumentError as e:
              self.__logger.error(e)
@@ -59,17 +122,41 @@ class BotsService(bots_pb2_grpc.BotsServicer):
          return bots_pb2.BotSession()
      def UpdateBotSession(self, request, context):
 +        """Handles UpdateBotSessionRequest messages.
++
 +        Args:
 +            request (UpdateBotSessionRequest): The incoming RPC request.
 +            context (grpc.ServicerContext): Context for the RPC call.
 +        """
          self.__logger.debug("UpdateBotSession request from [%s]", context.peer())
 +        names = request.name.split("/")
 +        bot_status = BotStatus(request.bot_session.status)
 +        bot_id = request.bot_session.bot_id
++
          try:
 -            names = request.name.split("/")
 -            # Operation name should be in format:
 -            # {instance/name}/{uuid}
 -            instance_name = ''.join(names[0:-1])
 +            instance_name = '/'.join(names[:-1])
              instance = self._get_instance(instance_name)
 -            return instance.update_bot_session(request.name,
 -                                               request.bot_session)
 +            bot_session = instance.update_bot_session(request.name,
 +                                                      request.bot_session)
++
 +            if self._is_instrumented:
 +                self.__bots[bot_id].GetCurrentTime()
 +                if bot_id not in self.__bots_by_status[bot_status]:
 +                    if bot_status == BotStatus.OK:
 +                        self.__bots_by_status[BotStatus.OK].add(bot_id)
 +                        self.__bots_by_status[BotStatus.UNHEALTHY].discard(bot_id)
++
 +                    elif bot_status == BotStatus.UNHEALTHY:
 +                        self.__bots_by_status[BotStatus.OK].discard(bot_id)
 +                        self.__bots_by_status[BotStatus.UNHEALTHY].add(bot_id)
++
 +                    else:
 +                        self.__bots_by_instance[instance_name].remove(bot_id)
 +                        del self.__bots[bot_id]
++
 +            return bot_session
          except InvalidArgumentError as e:
              self.__logger.error(e)
@@ -89,10 +176,47 @@ class BotsService(bots_pb2_grpc.BotsServicer):
          return bots_pb2.BotSession()
      def PostBotEventTemp(self, request, context):
 +        """Handles PostBotEventTempRequest messages.
++
 +        Args:
 +            request (PostBotEventTempRequest): The incoming RPC request.
 +            context (grpc.ServicerContext): Context for the RPC call.
 +        """
          self.__logger.debug("PostBotEventTemp request from [%s]", context.peer())
          context.set_code(grpc.StatusCode.UNIMPLEMENTED)
 -        return Empty()
++
 +        return empty_pb2.Empty()
++
 +    # --- Public API: Monitoring ---
++
 +    @property
 +    def is_instrumented(self):
 +        return self._is_instrumented
++
 +    def query_n_bots(self):
 +        if self.__bots is not None:
 +            return len(self.__bots)
++
 +        return 0
++
 +    def query_n_bots_for_instance(self, instance_name):
 +        try:
 +            if self.__bots_by_instance is not None:
 +                return len(self.__bots_by_instance[instance_name])
 +        except KeyError:
 +            pass
 +        return 0
++
 +    def query_n_bots_for_status(self, bot_status):
 +        try:
 +            if self.__bots_by_status is not None:
 +                return len(self.__bots_by_status[bot_status])
 +        except KeyError:
 +            pass
 +        return 0
++
 +    # --- Private API ---
      def _get_instance(self, name):
          try:

buildgrid/server/execution/instance.py

@@ -36,6 +36,10 @@ class ExecutionInstance:
          self._storage = storage
          self._scheduler = scheduler
 +    @property
 +    def scheduler(self):
 +        return self._scheduler
++
      def register_instance_with_server(self, instance_name, server):
          server.add_execution_instance(self, instance_name)

buildgrid/server/execution/service.py

@@ -33,30 +33,84 @@ from buildgrid._protos.google.longrunning import operations_pb2
  class ExecutionService(remote_execution_pb2_grpc.ExecutionServicer):
 -    def __init__(self, server):
 +    def __init__(self, server, monitor=False):
          self.__logger = logging.getLogger(__name__)
 +        self.__peers_by_instance = None
 +        self.__peers = None
++
          self._instances = {}
++
          remote_execution_pb2_grpc.add_ExecutionServicer_to_server(self, server)
 -    def add_instance(self, name, instance):
 -        self._instances[name] = instance
 +        self._is_instrumented = monitor
++
 +        if self._is_instrumented:
 +            self.__peers_by_instance = {}
 +            self.__peers = {}
++
 +    # --- Public API ---
++
 +    def add_instance(self, instance_name, instance):
 +        """Registers a new servicer instance.
++
 +        Args:
 +            instance_name (str): The new instance's name.
 +            instance (ExecutionInstance): The new instance itself.
 +        """
 +        self._instances[instance_name] = instance
++
 +        if self._is_instrumented:
 +            self.__peers_by_instance[instance_name] = set()
++
 +    def get_scheduler(self, instance_name):
 +        """Retrieves a reference to the scheduler for an instance.
++
 +        Args:
 +            instance_name (str): The name of the instance to query.
++
 +        Returns:
 +            Scheduler: A reference to the scheduler for `instance_name`.
++
 +        Raises:
 +            InvalidArgumentError: If no instance named `instance_name` exists.
 +        """
 +        instance = self._get_instance(instance_name)
++
 +        return instance.scheduler
++
 +    # --- Public API: Servicer ---
      def Execute(self, request, context):
 +        """Handles ExecuteRequest messages.
++
 +        Args:
 +            request (ExecuteRequest): The incoming RPC request.
 +            context (grpc.ServicerContext): Context for the RPC call.
 +        """
          self.__logger.debug("Execute request from [%s]", context.peer())
 +        instance_name = request.instance_name
 +        message_queue = queue.Queue()
 +        peer = context.peer()
++
          try:
 -            message_queue = queue.Queue()
 -            instance = self._get_instance(request.instance_name)
 +            instance = self._get_instance(instance_name)
              operation = instance.execute(request.action_digest,
                                           request.skip_cache_lookup,
                                           message_queue)
 -            context.add_callback(partial(instance.unregister_message_client,
 -                                         operation.name, message_queue))
 +            context.add_callback(partial(self._rpc_termination_callback,
 +                                         peer, instance_name, operation.name, message_queue))
 -            instanced_op_name = "{}/{}".format(request.instance_name,
 -                                               operation.name)
 +            if self._is_instrumented:
 +                if peer not in self.__peers:
 +                    self.__peers_by_instance[instance_name].add(peer)
 +                    self.__peers[peer] = 1
 +                else:
 +                    self.__peers[peer] += 1
++
 +            instanced_op_name = "{}/{}".format(instance_name, operation.name)
              self.__logger.info("Operation name: [%s]", instanced_op_name)
@@ -86,23 +140,33 @@ class ExecutionService(remote_execution_pb2_grpc.ExecutionServicer):
              yield operations_pb2.Operation()
      def WaitExecution(self, request, context):
 -        self.__logger.debug("WaitExecution request from [%s]", context.peer())
 +        """Handles WaitExecutionRequest messages.
 -        try:
 -            names = request.name.split("/")
 +        Args:
 +            request (WaitExecutionRequest): The incoming RPC request.
 +            context (grpc.ServicerContext): Context for the RPC call.
 +        """
 +        self.__logger.debug("WaitExecution request from [%s]", context.peer())
 -            # Operation name should be in format:
 -            # {instance/name}/{operation_id}
 -            instance_name = ''.join(names[0:-1])
 +        names = request.name.split('/')
 +        instance_name = '/'.join(names[:-1])
 +        operation_name = names[-1]
 +        message_queue = queue.Queue()
 +        peer = context.peer()
 -            message_queue = queue.Queue()
 -            operation_name = names[-1]
 +        try:
              instance = self._get_instance(instance_name)
              instance.register_message_client(operation_name, message_queue)
 +            context.add_callback(partial(self._rpc_termination_callback,
 +                                         peer, instance_name, operation_name, message_queue))
 -            context.add_callback(partial(instance.unregister_message_client,
 -                                         operation_name, message_queue))
 +            if self._is_instrumented:
 +                if peer not in self.__peers:
 +                    self.__peers_by_instance[instance_name].add(peer)
 +                    self.__peers[peer] = 1
 +                else:
 +                    self.__peers[peer] += 1
              for operation in instance.stream_operation_updates(message_queue,
                                                                 operation_name):
@@ -123,6 +187,39 @@ class ExecutionService(remote_execution_pb2_grpc.ExecutionServicer):
              context.set_code(grpc.StatusCode.CANCELLED)
              yield operations_pb2.Operation()
 +    # --- Public API: Monitoring ---
++
 +    @property
 +    def is_instrumented(self):
 +        return self._is_instrumented
++
 +    def query_n_clients(self):
 +        if self.__peers is not None:
 +            return len(self.__peers)
 +        return 0
++
 +    def query_n_clients_for_instance(self, instance_name):
 +        try:
 +            if self.__peers_by_instance is not None:
 +                return len(self.__peers_by_instance[instance_name])
 +        except KeyError:
 +            pass
 +        return 0
++
 +    # --- Private API ---
++
 +    def _rpc_termination_callback(self, peer, instance_name, job_name, message_queue):
 +        instance = self._get_instance(instance_name)
++
 +        instance.unregister_message_client(job_name, message_queue)
++
 +        if self._is_instrumented:
 +            if self.__peers[peer] > 1:
 +                self.__peers[peer] -= 1
 +            else:
 +                self.__peers_by_instance[instance_name].remove(peer)
 +                del self.__peers[peer]
++
      def _get_instance(self, name):
          try:
              return self._instances[name]

buildgrid/server/instance.py

@@ -15,13 +15,18 @@
  import asyncio
  from concurrent import futures
 +from datetime import timedelta
  import logging
  import os
  import signal
 +import time
  import grpc
 +from buildgrid._enums import BotStatus, MetricRecordDomain, MetricRecordType
 +from buildgrid._protos.buildgrid.v2 import monitoring_pb2
  from buildgrid.server.actioncache.service import ActionCacheService
 +from buildgrid.server._authentication import JwtAlgorithm, AuthMetadataServerInterceptor
  from buildgrid.server.bots.service import BotsService
  from buildgrid.server.cas.service import ByteStreamService, ContentAddressableStorageService
  from buildgrid.server.execution.service import ExecutionService
@@ -30,6 +35,7 @@ from buildgrid.server.operations.service import OperationsService
  from buildgrid.server.referencestorage.service import ReferenceStorageService
  from buildgrid.server.capabilities.instance import CapabilitiesInstance
  from buildgrid.server.capabilities.service import CapabilitiesService
 +from buildgrid.settings import MONITORING_PERIOD
  class BuildGridServer:
@@ -52,11 +58,15 @@ class BuildGridServer:
              max_workers = (os.cpu_count() or 1) * 5
          self.__grpc_executor = futures.ThreadPoolExecutor(max_workers)
 -        self.__grpc_server = grpc.server(self.__grpc_executor)
 +        self.__grpc_auth_interceptor = AuthMetadataServerInterceptor('your-256-bit-secret', JwtAlgorithm.HS256)
 +        self.__grpc_server = grpc.server(
 +            self.__grpc_executor, interceptors=(self.__grpc_auth_interceptor,))
          self.__main_loop = asyncio.get_event_loop()
          self.__monitoring_bus = None
 +        self.__state_monitoring_task = None
++
          # We always want a capabilities service
          self._capabilities_service = CapabilitiesService(self.__grpc_server)
@@ -68,6 +78,9 @@ class BuildGridServer:
          self._cas_service = None
          self._bytestream_service = None
 +        self._schedulers = {}
 +        self._instances = set()
++
          self._is_instrumented = monitor
          if self._is_instrumented:
@@ -84,6 +97,10 @@ class BuildGridServer:
          if self._is_instrumented:
              self.__monitoring_bus.start()
 +            self.__state_monitoring_task = asyncio.ensure_future(
 +                self._state_monitoring_worker(period=MONITORING_PERIOD),
 +                loop=self.__main_loop)
++
          self.__main_loop.add_signal_handler(signal.SIGTERM, self.stop)
          self.__main_loop.run_forever()
@@ -91,6 +108,9 @@ class BuildGridServer:
      def stop(self):
          """Stops the BuildGrid server."""
          if self._is_instrumented:
 +            if self.__state_monitoring_task is not None:
 +                self.__state_monitoring_task.cancel()
++
              self.__monitoring_bus.stop()
          self.__main_loop.stop()
@@ -130,11 +150,15 @@ class BuildGridServer:
              instance_name (str): Instance name.
          """
          if self._execution_service is None:
 -            self._execution_service = ExecutionService(self.__grpc_server)
 +            self._execution_service = ExecutionService(
 +                self.__grpc_server, monitor=self._is_instrumented)
          self._execution_service.add_instance(instance_name, instance)
          self._add_capabilities_instance(instance_name, execution_instance=instance)
 +        self._schedulers[instance_name] = instance.scheduler
 +        self._instances.add(instance_name)
++
      def add_bots_interface(self, instance, instance_name):
          """Adds a :obj:`BotsInterface` to the service.
@@ -145,10 +169,13 @@ class BuildGridServer:
              instance_name (str): Instance name.
          """
          if self._bots_service is None:
 -            self._bots_service = BotsService(self.__grpc_server)
 +            self._bots_service = BotsService(
 +                self.__grpc_server, monitor=self._is_instrumented)
          self._bots_service.add_instance(instance_name, instance)
 +        self._instances.add(instance_name)
++
      def add_operations_instance(self, instance, instance_name):
          """Adds an :obj:`OperationsInstance` to the service.
@@ -221,6 +248,14 @@ class BuildGridServer:
          self._bytestream_service.add_instance(instance_name, instance)
 +    # --- Public API: Monitoring ---
++
 +    @property
 +    def is_instrumented(self):
 +        return self._is_instrumented
++
 +    # --- Private API ---
++
      def _add_capabilities_instance(self, instance_name,
                                     cas_instance=None,
                                     action_cache_instance=None,
@@ -246,8 +281,152 @@ class BuildGridServer:
                                                           execution_instance)
              self._capabilities_service.add_instance(instance_name, capabilities_instance)
 -    # --- Public API: Monitoring ---
 +    async def _state_monitoring_worker(self, period=1.0):
 +        """Periodically publishes state metrics to the monitoring bus."""
 +        async def __state_monitoring_worker():
 +            # Emit total clients count record:
 +            _, record = self._query_n_clients()
 +            await self.__monitoring_bus.send_record(record)
++
 +            # Emit total bots count record:
 +            _, record = self._query_n_bots()
 +            await self.__monitoring_bus.send_record(record)
++
 +            queue_times = []
 +            # Emits records by instance:
 +            for instance_name in self._instances:
 +                # Emit instance clients count record:
 +                _, record = self._query_n_clients_for_instance(instance_name)
 +                await self.__monitoring_bus.send_record(record)
++
 +                # Emit instance bots count record:
 +                _, record = self._query_n_bots_for_instance(instance_name)
 +                await self.__monitoring_bus.send_record(record)
++
 +                # Emit instance average queue time record:
 +                queue_time, record = self._query_am_queue_time_for_instance(instance_name)
 +                await self.__monitoring_bus.send_record(record)
 +                if queue_time:
 +                    queue_times.append(queue_time)
++
 +            # Emits records by bot status:
 +            for bot_status in [BotStatus.OK, BotStatus.UNHEALTHY]:
 +                # Emit status bots count record:
 +                _, record = self._query_n_bots_for_status(bot_status)
 +                await self.__monitoring_bus.send_record(record)
++
 +            # Emit overall average queue time record:
 +            if queue_times:
 +                am_queue_time = sum(queue_times, timedelta()) / len(queue_times)
 +            else:
 +                am_queue_time = timedelta()
 +            record = self._forge_timer_metric_record(
 +                MetricRecordDomain.STATE,
 +                'average-queue-time',
 +                am_queue_time)
++
 +            await self.__monitoring_bus.send_record(record)
 -    @property
 -    def is_instrumented(self):
 -        return self._is_instrumented
 +        try:
 +            while True:
 +                start = time.time()
 +                await __state_monitoring_worker()
++
 +                end = time.time()
 +                await asyncio.sleep(period - (end - start))
++
 +        except asyncio.CancelledError:
 +            pass
++
 +    def _forge_counter_metric_record(self, domain, name, count, metadata=None):
 +        counter_record = monitoring_pb2.MetricRecord()
++
 +        counter_record.creation_timestamp.GetCurrentTime()
 +        counter_record.domain = domain.value
 +        counter_record.type = MetricRecordType.COUNTER.value
 +        counter_record.name = name
 +        counter_record.count = count
 +        if metadata is not None:
 +            counter_record.metadata.update(metadata)
++
 +        return counter_record
++
 +    def _forge_timer_metric_record(self, domain, name, duration, metadata=None):
 +        timer_record = monitoring_pb2.MetricRecord()
++
 +        timer_record.creation_timestamp.GetCurrentTime()
 +        timer_record.domain = domain.value
 +        timer_record.type = MetricRecordType.TIMER.value
 +        timer_record.name = name
 +        timer_record.duration.FromTimedelta(duration)
 +        if metadata is not None:
 +            timer_record.metadata.update(metadata)
++
 +        return timer_record
++
 +    def _forge_gauge_metric_record(self, domain, name, value, metadata=None):
 +        gauge_record = monitoring_pb2.MetricRecord()
++
 +        gauge_record.creation_timestamp.GetCurrentTime()
 +        gauge_record.domain = domain.value
 +        gauge_record.type = MetricRecordType.GAUGE.value
 +        gauge_record.name = name
 +        gauge_record.value = value
 +        if metadata is not None:
 +            gauge_record.metadata.update(metadata)
++
 +        return gauge_record
++
 +    # --- Private API: Monitoring ---
++
 +    def _query_n_clients(self):
 +        """Queries the number of clients connected."""
 +        n_clients = self._execution_service.query_n_clients()
 +        gauge_record = self._forge_gauge_metric_record(
 +            MetricRecordDomain.STATE, 'clients-count', n_clients)
++
 +        return n_clients, gauge_record
++
 +    def _query_n_clients_for_instance(self, instance_name):
 +        """Queries the number of clients connected for a given instance"""
 +        n_clients = self._execution_service.query_n_clients_for_instance(instance_name)
 +        gauge_record = self._forge_gauge_metric_record(
 +            MetricRecordDomain.STATE, 'clients-count', n_clients,
 +            metadata={'instance-name': instance_name or 'void'})
++
 +        return n_clients, gauge_record
++
 +    def _query_n_bots(self):
 +        """Queries the number of bots connected."""
 +        n_bots = self._bots_service.query_n_bots()
 +        gauge_record = self._forge_gauge_metric_record(
 +            MetricRecordDomain.STATE, 'bots-count', n_bots)
++
 +        return n_bots, gauge_record
++
 +    def _query_n_bots_for_instance(self, instance_name):
 +        """Queries the number of bots connected for a given instance."""
 +        n_bots = self._bots_service.query_n_bots_for_instance(instance_name)
 +        gauge_record = self._forge_gauge_metric_record(
 +            MetricRecordDomain.STATE, 'bots-count', n_bots,
 +            metadata={'instance-name': instance_name or 'void'})
++
 +        return n_bots, gauge_record
++
 +    def _query_n_bots_for_status(self, bot_status):
 +        """Queries the number of bots connected for a given health status."""
 +        n_bots = self._bots_service.query_n_bots_for_status(bot_status)
 +        gauge_record = self._forge_gauge_metric_record(
 +            MetricRecordDomain.STATE, 'bots-count', n_bots,
 +            metadata={'bot-status': bot_status.name})
++
 +        return n_bots, gauge_record
++
 +    def _query_am_queue_time_for_instance(self, instance_name):
 +        """Queries the average job's queue time for a given instance."""
 +        am_queue_time = self._schedulers[instance_name].query_am_queue_time()
 +        timer_record = self._forge_timer_metric_record(
 +            MetricRecordDomain.STATE, 'average-queue-time', am_queue_time,
 +            metadata={'instance-name': instance_name or 'void'})
++
 +        return am_queue_time, timer_record

buildgrid/server/job.py

@@ -13,10 +13,11 @@
  # limitations under the License.
 +from datetime import datetime
  import logging
  import uuid
 -from google.protobuf import timestamp_pb2
 +from google.protobuf import duration_pb2, timestamp_pb2
  from buildgrid._enums import LeaseState, OperationStage
  from buildgrid._exceptions import CancelledError
@@ -40,6 +41,7 @@ class Job:
          self.__operation_metadata = remote_execution_pb2.ExecuteOperationMetadata()
          self.__queued_timestamp = timestamp_pb2.Timestamp()
 +        self.__queued_time_duration = duration_pb2.Duration()
          self.__worker_start_timestamp = timestamp_pb2.Timestamp()
          self.__worker_completed_timestamp = timestamp_pb2.Timestamp()
@@ -56,6 +58,8 @@ class Job:
          self._operation.done = False
          self._n_tries = 0
 +    # --- Public API ---
++
      @property
      def name(self):
          return self._name
@@ -193,7 +197,7 @@ class Job:
                  result.Unpack(action_result)
              action_metadata = action_result.execution_metadata
 -            action_metadata.queued_timestamp.CopyFrom(self.__worker_start_timestamp)
 +            action_metadata.queued_timestamp.CopyFrom(self.__queued_timestamp)
              action_metadata.worker_start_timestamp.CopyFrom(self.__worker_start_timestamp)
              action_metadata.worker_completed_timestamp.CopyFrom(self.__worker_completed_timestamp)
@@ -227,6 +231,10 @@ class Job:
                  self.__queued_timestamp.GetCurrentTime()
              self._n_tries += 1
 +        elif self.__operation_metadata.stage == OperationStage.EXECUTING.value:
 +            queue_in, queue_out = self.__queued_timestamp.ToDatetime(), datetime.now()
 +            self.__queued_time_duration.FromTimedelta(queue_out - queue_in)
++
          elif self.__operation_metadata.stage == OperationStage.COMPLETED.value:
              if self.__execute_response is not None:
                  self._operation.response.Pack(self.__execute_response)
@@ -260,3 +268,11 @@ class Job:
          self.__execute_response.status.message = "Operation cancelled by client."
          self.update_operation_stage(OperationStage.COMPLETED)
++
 +    # --- Public API: Monitoring ---
++
 +    def query_queue_time(self):
 +        return self.__queued_time_duration.ToTimedelta()
++
 +    def query_n_retries(self):
 +        return self._n_tries - 1 if self._n_tries > 0 else 0

buildgrid/server/operations/instance.py

@@ -32,6 +32,10 @@ class OperationsInstance:
          self._scheduler = scheduler
 +    @property
 +    def scheduler(self):
 +        return self._scheduler
++
      def register_instance_with_server(self, instance_name, server):
          server.add_operations_instance(self, instance_name)

buildgrid/server/operations/service.py

@@ -38,8 +38,18 @@ class OperationsService(operations_pb2_grpc.OperationsServicer):
          operations_pb2_grpc.add_OperationsServicer_to_server(self, server)
 -    def add_instance(self, name, instance):
 -        self._instances[name] = instance
 +    # --- Public API ---
++
 +    def add_instance(self, instance_name, instance):
 +        """Registers a new servicer instance.
++
 +        Args:
 +            instance_name (str): The new instance's name.
 +            instance (OperationsInstance): The new instance itself.
 +        """
 +        self._instances[instance_name] = instance
++
 +    # --- Public API: Servicer ---
      def GetOperation(self, request, context):
          self.__logger.debug("GetOperation request from [%s]", context.peer())
@@ -127,6 +137,8 @@ class OperationsService(operations_pb2_grpc.OperationsServicer):
          return Empty()
 +    # --- Private API ---
++
      def _parse_instance_name(self, name):
          """ If the instance name is not blank, 'name' will have the form
          {instance_name}/{operation_uuid}. Otherwise, it will just be

buildgrid/server/scheduler.py

@@ -20,33 +20,70 @@ Schedules jobs.
  """
  from collections import deque
 +from datetime import timedelta
  import logging
 +from buildgrid._enums import LeaseState, OperationStage
  from buildgrid._exceptions import NotFoundError
 -from .job import OperationStage, LeaseState
+-
  class Scheduler:
      MAX_N_TRIES = 5
 -    def __init__(self, action_cache=None):
 +    def __init__(self, action_cache=None, monitor=False):
          self.__logger = logging.getLogger(__name__)
 +        self.__operations_by_stage = None
 +        self.__leases_by_state = None
 +        self.__queue_time_average = None
 +        self.__retries_count = 0
++
          self._action_cache = action_cache
          self.jobs = {}
          self.queue = deque()
 +        self._is_instrumented = monitor
++
 +        if self._is_instrumented:
 +            self.__operations_by_stage = {}
 +            self.__leases_by_state = {}
 +            self.__queue_time_average = 0, timedelta()
++
 +            self.__operations_by_stage[OperationStage.CACHE_CHECK] = set()
 +            self.__operations_by_stage[OperationStage.QUEUED] = set()
 +            self.__operations_by_stage[OperationStage.EXECUTING] = set()
 +            self.__operations_by_stage[OperationStage.COMPLETED] = set()
++
 +            self.__leases_by_state[LeaseState.PENDING] = set()
 +            self.__leases_by_state[LeaseState.ACTIVE] = set()
 +            self.__leases_by_state[LeaseState.COMPLETED] = set()
++
 +    # --- Public API ---
++
      def register_client(self, job_name, queue):
 -        self.jobs[job_name].register_client(queue)
 +        job = self.jobs[job_name]
++
 +        job.register_client(queue)
      def unregister_client(self, job_name, queue):
 -        self.jobs[job_name].unregister_client(queue)
 +        job = self.jobs[job_name]
 -        if not self.jobs[job_name].n_clients and self.jobs[job_name].operation.done:
 +        job.unregister_client(queue)
++
 +        if not job.n_clients and job.operation.done:
              del self.jobs[job_name]
 +            if self._is_instrumented:
 +                self.__operations_by_stage[OperationStage.CACHE_CHECK].discard(job_name)
 +                self.__operations_by_stage[OperationStage.QUEUED].discard(job_name)
 +                self.__operations_by_stage[OperationStage.EXECUTING].discard(job_name)
 +                self.__operations_by_stage[OperationStage.COMPLETED].discard(job_name)
++
 +                self.__leases_by_state[LeaseState.PENDING].discard(job_name)
 +                self.__leases_by_state[LeaseState.ACTIVE].discard(job_name)
 +                self.__leases_by_state[LeaseState.COMPLETED].discard(job_name)
++
      def queue_job(self, job, skip_cache_lookup=False):
          self.jobs[job.name] = job
@@ -62,23 +99,30 @@ class Scheduler:
                  job.set_cached_result(action_result)
                  operation_stage = OperationStage.COMPLETED
 +                if self._is_instrumented:
 +                    self.__retries_count += 1
++
          else:
              operation_stage = OperationStage.QUEUED
              self.queue.append(job)
 -        job.update_operation_stage(operation_stage)
 +        self._update_job_operation_stage(job.name, operation_stage)
      def retry_job(self, job_name):
 -        if job_name in self.jobs:
 -            job = self.jobs[job_name]
 -            if job.n_tries >= self.MAX_N_TRIES:
 -                # TODO: Decide what to do with these jobs
 -                job.update_operation_stage(OperationStage.COMPLETED)
 -                # TODO: Mark these jobs as done
 -            else:
 -                job.update_operation_stage(OperationStage.QUEUED)
 -                job.update_lease_state(LeaseState.PENDING)
 -                self.queue.append(job)
 +        job = self.jobs[job_name]
++
 +        operation_stage = None
 +        if job.n_tries >= self.MAX_N_TRIES:
 +            # TODO: Decide what to do with these jobs
 +            operation_stage = OperationStage.COMPLETED
 +            # TODO: Mark these jobs as done
++
 +        else:
 +            operation_stage = OperationStage.QUEUED
 +            job.update_lease_state(LeaseState.PENDING)
 +            self.queue.append(job)
++
 +        self._update_job_operation_stage(job_name, operation_stage)
      def list_jobs(self):
          return self.jobs.values()
@@ -118,17 +162,27 @@ class Scheduler:
              lease_result (google.protobuf.Any): the lease execution result, only
                  required if `lease_state` is `COMPLETED`.
          """
+-
          job = self.jobs[lease.id]
          lease_state = LeaseState(lease.state)
 +        operation_stage = None
          if lease_state == LeaseState.PENDING:
              job.update_lease_state(LeaseState.PENDING)
 -            job.update_operation_stage(OperationStage.QUEUED)
 +            operation_stage = OperationStage.QUEUED
++
 +            if self._is_instrumented:
 +                self.__leases_by_state[LeaseState.PENDING].add(lease.id)
 +                self.__leases_by_state[LeaseState.ACTIVE].discard(lease.id)
 +                self.__leases_by_state[LeaseState.COMPLETED].discard(lease.id)
          elif lease_state == LeaseState.ACTIVE:
              job.update_lease_state(LeaseState.ACTIVE)
 -            job.update_operation_stage(OperationStage.EXECUTING)
 +            operation_stage = OperationStage.EXECUTING
++
 +            if self._is_instrumented:
 +                self.__leases_by_state[LeaseState.PENDING].discard(lease.id)
 +                self.__leases_by_state[LeaseState.ACTIVE].add(lease.id)
 +                self.__leases_by_state[LeaseState.COMPLETED].discard(lease.id)
          elif lease_state == LeaseState.COMPLETED:
              job.update_lease_state(LeaseState.COMPLETED,
@@ -137,7 +191,14 @@ class Scheduler:
              if self._action_cache is not None and not job.do_not_cache:
                  self._action_cache.update_action_result(job.action_digest, job.action_result)
 -            job.update_operation_stage(OperationStage.COMPLETED)
 +            operation_stage = OperationStage.COMPLETED
++
 +            if self._is_instrumented:
 +                self.__leases_by_state[LeaseState.PENDING].discard(lease.id)
 +                self.__leases_by_state[LeaseState.ACTIVE].discard(lease.id)
 +                self.__leases_by_state[LeaseState.COMPLETED].add(lease.id)
++
 +        self._update_job_operation_stage(lease.id, operation_stage)
      def get_job_lease(self, job_name):
          """Returns the lease associated to job, if any have been emitted yet."""
@@ -160,3 +221,101 @@ class Scheduler:
              job_name (str): name of the job holding the operation to cancel.
          """
          self.jobs[job_name].cancel_operation()
++
 +    # --- Public API: Monitoring ---
++
 +    @property
 +    def is_instrumented(self):
 +        return self._is_instrumented
++
 +    def query_n_jobs(self):
 +        return len(self.jobs)
++
 +    def query_n_operations(self):
 +        # For now n_operations == n_jobs:
 +        return len(self.jobs)
++
 +    def query_n_operations_by_stage(self, operation_stage):
 +        try:
 +            if self.__operations_by_stage is not None:
 +                return len(self.__operations_by_stage[operation_stage])
 +        except KeyError:
 +            pass
 +        return 0
++
 +    def query_n_leases(self):
 +        return len(self.jobs)
++
 +    def query_n_leases_by_state(self, lease_state):
 +        try:
 +            if self.__leases_by_state is not None:
 +                return len(self.__leases_by_state[lease_state])
 +        except KeyError:
 +            pass
 +        return 0
++
 +    def query_n_retries(self):
 +        return self.__retries_count
++
 +    def query_am_queue_time(self):
 +        if self.__queue_time_average is not None:
 +            return self.__queue_time_average[1]
 +        return timedelta()
++
 +    # --- Private API ---
++
 +    def _update_job_operation_stage(self, job_name, operation_stage):
 +        """Requests a stage transition for the job's :class:Operations.
++
 +        Args:
 +            job_name (str): name of the job to query.
 +            operation_stage (OperationStage): the stage to transition to.
 +        """
 +        job = self.jobs[job_name]
++
 +        if operation_stage == OperationStage.CACHE_CHECK:
 +            job.update_operation_stage(OperationStage.CACHE_CHECK)
++
 +            if self._is_instrumented:
 +                self.__operations_by_stage[OperationStage.CACHE_CHECK].add(job_name)
 +                self.__operations_by_stage[OperationStage.QUEUED].discard(job_name)
 +                self.__operations_by_stage[OperationStage.EXECUTING].discard(job_name)
 +                self.__operations_by_stage[OperationStage.COMPLETED].discard(job_name)
++
 +        elif operation_stage == OperationStage.QUEUED:
 +            job.update_operation_stage(OperationStage.QUEUED)
++
 +            if self._is_instrumented:
 +                self.__operations_by_stage[OperationStage.CACHE_CHECK].discard(job_name)
 +                self.__operations_by_stage[OperationStage.QUEUED].add(job_name)
 +                self.__operations_by_stage[OperationStage.EXECUTING].discard(job_name)
 +                self.__operations_by_stage[OperationStage.COMPLETED].discard(job_name)
++
 +        elif operation_stage == OperationStage.EXECUTING:
 +            job.update_operation_stage(OperationStage.EXECUTING)
++
 +            if self._is_instrumented:
 +                self.__operations_by_stage[OperationStage.CACHE_CHECK].discard(job_name)
 +                self.__operations_by_stage[OperationStage.QUEUED].discard(job_name)
 +                self.__operations_by_stage[OperationStage.EXECUTING].add(job_name)
 +                self.__operations_by_stage[OperationStage.COMPLETED].discard(job_name)
++
 +        elif operation_stage == OperationStage.COMPLETED:
 +            job.update_operation_stage(OperationStage.COMPLETED)
++
 +            if self._is_instrumented:
 +                self.__operations_by_stage[OperationStage.CACHE_CHECK].discard(job_name)
 +                self.__operations_by_stage[OperationStage.QUEUED].discard(job_name)
 +                self.__operations_by_stage[OperationStage.EXECUTING].discard(job_name)
 +                self.__operations_by_stage[OperationStage.COMPLETED].add(job_name)
++
 +                average_order, average_time = self.__queue_time_average
++
 +                average_order += 1
 +                if average_order <= 1:
 +                    average_time = job.query_queue_time()
 +                else:
 +                    queue_time = job.query_queue_time()
 +                    average_time = average_time + ((queue_time - average_time) / average_order)
++
 +                self.__queue_time_average = average_order, average_time

buildgrid/settings.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
  import hashlib
 -# The hash function that CAS uses
 +# Hash function used for computing digests:
  HASH = hashlib.sha256
++
 +# Lenght in bytes of a hash string returned by HASH:
  HASH_LENGTH = HASH().digest_size * 2
++
 +# Period, in seconds, for the monitoring cycle:
 +MONITORING_PERIOD = 5.0

setup.py

@@ -112,13 +112,16 @@ setup(
      license="Apache License, Version 2.0",
      description="A remote execution service",
      packages=find_packages(),
 +    python_requires='>= 3.5.3',  # janus requirement
      install_requires=[
 -        'protobuf',
 -        'grpcio',
 -        'Click',
 -        'PyYAML',
          'boto3 < 1.8.0',
          'botocore < 1.11.0',
 +        'click',
 +        'grpcio',
 +        'janus',
 +        'protobuf',
 +        'pyjwt',
 +        'pyyaml',
      ],
      entry_points={
          'console_scripts': [

[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 17 commits: execution/service.py: Calculate client counts

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

18 changed files:

Changes: