Ability to add auth headers to Druid requests.

[codingwhatever]

We are adding security to our Druid cluster and need Fili to be able to send a token in a header for authenticating our Druid requests.

[cdeszaq]

Just a few small things. Overall, looks pretty good

[cdeszaq]

Can we use a built-in (ie. Java Collections) map instead of apache commons?

[cdeszaq]

Wrapping param lists should "chop" the list, rather than just wrap it. eg.:

public AsyncDruidWebServiceImpl(
        DruidServiceConfig serviceConfig, 
        ObjectMapper mapper,
        Supplier<Map<String, String>> authHeaders
) {

[cdeszaq]

Javadoc needed for the new parameter

[codingwhatever]

Addressed this in the constructor below.

[cdeszaq]

Can we re-name this? Rather than auth-specific, can this be named so that it can be any headers?

[cdeszaq]

Same comments re: wrapping and name apply here as well

[cdeszaq]

can we rename this to indicate any headers?

[cdeszaq]

We should also have constructors that default the header supplier for backwards compatibility. We can deprecate them so that people are required to supply a supplier eventually, but we should try to maintain backwards compatibility if we can.

The supplier can just return an empty map in the defaulting case.

[codingwhatever]

@cdeszaq Addressed all the comments.

[archolewa]

If you could add the @deprecated annotation to the JavaDoc as well, with a brief explanation of why this constructor is being deprecated, and which constructor should be used instead, I would be grateful.

[archolewa]

The @deprecated annotation should also be added to the JavaDoc, with a brief explanation of why this is being deprecated, and a pointer to which constructor should be used instead.

[archolewa]

ditto

[archolewa]

This also needs a CHANGELOG entry.

[cdeszaq]

Other than the minor JavaDoc update on the 2 deprecated constructors, and adding entries to the ChangeLog file (a bit in the ### Deprecated section and a bit in the ### Changed section), this PR looks like it's very close!

[cdeszaq]

For these deprecations, we should add an @deprecated tag to the javadoc indicating why we're deprecating them (because you should specify your header supplier), and what you should use instead (the matching constructor with that new parameter)

Applies to the other @Deprecated instance in this PR as well

[cdeszaq]

Just a few thoughts around the extension hook for the Supplier, but otherwise that extension looks good.

PR still needs CHANGELOG entries and updates the the JavaDoc for those @Deprecated methods documenting the deprecation

[cdeszaq]

@michael-mclawhorn does this usage fit with how we usually use systemConfig?

[cdeszaq]

Rather than enumerate all of these, should we just catch Exception? If anything goes wrong loading this, we should just fail anyway, no matter what the exception is, right?

[cdeszaq]

I think we should pull the buildDruidWebServiceHeaderSupplier code into it's own method. That will give another (fairly easy) override-based config mechanism if someone's Supplier needs more than a no-param constructor.

[codingwhatever]

I assumed we could just pull the other params from system_config in the supplier. I guess there could be more complicated use cases?

[codingwhatever]

@archolewa @cdeszaq Addressed all review comments.

[cdeszaq]

👍

[michael-mclawhorn]

I think Supplier<Map<String, String>> might be inferior as the type here to Iterable<Pair<String, String>>

[michael-mclawhorn]

I think the Supplier<Map<S,S>> type should be seriously reconsidered.

A better name for the additional headers and documentation of the semantics (adding vs replacing) on the request would be a good idea.

Also, tests.

At minimum, postDruidQuery should be tested to verify that the added headers get added.
Abstract binder factory being tested with actually building a header source from a config parameter and an empty one from null would be really good.

Alternatives to Supplier would be an Iterable or an rx Observable.

[michael-mclawhorn]

I dislike the name of the variable. If I understand the scope of this, these are mandatory headers appended (or possibly prepended, it looks like the latter based on digging into the netty code) to the client request. So possible 'requestAppendHeaders' or 'clientAppendHeaders'.

[cdeszaq]

Since we're adding the headers (and it looks like added headers strictly add, don't replace), I think a name like headersToAdd or headersToAppend helps clarify this.

[michael-mclawhorn]

It does not appear that headers are maplike in that there can't be more than one of a given key value. Given this, you might be better served with an iterable here.

[cdeszaq]

While the AsyncHttpClient allows for multi-value headers, I think it's OK for us to restrict it down to just being able to add single-valued headers. We can expand that later if we need to.

[michael-mclawhorn]

Can we catch something more specific than 'Exception' here?

[cdeszaq]

We were matching something more specific in an earlier version of this PR and I suggested replacing that list of roughly 5 exceptions with just Exception. Since we're re-throwing the exception anyways, catching everything so that we can log it (since it'll be fatal anyways) is (I think) fine, and lets the code be smaller / cleaner.

[cdeszaq]

Can be replaced with method reference (requestBuilder::addHeader)

[michael-mclawhorn]

To summarize my responses, since I distributed them across Rick's responses to my comments:
The only change I am currently asking for is the anyHeaders variable to be named slightly differently. Otherwise 👍 from me.

[cdeszaq]

Definitely need to test that we're adding any supplied headers on the Druid requests.

I don't know if we have a hook for that in our testing framework yet, but I don't know if there's a need for such a hook in the functional tests (it would be OK to have one). If we don't want to add one, I think we should be able to test the Async client in isolation.

To do so, we may need to either extend an existing or add a new TestServlet (which are the pieces we use to capture requests to "druid")

[codingwhatever]

@cdeszaq Addressed remaining comments and added a unit test.

[cdeszaq]

Very close, just a few minor things!

[cdeszaq]

Copyright needed

[cdeszaq]

All of this stuff from here up that's in the when block should go up in the setup block, since it's still setting up the scenario.

If needed, you can use and: blocks (with an optional comment: and: "a set of expected headers to add") to break up any block.

[cdeszaq]

Only top-level expressions in a then block are treated as assertions. To treat non-top-level expressions as assertions, you need to explicitly add the assert keyword: assert actualHeaders.get(header.getKey()) == header.getValue()

[cdeszaq]

We should fix this too.

[codingwhatever]

@cdeszaq Addressed the latest comments.

[cdeszaq]

👍 just needs to be squashed and rebased onto master and I think this is good to merge.