Early exit auth check on lease puts #16005
Conversation
| @@ -125,6 +125,11 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke | |||
| func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error { | |||
| l := aa.lessor.Lookup(leaseID) | |||
| if l != nil { | |||
| // early return for most-common scenario of either disabled auth or admin user | |||
| if aa.as.IsAdminPermitted(&aa.authInfo) == nil { | |||
| return nil | |||
There was a problem hiding this comment.
Do we have a test covering this case?
There was a problem hiding this comment.
Neither apply.go, nor apply_auth.go have unit test coverage- there are no unit tests as far as I can tell.
There was a problem hiding this comment.
My suggestion would be to add ArePutsPermitted method that will for the range and add tests for it.
| @@ -125,6 +125,11 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke | |||
| func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error { | |||
| l := aa.lessor.Lookup(leaseID) | |||
| if l != nil { | |||
| // early return for most-common scenario of either disabled auth or admin user | |||
| if aa.as.IsAdminPermitted(&aa.authInfo) == nil { | |||
There was a problem hiding this comment.
It's not obvious from proposed check that it covers case that auth is disabled. From code design it seems strange for me that authApplierV3 will be used at all if auth is disabled.
There was a problem hiding this comment.
I was surprised too, it even goes through an rw mutex everytime it checks...
I reckon we should discuss a bigger refactoring for the auth system, potentially?
There was a problem hiding this comment.
Maybe, depends on whether we want to backport this fix. This seems like a trivial but important change. Appliers changed a lot between v3.5 and main.
There was a problem hiding this comment.
From code design it seems strange for me that authApplierV3 will be used at all if auth is disabled.
I reckon we should discuss a bigger refactoring for the auth system, potentially?
Because the existing chain of applier is static. If we want to get rid of authApplier completely when auth isn't enabled, then we need to make the chain dynamic. We don't have to do it, please feel free to evaluate the effort and impact separately if anyone is interested.
It's not obvious from proposed check that it covers case that auth is disabled.
It's a common "issue" in all existing (*authStore) IsXXXPermitted(...) error methods, when auth isn't enabled, they return nil.
depends on whether we want to backport this fix
I think we need to backport the fix.
There was a problem hiding this comment.
we need to make the chain dynamic.
I haven't researched too deeply yet, but the whole system is already dynamic because the whole auth goes through raft (even enable/disable). I would've expected the enable/disable methods to be a configuration for startup, not a dynamic apply request. Hence the static implementation, I guess.
I'll open a discussion issue up as a feature request, will do some benchmarks in the meantime around the impact of either approach.
There was a problem hiding this comment.
turns out we're already swapping out the applier for corruption and nospace alerts:
https://github.com/etcd-io/etcd/blob/release-3.5/server/etcdserver/apply.go#L752-L760
ofc the whole thing isn't locked 🗡️
There was a problem hiding this comment.
The link you provide just replaces the whole applier chain with applierV3Capped or applierV3Corrupt. But you can't change (swap out) part of the chain: authApplier -> quotaApplier -> backendApplier.
It's similar to string in golang, it's immutable. You can't modify part of a string; instead, you can only replace the whole string.
Just as I mentioned previously, we don't have to make the applier chain dynamic. But of course, it's open to discussion in a separate session.
There was a problem hiding this comment.
No doubt on the immutability of the chain, but the pointer to the applier struct needs to be guarded by a mutex when you swap it out from another goroutine?
https://github.com/etcd-io/etcd/blob/release-3.5/server/etcdserver/server.go#L252
let me try to tease the race detector on this case more specifically. Not that it matters much, if you're corrupted/OOS it's game over anyway, it just tickled my inner race detector.
|
The PR looks good to me. @tjungblu did you compare the performance before and after applying this PR? |
|
running this entirely local with the test supplied from the issue, I can see the p99 latency to be consistently good:
here's the same result without the patch right afterwards in comparison:
The p99 looks very low in absolute by prometheus because of the scraping interval and one minute resolution, it actually degrades almost immediately into 100ms+ latency after 10k entries:
which is basically a few seconds into the unit test. Just for completeness with a comparison of the same metric used in the issue report also stays flat over the whole execution time: Even though I'm not entirely sure whether it makes sense to sum over the rate duration sum here. |
| @@ -125,6 +125,11 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke | |||
| func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error { | |||
| l := aa.lessor.Lookup(leaseID) | |||
| if l != nil { | |||
| // early return for most-common scenario of either disabled auth or admin user | |||
| if aa.as.IsAdminPermitted(&aa.authInfo) == nil { | |||
There was a problem hiding this comment.
Make it explicit that we check the returned error
| if aa.as.IsAdminPermitted(&aa.authInfo) == nil { | |
| if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil { |
There was a problem hiding this comment.
yep, let me update the existing commit
Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
|
@marseel I assume you would need this at the very least in the next 3.5.x release? |
|
3.5.x release would be great. |
|
cool, then I'll get to write a backport. Thanks everyone! |
|
One think before merging. @tjungblu I know we don't have tests, however I would feel much safer for backports if we could add some even trivial test. |
Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Backport of etcd-io#16005 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Backport of etcd-io#16005 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
|
Totally makes sense, let me try to add one right here as a separate commit. I'll cherry-pick it down for the backport PRs then. |
|
Added a new test, it's a little more involved to mock out the required parts to test this properly. Anybody, if there's a slightly easier way to enable that test (while fixing the perf issue and not introducing cyclical dependencies) - please let me know. |
tjungblu
force-pushed
the
putauthshort
branch
2 times, most recently
from
7d43b78
to
1d473d5
Compare
|
@serathius can we move this forward? Is the testcase sufficient for you or too much refactoring already? |
server/auth/store_mock.go
Outdated
| @@ -14,7 +14,39 @@ | |||
|
|
|||
There was a problem hiding this comment.
Don't move test file to normal file. Don't share mocks outside of package.
| ) | ||
|
|
||
| func TestCheckLeasePutsKeys(t *testing.T) { | ||
| aa := authApplierV3{as: auth.NewAuthStore(zaptest.NewLogger(t), auth.NewBackendMock(), &auth.TokenNop{}, 10)} |
There was a problem hiding this comment.
Don't borrow mocks just use normal backend.
server/auth/nop.go
Outdated
| @@ -18,18 +18,18 @@ import ( | |||
| "context" | |||
| ) | |||
|
|
|||
| type tokenNop struct{} | |||
| type TokenNop struct{} | |||
There was a problem hiding this comment.
Don't expose internal testing code from package! Use proper TokenProvider in external tests.
|
Overall looks very good! Tests you added are awesome! Left some small comments. |
This contains a slight refactoring to expose enough information to write meaningful tests for auth applier v3. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
|
fixed the goimport manually, I reckon |
Not all |
Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Backport of etcd-io#16005 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
Mitigates #15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method.
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.