Propagate the bearer token to the gRPC plugin server

[radekg]

This PR attempts to resolve the problem described in #1821.

Problem summary

Query UI has an option to forward Bearer token to the storage back end using --query.bearer-token-propagation=true flag. However, when using the gRPC storage plugin, the context created with spanstore.ContextWithBearerToken(ctx, token) in https://github.com/jaegertracing/jaeger/blob/master/cmd/query/app/token_propagation_handler.go#L48 is not passed to the gRPC plugin.

Currently, the last place in the storage where the context with the bearer.token can be reached, is the gRPC client: https://github.com/jaegertracing/jaeger/blob/master/plugin/storage/grpc/shared/grpc_client.go.

This can be tested by adding these lines of code:

  str, ok := spanstore.GetBearerToken(ctx)
  fmt.Println(fmt.Sprintf(" =====================> CLIENT: The context is: %v ::: %b", str, ok))

to any of the following methods:

• func (c *grpcClient) GetTrace(ctx context.Context, traceID model.TraceID) (*model.Trace, error)
• func (c *grpcClient) GetServices(ctx context.Context) ([]string, error)
• func (c *grpcClient) GetOperations(ctx context.Context, service string) ([]string, error)
• func (c *grpcClient) FindTraces(ctx context.Context, query *spanstore.TraceQueryParameters) ([]*model.Trace, error)
• func (c *grpcClient) FindTraceIDs(ctx context.Context, query *spanstore.TraceQueryParameters) ([]model.TraceID, error)

However, on the server part of the plugin, the context is a new instance because the plugin is running as a separate process.

Solution summary

This pull request adds support for bearer token forwarding to the gRPC spanstore.Reader methods of the gRPC storage. Similarly to the solution from the ES storage provider, only forward the bearer token when the --query.bearer-token-propagation flag has been set to true.

[yurishkuro]

is the config option actually required? If the query-service is configured to pass the bearer token, it would include it in the context, and this code just needs to respect that.

[jpkrohling]

We do want a way to tell our components that the token shouldn't be propagated.

[yurishkuro]

There is already configuration to that effect in the query service, which controls token handoff from query to storage. I don't think yet another flag for storage-storagePlugin is needed.

[yurishkuro]

this may not be needed per my earlier comments, but if needed then it would be better to rename to a more general method of "adapting" the context from request, so that we could, in the future, support different types of middleware.

[yurishkuro]

if we can get away without explicit configuration, please undo this

[radekg]

Hi @yurishkuro, thank you for a quick review. I have updated the code according to your request / suggestions. Indeed, this is a way cleaner solution than the original one.

[radekg]

I am not sure what would be a cleaner way to handle this. The problem here is that FindTraces and FindTraceIDs uses context.Background() so this function has to operate on two contexts.

[radekg]

A suggestion here. There is a place in the code where the property identifying this setting is already defined. It is: https://github.com/jaegertracing/jaeger/blob/master/storage/spanstore/token_propagation.go#L21.
Maybe we could do something like:

const BearerTokenKey = "bearer.token"
const bearerToken = contextKey("bearer.token")

and use the spanstore.BearerTokenKey here and then in the gRPC plugin server?

[yurishkuro]

+1

[radekg]

Will do. Final question: should I squash before it is merged?

[yurishkuro]

No need, we squash on merge

[yurishkuro]

It looks like one of the earlier commits did not have a DCO sign-off, you may need to squash them to fix that.

[yurishkuro]

this function does not need a receiver

[jpkrohling]

Looks like there's one or more files that need formatting. The CI job failed with:

Go fmt, license check, or import ordering failures, run 'make fmt'

[radekg]

All fixed and signed off.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@2957d89). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master    #1822   +/-   ##
=========================================
  Coverage          ?   98.22%           
=========================================
  Files             ?      195           
  Lines             ?     9611           
  Branches          ?        0           
=========================================
  Hits              ?     9440           
  Misses            ?      134           
  Partials          ?       37

Impacted Files	Coverage Δ
storage/spanstore/token_propagation.go	71.42% <ø> (ø)
plugin/storage/grpc/shared/grpc_client.go	83.67% <100%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2957d89...8fb5e57. Read the comment docs.

no tests

[yurishkuro]

@radekg could you please add a test somewhere verifying that the token is indeed accessible in the plugin implementation?

[yurishkuro]

This code is not covered:

[radekg]

Hi @yurishkuro, I'm not sure if the failing tests are related to my changes. I can see cql related fatal errors in the Travis job.

[pavolloffay]

thanks @radekg

[radekg]

Thank you.