Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A Tenant can seem to be getting a DIFFERENT tenant's TAA acceptance #956

Open
loneil opened this issue Dec 11, 2023 · 4 comments
Open

A Tenant can seem to be getting a DIFFERENT tenant's TAA acceptance #956

loneil opened this issue Dec 11, 2023 · 4 comments
Labels
pinned Pinned item that will never become stale

Comments

@loneil
Copy link
Contributor

loneil commented Dec 11, 2023

I think I’ve found an issue with TAA acceptance in the Multi-Tenant case where a tenant that has NOT accepted the TAA for a ledger can seem to get a response from their TAA endpoint that says they HAVE accepted the TAA.

And I think this might have something to do with in-memory ACA-Py rather than the database persistence or any actual ledger write.

I don’t think this is any Tenant UI display issue.

I can reproduce with 2 tenants (both using sovrin-testnet) in this case as below

Step 1: Log in with a Tenant that has not accepted TAA.

image

Tenant 1 (created Dec 1) has not accepted the TAA for sovrin test.

Step 2: Log in with a Tenant that has accepted the TAA

image

Tenant 2 HAS accepted the TAA, calls the /taa endpoint and gets that

Step 3: Go back to Tenant 1 and refresh (call the /taa endpoint again)

image

Now Tenant 1 thinks it’s accepted the TAA on the same date as Tenant 2!

Has an Oct 23 acceptance date even though the Tenant did not exist until Dec 1...

Step 5: Restart ACA-Py (only tested this on OCP, by killing pods, haven’t tried locally or anything)

image

Now Tenant 1 is back to knowing it has not accepted the TAA


Confirmed it's not specific to Tenant UI, and is "pod related" in the multi-pod scenario in dev

Using one Tenant's token in a single swagger instance I get 2 different TAA results randomly while it bounces between pods

image

image

@esune
Copy link
Member

esune commented Dec 12, 2023

I checked the code in ACA-Py, it appears that the acceptance metod is being cached at the indy-vdr global level rather than at the tenant profile level (see here when the result is set, and here when it is fetched). This would cause the acceptance method to appear "shared" for all tenants for the duration of the cache (10 min by default), with the latest accepted method set/fetched being returned until the cache misses.

@andrewwhitehead does the analysis above make sense? Any recommendations to make other than saving the TAA acceptance method in the tenant's profile rather than in a shared cache?

@loneil
Copy link
Contributor Author

loneil commented Dec 20, 2023

Will try this out with a nightly build including the change from openwallet-foundation/acapy#2676 sometime soon to confirm Traction behaviour.

Copy link

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Jan 20, 2024
@esune esune added pinned Pinned item that will never become stale and removed Stale labels Jan 22, 2024
@loneil
Copy link
Contributor Author

loneil commented Mar 8, 2024

I can still reproduce this in the 0.12.0rc2 setup running here
https://pr-1025-traction-tenant-ui-dev.apps.silver.devops.gov.bc.ca/

Can see with the following steps

Log in with "Lucas Sovrin 2" This tenant has not accepted the TAA
18b10d1e-cc33-4ebd-a47f-b58269d1af4a
a1c54a03-04bd-4a84-ba68-0531fbd2706e

Go to the profile page to see TAA status, or get the token and call the TAA endpoint. Can confirm it returns no TAA acceptance

Refresh, try API call multiple times, still see TAA unaccepted. (PR runs on 1 pod so only hitting a single cache anyways)

Log in with Log in with "Lucas Sovrin 1" This tenant has accepted the TAA
30d67ebf-a775-4132-8995-e1b049addca8
57f8bf4a-8082-4e5c-8f91-fd9652cdb9d2

Can see TAA accepted with time
1709769600

Now go back and refresh or call the API again for Tenant 2 (no TAA) and it will claim it has accepted the TAA now with the same time 1709769600.

Wait appropriate cache timeout time or restart ACA-Py and go look at Tenant 2 again and it's status will be correct again, until the API call is done for Tenant 1 again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
pinned Pinned item that will never become stale
Projects
None yet
Development

No branches or pull requests

2 participants