go/runtime + agent: introduce /notify/shard-failure API

The runtime invokes a new /notify/shard-failure control-plane API which is told of shard failures that have occurred within a data-plane. At the moment, this API verifies the data-plane token and logs the failure, but takes no further action. Update the taskBase.heartbeatLoop() to perform this notification if the shard's primary loop exits with a non-cancellation error. Issue #1666
estuary · Sep 30, 2024 · 5a20739 · 5a20739
1 parent fd93dc4
commit 5a20739
Show file tree

Hide file tree

Showing 6 changed files with 202 additions and 75 deletions.
diff --git a/crates/agent/src/api/authorize_task.rs b/crates/agent/src/api/authorize_task.rs
@@ -15,28 +15,7 @@ pub async fn authorize_task(
 
 #[tracing::instrument(skip(app), err(level = tracing::Level::WARN))]
 async fn do_authorize_task(app: &App, Request { token }: &Request) -> anyhow::Result<Response> {
- let jsonwebtoken::TokenData { header, mut claims }: jsonwebtoken::TokenData<
- proto_gazette::Claims,
- > = {
- // In this pass we do not validate the signature,
- // because we don't yet know which data-plane the JWT is signed by.
- let empty_key = jsonwebtoken::DecodingKey::from_secret(&[]);
- let mut validation = jsonwebtoken::Validation::default();
- validation.insecure_disable_signature_validation();
- jsonwebtoken::decode(token, &empty_key, &validation)
- }?;
- tracing::debug!(?claims, ?header, "decoded authorization request");
-
- let shard_id = claims.sub.as_str();
- if shard_id.is_empty() {
- anyhow::bail!("missing required shard ID (`sub` claim)");
- }
-
- let shard_data_plane_fqdn = claims.iss.as_str();
- if shard_data_plane_fqdn.is_empty() {
- anyhow::bail!("missing required shard data-plane FQDN (`iss` claim)");
- }
-
+ let (header, mut claims) = super::parse_untrusted_data_plane_claims(token)?;
  let journal_name_or_prefix = labels::expect_one(claims.sel.include(), "name")?.to_owned();
 
  // Require the request was signed with the AUTHORIZE capability,
@@ -62,8 +41,8 @@ async fn do_authorize_task(app: &App, Request { token }: &Request) -> anyhow::Re
  match Snapshot::evaluate(&app.snapshot, claims.iat, |snapshot: &Snapshot| {
  evaluate_authorization(
  snapshot,
- shard_id,
- shard_data_plane_fqdn,
+ &claims.sub,
+ &claims.iss,
  token,
  &journal_name_or_prefix,
  required_role,
@@ -104,47 +83,13 @@ fn evaluate_authorization(
  journal_name_or_prefix: &str,
  required_role: models::Capability,
 ) -> anyhow::Result<(jsonwebtoken::EncodingKey, String, String)> {
- // Map `claims.sub`, a Shard ID, into its task.
- let task = tasks
- .binary_search_by(|task| {
- if shard_id.starts_with(&task.shard_template_id) {
- std::cmp::Ordering::Equal
- } else {
- task.shard_template_id.as_str().cmp(shard_id)
- }
- })
- .ok()
- .map(|index| &tasks[index]);
-
- // Map `claims.iss`, a data-plane FQDN, into its task-matched data-plane.
- let task_data_plane = task.and_then(|task| {
- data_planes
- .get_by_key(&task.data_plane_id)
- .filter(|data_plane| data_plane.data_plane_fqdn == shard_data_plane_fqdn)
- });
-
- let (Some(task), Some(task_data_plane)) = (task, task_data_plane) else {
- anyhow::bail!(
- "task shard {shard_id} within data-plane {shard_data_plane_fqdn} is not known"
- )
- };
-
- // Attempt to find an HMAC key of this data-plane which validates against the request token.
- let validation = jsonwebtoken::Validation::default();
- let mut verified = false;
-
- for hmac_key in &task_data_plane.hmac_keys {
- let key = jsonwebtoken::DecodingKey::from_base64_secret(hmac_key)
- .context("invalid data-plane hmac key")?;
-
- if jsonwebtoken::decode::<proto_gazette::Claims>(token, &key, &validation).is_ok() {
- verified = true;
- break;
- }
- }
- if !verified {
- anyhow::bail!("no data-plane keys validated against the token signature");
- }
+ let (task, task_data_plane) = super::verify_data_plane_claims(
+ data_planes,
+ tasks,
+ shard_id,
+ shard_data_plane_fqdn,
+ token,
+ )?;
 
  // Map a required `name` journal label selector into its collection.
  let Some(collection) = collections

diff --git a/crates/agent/src/api/mod.rs b/crates/agent/src/api/mod.rs
@@ -5,6 +5,7 @@ mod authorize_task;
 mod authorize_user_collection;
 mod authorize_user_task;
 mod create_data_plane;
+mod notify_shard_failure;
 mod snapshot;
 mod update_l2_reporting;
 
@@ -125,6 +126,10 @@ pub fn build_router(
  post(update_l2_reporting::update_l2_reporting)
  .route_layer(axum::middleware::from_fn_with_state(app.clone(), authorize)),
  )
+ .route(
+ "/notify/shard-failure",
+ post(notify_shard_failure::notify_shard_failure),
+ )
  .layer(tower_http::trace::TraceLayer::new_for_http())
  .layer(cors)
  .with_state(app);
@@ -239,3 +244,81 @@ fn maybe_rewrite_address(external: bool, address: &str) -> String {
  address.to_string()
  }
 }
+
+// Parse a data-plane claims token without verifying it's signature.
+fn parse_untrusted_data_plane_claims(
+ token: &str,
+) -> anyhow::Result<(jsonwebtoken::Header, proto_gazette::Claims)> {
+ let jsonwebtoken::TokenData { header, claims }: jsonwebtoken::TokenData<proto_gazette::Claims> =
+ {
+ // In this pass we do not validate the signature,
+ // because we don't yet know which data-plane the JWT is signed by.
+ let empty_key = jsonwebtoken::DecodingKey::from_secret(&[]);
+ let mut validation = jsonwebtoken::Validation::default();
+ validation.insecure_disable_signature_validation();
+ jsonwebtoken::decode(token, &empty_key, &validation)
+ }?;
+
+ if claims.sub.is_empty() {
+ anyhow::bail!("missing required shard ID (`sub` claim)");
+ }
+ if claims.iss.is_empty() {
+ anyhow::bail!("missing required shard data-plane FQDN (`iss` claim)");
+ }
+
+ tracing::debug!(?claims, ?header, "decoded authorization request");
+
+ Ok((header, claims))
+}
+
+fn verify_data_plane_claims<'s>(
+ data_planes: &'s tables::DataPlanes,
+ tasks: &'s [snapshot::SnapshotTask],
+ shard_id: &str,
+ shard_data_plane_fqdn: &str,
+ token: &str,
+) -> anyhow::Result<(&'s snapshot::SnapshotTask, &'s tables::DataPlane)> {
+ // Map `shard_id` into its task.
+ let task = tasks
+ .binary_search_by(|task| {
+ if shard_id.starts_with(&task.shard_template_id) {
+ std::cmp::Ordering::Equal
+ } else {
+ task.shard_template_id.as_str().cmp(shard_id)
+ }
+ })
+ .ok()
+ .map(|index| &tasks[index]);
+
+ // Map `shard_data_plane_fqdn` into its task-matched data-plane.
+ let task_data_plane = task.and_then(|task| {
+ data_planes
+ .get_by_key(&task.data_plane_id)
+ .filter(|data_plane| data_plane.data_plane_fqdn == shard_data_plane_fqdn)
+ });
+
+ let (Some(task), Some(task_data_plane)) = (task, task_data_plane) else {
+ anyhow::bail!(
+ "task shard {shard_id} within data-plane {shard_data_plane_fqdn} is not known"
+ )
+ };
+
+ // Attempt to find an HMAC key of this data-plane which validates against the request token.
+ let validation = jsonwebtoken::Validation::default();
+ let mut verified = false;
+
+ for hmac_key in &task_data_plane.hmac_keys {
+ let key = jsonwebtoken::DecodingKey::from_base64_secret(hmac_key)
+ .context("invalid data-plane hmac key")?;
+
+ if jsonwebtoken::decode::<proto_gazette::Claims>(token, &key, &validation).is_ok() {
+ verified = true;
+ break;
+ }
+ }
+ if !verified {
+ anyhow::bail!("no data-plane keys validated against the token signature");
+ }
+
+ Ok((task, task_data_plane))
+}
diff --git a/crates/agent/src/api/notify_shard_failure.rs b/crates/agent/src/api/notify_shard_failure.rs
@@ -0,0 +1,69 @@
+use super::{App, Snapshot};
+use std::sync::Arc;
+
+/// Request sent by data-plane reactors to notify the data-plane of a shard failure.
+#[derive(Debug, serde::Deserialize, schemars::JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct Request {
+ /// # JWT token which identifies the shard and authorizes the request.
+ /// The token subject is the shard ID.
+ pub token: String,
+ /// # Error encountered by the shard.
+ pub error: String,
+}
+
+#[derive(Debug, Default, serde::Serialize, schemars::JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct Response {
+ /// # Number of milliseconds to wait before retrying the request.
+ /// Zero if the request was successful.
+ pub retry_millis: u64,
+}
+
+#[axum::debug_handler]
+pub async fn notify_shard_failure(
+ axum::extract::State(app): axum::extract::State<Arc<App>>,
+ axum::Json(request): axum::Json<Request>,
+) -> axum::response::Response {
+ super::wrap(async move { do_notify_shard_failure(&app, &request).await }).await
+}
+
+#[tracing::instrument(skip(app), err(level = tracing::Level::WARN))]
+async fn do_notify_shard_failure(
+ app: &App,
+ Request { token, error }: &Request,
+) -> anyhow::Result<Response> {
+ let (_header, claims) = super::parse_untrusted_data_plane_claims(token)?;
+
+ match Snapshot::evaluate(
+ &app.snapshot,
+ claims.iat,
+ |Snapshot {
+ data_planes, tasks, ..
+ }: &Snapshot| {
+ _ = super::verify_data_plane_claims(
+ data_planes,
+ tasks,
+ &claims.sub,
+ &claims.iss,
+ token,
+ )?;
+ Ok(())
+ },
+ ) {
+ Ok(()) => {
+ // TODO(johnny): This is a placeholder for enqueuing an automation to perform
+ // shard restart.
+ tracing::info!(%error, %claims.sub, %claims.iss, "notified of shard failure");
+
+ Ok(Response {
+ ..Default::default()
+ })
+ }
+ Err(Ok(retry_millis)) => Ok(Response {
+ retry_millis,
+ ..Default::default()
+ }),
+ Err(Err(err)) => Err(err),
+ }
+}
diff --git a/go/runtime/flow_consumer.go b/go/runtime/flow_consumer.go
@@ -61,6 +61,8 @@ func (c *FlowConsumerConfig) Execute(args []string) error {
 type FlowConsumer struct {
  // Configuration of this FlowConsumer.
  config *FlowConsumerConfig
+ // Control plane of this consumer, or nil in testing contexts.
+ controlPlane *controlPlane
  // Running consumer.service.
  service *consumer.Service
  // Shared catalog builds.
@@ -208,11 +210,10 @@ func (f *FlowConsumer) InitApplication(args runconsumer.InitArgs) error {
  return fmt.Errorf("catalog builds service: %w", err)
  }
 
- var controlPlane *controlPlane
  var localAuthorizer = args.Service.Authorizer
 
  if keyedAuth, ok := localAuthorizer.(*auth.KeyedAuth); ok && !config.Flow.TestAPIs {
- controlPlane = newControlPlane(
+ f.controlPlane = newControlPlane(
  keyedAuth,
  config.Flow.DataPlaneFQDN,
  config.Flow.ControlAPI,
@@ -221,7 +222,7 @@ func (f *FlowConsumer) InitApplication(args runconsumer.InitArgs) error {
  // Wrap the underlying KeyedAuth Authorizer to use the control-plane's Authorize API.
  // Next unwrap the raw JournalClient from its current AuthJournalClient,
  // and then replace it with one built using our wrapped Authorizer.
- args.Service.Authorizer = newControlPlaneAuthorizer(controlPlane)
+ args.Service.Authorizer = newControlPlaneAuthorizer(f.controlPlane)
  var rawClient = args.Service.Journals.(*pb.ComposedRoutedJournalClient).JournalClient.(*pb.AuthJournalClient).Inner
  args.Service.Journals.(*pb.ComposedRoutedJournalClient).JournalClient = pb.NewAuthJournalClient(rawClient, args.Service.Authorizer)
  }

diff --git a/go/runtime/task.go b/go/runtime/task.go
@@ -22,6 +22,8 @@ import (
  "github.com/estuary/flow/go/shuffle"
  "github.com/gogo/protobuf/proto"
  "github.com/gogo/protobuf/types"
+ "github.com/golang-jwt/jwt/v5"
+ "github.com/sirupsen/logrus"
  "go.gazette.dev/core/allocator"
  "go.gazette.dev/core/broker/client"
  pb "go.gazette.dev/core/broker/protocol"
@@ -254,11 +256,12 @@ func (t *taskReader[TaskSpec]) Coordinator() *shuffle.Coordinator { return t.coo
 // and then logs the final exit status of the shard.
 func (t *taskBase[TaskSpec]) heartbeatLoop(shard consumer.Shard) {
  var (
+ id = shard.Spec().Id
  // Period between regularly-published stat intervals.
  // This period must cleanly divide into one hour!
  period = 3 * time.Minute
  // Jitters when interval stats are written cluster-wide.
- jitter = intervalJitter(period, shard.FQN())
+ jitter = intervalJitter(period, id)
  // Op notified when the shard fails.
  op = shard.PrimaryLoop()
  )
@@ -289,8 +292,33 @@ func (t *taskBase[TaskSpec]) heartbeatLoop(shard consumer.Shard) {
  "assignment", shard.Assignment().Decoded,
  )
 
- // TODO(johnny): Notify control-plane of failure.
+ // Notify control-plane of the failure.
+ var now = time.Now()
 
+ var claims = pb.Claims{
+ RegisteredClaims: jwt.RegisteredClaims{
+ Subject: id.String(),
+ IssuedAt: jwt.NewNumericDate(now),
+ ExpiresAt: jwt.NewNumericDate(now.Add(time.Hour)),
+ },
+ }
+ var token, postErr = t.host.controlPlane.signClaims(claims)
+
+ var request = struct {
+ Token string `json:"token"`
+ Error string `json:"error"`
+ }{token, err.Error()}
+
+ var response struct {
+ // No response fields.
+ }
+
+ if postErr == nil {
+ postErr = callControlAPI(shard.Context(), t.host.controlPlane, "/notify/shard-failure", &request, &response)
+ }
+ if postErr != nil {
+ logrus.WithField("err", postErr).Error("failed to notify control plane of shard failure")
+ }
  return
  }
  }
@@ -325,9 +353,9 @@ func durationToNextInterval(now time.Time, period time.Duration) time.Duration {
 
 // intervalJitter returns a globally consistent, unique jitter offset for `name`
 // so that heartbeats are uniformly distributed over time, in aggregate.
-func intervalJitter(period time.Duration, name string) time.Duration {
+func intervalJitter(period time.Duration, id pc.ShardID) time.Duration {
  var w = fnv.New32()
- w.Write([]byte(name))
+ w.Write([]byte(id))
  return time.Duration(w.Sum32()%uint32(period.Seconds())) * time.Second
 }
 

diff --git a/go/runtime/task_test.go b/go/runtime/task_test.go
@@ -7,16 +7,17 @@ import (
  pf "github.com/estuary/flow/go/protocols/flow"
  "github.com/estuary/flow/go/protocols/ops"
  "github.com/stretchr/testify/require"
+ pc "go.gazette.dev/core/consumer/protocol"
 )
 
 func TestIntervalJitterAndDurations(t *testing.T) {
  const period = time.Minute
 
  for _, tc := range []struct {
- n string
- i time.Duration
+ id pc.ShardID
+ i  time.Duration
  }{{"foo", 35}, {"bar", 52}, {"baz", 0}, {"bing", 39}, {"quip", 56}} {
- require.Equal(t, time.Second*tc.i, intervalJitter(period, tc.n), tc.n)
+ require.Equal(t, time.Second*tc.i, intervalJitter(period, tc.id), tc.id)
 
  }