Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose new Admin endpoint on orderer for the channel participation API #1939

Merged
merged 2 commits into from
Oct 26, 2020

Conversation

wlahti
Copy link
Contributor

@wlahti wlahti commented Sep 28, 2020

Type of change

  • New feature

Description

First commit

  • split out common system logic for http endpoints from existing operations system code

Second commit

  • expose new Admin endpoint on the orderer and move the channel participation API to this endpoint

Related issues

FAB-18246

@wlahti wlahti requested a review from a team as a code owner September 28, 2020 20:41
@wlahti wlahti changed the title Expose new Admin endpoint on orderer Expose new Admin endpoint on orderer for the channel participation API Sep 28, 2020
# - This configures the admin server endpoint for the orderer
#
################################################################################
Operations:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused, why do you have another operations endpoint, exactly like the existing one?

Aren't both endpoints supposed to be used by users possessing local admin credentials? Why do you need a separate port, isn't it possible to use the existing one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that the role using this admin endpoint to join/leave channels and the role using the operations endpoint to access metrics, change log levels. etc. are distinct and should be configurable separately.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the key here is that the identity performing operations is not a Fabric admin, it's a system admin. We would not want the identity used to perform health check, pull metrics, or modify log level to be the same identity responsible for joining/leaving channels. This is something that @sykesm brought up during the RFC review process and a new port is the simplest option going forward. In the future, the plan is to bring some non-MTLS authentication mechanism in, but that it outside the scope of the channel participation effort.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the key here is that the identity performing operations is not a Fabric admin, it's a system admin. We would not want the identity used to perform health check, pull metrics, or modify log level to be the same identity responsible for joining/leaving channels.

You can still accomplish this with a single port. You can allow both types of connections and then classify the client by its certificate.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a new port is the simplest option going forward.

I agree. It is much simpler this way.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yacovm

I'm confused,

rightly so, it's a typo, should be Admin:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, thanks for clarifying, Yoav. Definitely overlooked this. Fixed.

@wlahti
Copy link
Contributor Author

wlahti commented Sep 29, 2020

Opened a new flake, FAB-18251, for the earlier flake (and pushed a likely fix: #1941). Current flake is FAB-16233. Grabbed the logs for that one and I'll take a look to see if anything jumps out.

TLS TLS
}

type System struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This name stutters, and I'm generally a little confused by the choice of package name. As a reader I would struggle to know what a system.System logically represents. I'd invite feedback for a better name... the more natural one would be http.Server or similar, but there is the obvious mental conflict with the stdlib. Maybe something like fabhttp.Server or mtlshttp.Server or... hopefully someone else has a better thought, but I really don't love system.System.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. Of those options, fabhttp.Server seems more obvious to me in terms of describing what it is.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to fabhttp.Server for now.

func NewSystem(o Options) *System {
logger := o.Logger
if logger == nil {
logger = flogging.MustGetLogger("system.runner")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this system.runner instead of simply the package name? What value does runner add?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was following what's there in the operations system code. I'm not opposed to renaming this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed.

Version string
}

type System struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasn't the whole point of factoring the operations.System out into system.System so that you could re-use it? This seems like entirely duplicated code?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, I'm honestly not sure what happened with the code here. It looks like I messed things up when I split things into two commits. I'll get this back to what I intended and push an update...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, this was my first pass making sure I understood the common code that was needed before splitting it out into a separate package. I'll remove this dead code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

# - This configures the admin server endpoint for the orderer
#
################################################################################
Operations:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the key here is that the identity performing operations is not a Fabric admin, it's a system admin. We would not want the identity used to perform health check, pull metrics, or modify log level to be the same identity responsible for joining/leaving channels. This is something that @sykesm brought up during the RFC review process and a new port is the simplest option going forward. In the future, the plan is to bring some non-MTLS authentication mechanism in, but that it outside the scope of the channel participation effort.

Comment on lines 903 to 912
func newAdminServer(ops localconfig.Admin) *fabhttp.Server {
return fabhttp.NewServer(fabhttp.Options{
Logger: flogging.MustGetLogger("orderer.admin"),
ListenAddress: ops.ListenAddress,
TLS: fabhttp.TLS{
Enabled: ops.TLS.Enabled,
CertFile: ops.TLS.Certificate,
KeyFile: ops.TLS.PrivateKey,
ClientCertRequired: ops.TLS.ClientAuthRequired,
ClientCACertFiles: ops.TLS.ClientRootCAs,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ops is not the right name for this argument... copy & paste error I assume.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

# - This configures the admin server endpoint for the orderer
#
################################################################################
Operations:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a new port is the simplest option going forward.

I agree. It is much simpler this way.

Comment on lines 337 to 344
################################################################################
#
# Admin Configuration
#
# - This configures the admin server endpoint for the orderer
#
################################################################################
Operations:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This field should be called Admin:, we already have Operations: above.
This probably means we're missing a unit tests that loads an updated orderer.yaml.

# - This configures the admin server endpoint for the orderer
#
################################################################################
Operations:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yacovm

I'm confused,

rightly so, it's a typo, should be Admin:

TLS:
Enabled: {{ .TLSEnabled }}
PrivateKey: {{ $w.OrdererLocalTLSDir Orderer }}/server.key
Certificate: {{ $w.OrdererLocalTLSDir Orderer }}/server.crt
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this (using OrdererLocalTLSDir) mean that in all the tests we share the crypto material of the Operations and Admin endpoints?
Is this what we want?
Is there a testing benefit for separating OrdererLocalTLSDir from say, OrdererAdminTLSDir?

@tock-ibm
Copy link
Contributor

Update commit message to reflect package names after last commit.

@wlahti
Copy link
Contributor Author

wlahti commented Oct 12, 2020

Update commit message to reflect package names after last commit.

Thanks for catching this. Noticed it last week but forgot to get back to updating it.

@tock-ibm
Copy link
Contributor

Looks good to me.

tock-ibm
tock-ibm previously approved these changes Oct 13, 2020
Move the common logic for http server/handler and TLS
authentication used by the operations.System into a
separate fabhttp.Server and refactor the operations.System
to embed the server. This is being done to allow reuse of
the common code for the orderer Admin endpoint, which will
host the Channel Participation API.

FAB-18246

Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
Move the channel participation API to use this
endpoint.

FAB-18246 #done

Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
@wlahti
Copy link
Contributor Author

wlahti commented Oct 26, 2020

Just a rebase on master since this has been sitting around a while.

return server
}

func (s *Server) Run(signals <-chan os.Signal, ready chan<- struct{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be missed that, but where do you use this method? It's seems unused.

Copy link
Contributor Author

@wlahti wlahti Oct 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This allows us to run as an ifrit.Runner. It's currently used in tests via ifrit.Invoke. I preserved this functionality as it was added by Matt when he implemented the operations service.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, thanks for the clarification.

@C0rWin C0rWin merged commit d59af2c into hyperledger:master Oct 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants