Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Use caching authorizers per-workspace in initializingworkspaces/builder #2477

Merged
merged 1 commit into from
Jan 11, 2023
Merged

🌱 Use caching authorizers per-workspace in initializingworkspaces/builder #2477

merged 1 commit into from
Jan 11, 2023

Conversation

vincepri
Copy link
Contributor

This changeset is scoped to the virtual/initializingworkspace package.

Signed-off-by: Vince Prignano vince@prigna.com

Summary

Related issue(s)

Fixes #

@openshift-ci openshift-ci bot requested review from ncdc and shawn-hurley December 12, 2022 17:29
@vincepri vincepri changed the title 🌱 Use caching authorizers per-workspace 🌱 Use caching authorizers per-workspace in initializingworkspaces/builder Dec 12, 2022
vincepri
vincepri commented Dec 12, 2022
View reviewed changes
hack/logcheck.out Outdated Show resolved Hide resolved
ncdc
ncdc reviewed Dec 12, 2022
View reviewed changes
Copy link
Member

@ncdc ncdc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT overall. Would like @s-urbaniak to review the authz/audit pieces

pkg/virtual/initializingworkspaces/builder/caching_authorizer.go Outdated

authz, err := c.loadOrStore(workspace)
if err != nil {
return authorizer.DecisionNoOpinion, "error", err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@s-urbaniak would appreciate guidance on what to use here for the reason

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As commented above, reason can be left empty string, however the error should be anonmyized.

pkg/virtual/initializingworkspaces/builder/caching_authorizer.go Outdated
workspace, name, err := initialization.TypeFrom(tenancyv1alpha1.ClusterWorkspaceInitializer(dynamiccontext.APIDomainKeyFrom(ctx)))
if err != nil {
logger.V(2).Info(err.Error())
return authorizer.DecisionNoOpinion, "unable to determine initializer", fmt.Errorf("access not permitted")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@s-urbaniak PTAL

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is taken 1:1 from the current implementation, so if anything I suggest to take improvements as a separate PR. However, my comment for this (and thus the previous implementation):

However, it's ok to address this as a follow-up as this PR introduces caching of delegated authorizers only.

@vincepri
Copy link
Contributor Author

/test e2e-shared

@openshift-merge-robot openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Dec 23, 2022
@s-urbaniak
Copy link
Contributor

As this is caching delegated authorizers and not authorize decisions per se I would be rather explicit about this in the godocs by saying that this caches authorizers per requested logical cluster and each cached authorizer additionally caches "allow" results (TTL being 5 minutes) and "deny" results (TTL being 30 seconds) per requested attributes. So it is rather a "cache of caches".

Additionally I suggest to add an additional constructor in the delegated authorizer and have the TTLs configurable so we know the exact timings here rather than on relying on central defaults (

kcp/pkg/authorization/delegated/authorizer.go

Lines 38 to 39 in 8d95d65

AllowCacheTTL: 5 * time.Minute,
DenyCacheTTL: 30 * time.Second,
) so we have local overall predictable cache behavior here in the constructor.

@openshift-ci openshift-ci bot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Jan 3, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 10, 2023
@s-urbaniak
Copy link
Contributor

/lgtm

@openshift-merge-robot openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 10, 2023
ncdc
ncdc reviewed Jan 11, 2023
View reviewed changes
pkg/authorization/delegated/caching_authorizer.go Outdated
// load loads the authorizer from the cache, if any.
func (c *cachingAuthorizer) load(clusterName logicalcluster.Name) authorizer.Authorizer {
value, ok := c.cache.Get(clusterName)
if !ok && value == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

||?

ncdc
ncdc reviewed Jan 11, 2023
View reviewed changes
pkg/authorization/delegated/caching_authorizer.go Show resolved Hide resolved
pkg/authorization/delegated/caching_authorizer.go Show resolved Hide resolved
pkg/authorization/delegated/caching_authorizer.go Show resolved Hide resolved
pkg/authorization/delegated/caching_authorizer.go Show resolved Hide resolved
pkg/authorization/delegated/caching_authorizer.go Outdated

// NewCaching creates a new Authorizer that holds an internal cache of
// Delegated Authorizer(s).
func NewCaching(client kcpkubernetesclientset.ClusterInterface, auth CachingAuthorizerFunc, opts CachingOptions) *cachingAuthorizer {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would call this NewCachingAuthorizer

@vincepri
🌱 Use caching authorizers per-workspace
c1ef69c 
This changeset is scoped to the virtual/initializingworkspace
package.

Signed-off-by: Vince Prignano <vince@prigna.com>
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 11, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 11, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 11, 2023
@vincepri
Copy link
Contributor Author

/test e2e-multiple-runs

1 similar comment
@vincepri
Copy link
Contributor Author

/test e2e-multiple-runs

@vincepri
Copy link
Contributor Author

/retest

1 similar comment
@vincepri
Copy link
Contributor Author

/retest

@openshift-merge-robot openshift-merge-robot merged commit 5d77df7 into kcp-dev:main Jan 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@s-urbaniak s-urbaniak s-urbaniak left review comments

@ncdc ncdc ncdc approved these changes

@shawn-hurley shawn-hurley Awaiting requested review from shawn-hurley

Assignees

@ncdc ncdc

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@vincepri @s-urbaniak @ncdc @sttts @openshift-merge-robot