INS-12991: Redis authentication support #101
Conversation
|
Another thing to add to the todo is to do a rough benchmark, e.g. redis auth enabled on against the examples/redis-passthrough and maybe examples/redis-cluster using the redis benchmark toolset (e.g. The real todo is to include the benchmarks in CI/CD... |
|
Regarding benchmarking this change. There is now a PR for benchmarking on PR via criterion and cargo bench. In addition, criterion now supports async function benchmarking, which should make writing micro benchs fairly easy. |
XA21X
force-pushed
the
INS-12991-auth-support
branch
2 times, most recently
from
d408419
to
9348d6c
Compare
|
Can we pull the DockerComposeContext refactor into its own PR? |
|
To resolve the merge conflicts, at this point it might be easier to start from scratch on the latest main branch and copy over the changes manually. |
XA21X
force-pushed
the
INS-12991-auth-support
branch
from
f0cb297
to
8cd8301
Compare
XA21X
force-pushed
the
INS-12991-auth-support
branch
from
9c38b84
to
4c44b9e
Compare
| args.get(streams_position + 1) | ||
| .and_then(RoutingInfo::for_key) | ||
| } | ||
| b"AUTH" => Some(RoutingInfo::Other(Command::AUTH)), |
There was a problem hiding this comment.
I think I'm confused here, wouldn't we want to route the auth command to all upstream redis nodes rather than a random one?
There was a problem hiding this comment.
AUTH needs special handling (try auth -> switch context -> new connection pool) instead of forwarding to any nodes. The RoutingInfo::Other means this command needs to be handled outside. i.e. it's like Err(command) vs Ok(routes).
| let sender = self.get_channels(&message.original).await; | ||
| let command = match &message.original { | ||
| RawFrame::Redis(Frame::Array(ref command)) => command, | ||
| RawFrame::Redis(_) => { |
There was a problem hiding this comment.
Redis supports some form of inline commands (e.g. so it's easier for telnet clients to interact with). Iirc the codec should error out long before we get here, but it might be worth short circtuiting an error into responses with a helpful error message back to the client.
There was a problem hiding this comment.
Yeah, I only added this to avoid unhandled panics. Not sure what was blocking me from short circuit, will try again.
There was a problem hiding this comment.
Inline commands are unsupported and therefore blocked by the codec framing so we can't provide a better message from here. The connection gets killed if as much as a single unexpected byte is out of place.
Syntax errors which have valid framing will now report back to the client:
❯ echo -n -e "*1\r\n:1000\r\n" | nc 127.0.0.1 6379
-ERR transform error: syntax error: bad command name
~
❯ echo -n -e ":1000\r\n" | nc 127.0.0.1 6379
-ERR transform error: syntax error: bad command
shotover-proxy/src/transforms/redis_transforms/redis_cluster.rs
Outdated
Show resolved
Hide resolved
|
I'm really struggling to get my head around this PR. |
| redis::cmd("GET").arg("{x}key3").query(&mut connection), | ||
| Ok("food".to_string()) | ||
| ); | ||
| // To reproduce the auth mixing issue caused by using PoolConnections: |
There was a problem hiding this comment.
Is this problem solved?
If so lets write a proper test for it instead of this comment.
If not lets raise an issue for us to follow up on it instead of this comment.
There was a problem hiding this comment.
The underlying problem isn't solved - using the PoolConnections transform will violate assumptions that the auth implementation relies on. I'll raise an issue and remove this comment (but leave the test).
shotover-proxy/src/transforms/redis_transforms/redis_cluster.rs
Outdated
Show resolved
Hide resolved
|
LGTM Two minor fixes: Sort these out and we can merge :D :D :D |
TODO:
Closes #91