credentials: implement file-based JWT Call Credentials (part 1 for A97) #8431
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #8431 +/- ##
==========================================
- Coverage 82.27% 81.92% -0.35%
==========================================
Files 414 415 +1
Lines 40424 40643 +219
==========================================
+ Hits 33259 33297 +38
- Misses 5795 5966 +171
- Partials 1370 1380 +10
@dfawley hey 👋 Given you approved A97, would you mind having a cursory look at the PR to confirm if at least at a high level the approach looks good?
I will take a look at this, I need to go through the gRFC first.
Sorry for the delay here. @easwars would you be able to review this change? I think you have more background into some of the things than I do, like the bootstrap integration. Thank you!
Thank you for your contribution @dimpavloff. Yes, it would be nice if you can split this into smaller PRs. I will continue to use this PR to review the JWT call credentials implementation. If you can move the xDS implementation out to one or more PRs, I would greatly appreciate that and would be happy to review them as well.
// Verify cached expiration is 30 seconds before actual token expiration | ||
impl := creds.(*jwtTokenFileCallCreds) | ||
impl.mu.RLock() |
Please only test the API surface. Relying on implementation internals in tests makes them brittle and would result in test changes when any change to the implementation is made.
I assume you are referring to using a private field rather than obtaining mu specifically.
In general I agree -- white box tests may get fragile and break during a refactor. However, this test and the next couple of ones are about the caching behaviour -- it is meant to be transparent to the external API. If I don't make assertions about the private fields, the tests may pass trivially and become more flaky (e.g. when testing the backoff in the next test).
One alternative could be factoring these behaviours out into a separate private struct with "public" functions which expose the same information. Given that it would require shifting the majority of the implementation into that struct, I'm not sure it is an improvement from the current approach.
Please do let me know your thoughts and if you have other suggestions.
Thanks for taking care of all of my comments. I think I'm mostly happy with where we are at now. I'll follow up on the two open issues and get back to you soon.
if err == nil { | ||
t.Fatalf("GetRequestMetadata() expected error, got nil") | ||
} | ||
if !strings.Contains(err.Error(), tt.wantErrContains) { |
Will check with folks on the team and will get back to you soon on this. Thanks.
impl := creds.(*jwtTokenFileCallCreds) | ||
impl.mu.Lock() | ||
cachedErr := impl.cachedError | ||
retryAttempt := impl.retryAttempt | ||
nextRetryTime := impl.nextRetryTime | ||
impl.mu.Unlock() |
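Review bot: the reads of cachedError, retryAttempt and nextRetryTime in this block are guarded by impl.mu.Lock(), whereas the expiration check in the earlier test snippet reads under impl.mu.RLock(). Nothing is written here, so RLock()/RUnlock() would be enough and would keep the two tests consistent.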
Please consider declaring the backoff function as a package level variable that can be overridden from here. That way, you can easily verify the retry attempt and inject any value that you want from the backoff function. This is an example of a test that overrides the backoff function used by the code under test. See:
func (s) TestADS_BackoffAfterStreamFailure(t *testing.T) {
I'm not sure if that would help much. The struct is storing the backoff duration in nextRetryTime which I am already able to mutate directly in the tests which would be simpler than through an overridden backoff function.
// Fast-forward the backoff retry time to allow next retry attempt. | ||
impl.mu.Lock() | ||
impl.nextRetryTime = time.Now().Add(-1 * time.Minute) | ||
impl.mu.Unlock() |
So, if we override the backoff function, we won't need to change the internal fields of the creds. We can simply control the returned value from the overridden backoff function.
The backoff function will need to be configured what delay to return before GetMetadata is called. This result is then stored in nextRetryTime in the implementation. Subsequent calls will continue to consult nextRetryTime until another attempt is made.
Therefore, in this test, before the first call, I would have to estimate what is a good delay such that it's long enough for the first and second call to be covered (i.e. second call is cached) but short enough for the third call to trigger a retry. Obviously, this would be extremely flaky. Alternatively, it would require that I create a deadline in the backoff function which is shared with the rest of the test and the deadline is awaited on this line. To me this seems more complicated than mutating the private field to a negative value to force the retry and it will make the test slower because I still need to overestimate the duration for the first and second calls.
LMK if you still want to proceed.
Could you please add a TODO in the tests that access/mutate internal state to rewrite/change them to not do that. We can handle it as a low priority task at some point in time.
Thank you for taking care of all the comments.
Moving to @arjan-bal for second set of eyes.
Part one for grpc/proposal#492 (A97).
This is done in a new credentials/jwt package to provide file-based PerRPCCallCredentials. It can be used beyond XDS. The package handles token reloading, caching, and validation as per A97. There will be a separate PR which uses it in xds/bootstrap.
Whilst implementing the above, I considered credentials/oauth and credentials/xds packages instead of creating a new one. The former package has NewJWTAccessFromKey and jwtAccess which seem very relevant at first. However, I think the jwtAccess behaviour seems more tailored towards Google services. Also, the refresh, caching, and error behaviour for A97 is quite different than what's already there and therefore a separate implementation would have still made sense.
WRT credentials/xds, it could have been extended to both handle transport and call credentials. However, this is a bit at odds with A97 which says that the implementation should be non-XDS specific and, from reading between the lines, usable beyond XDS.
I think the current approach makes review easier but because of the similarities with the other two packages, it is a bit confusing to navigate. Please let me know whether the structure should change.
Relates to istio/istio#53532
RELEASE NOTES:
credentials/jwt package providing file-based JWT PerRPCCredentials (A97)
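An added example, not code from this PR or from grpc-go: a minimal sketch of the caching rules the review threads above exercise (token cached until 30 seconds before its expiry, load error cached until the backoff elapses), with the clock and backoff injected so a test can drive retries through the public method alone. All names (tokenCache, load, now, backoff) are hypothetical, and file reading and JWT parsing are assumed to sit behind the load hook.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// tokenCache: hypothetical single-goroutine sketch (no mutex); every name here is an assumption.
type tokenCache struct {
	load            func() (token string, exp time.Time, err error) // reads the file, parses exp
	now             func() time.Time                                // injectable clock
	backoff         func(attempt int) time.Duration                 // injectable backoff policy
	token           string
	expiry, nextTry time.Time // expiry is the exp claim minus 30s
	err             error     // cached load error
	attempt         int
}

// Token returns a fresh cached token, or the cached error while backing off, else reloads.
func (c *tokenCache) Token() (string, error) {
	now := c.now()
	if c.token != "" && now.Before(c.expiry) {
		return c.token, nil
	}
	if c.err != nil && now.Before(c.nextTry) {
		return "", c.err // still backing off: load is not called
	}
	tok, exp, err := c.load()
	if err != nil {
		c.err, c.nextTry = err, now.Add(c.backoff(c.attempt))
		c.attempt++
		return "", err
	}
	c.token, c.expiry, c.err, c.attempt = tok, exp.Add(-30*time.Second), nil, 0
	return tok, nil
}

func main() {
	clock := time.Unix(1000, 0) // constructed fake time
	c := &tokenCache{
		load:    func() (string, time.Time, error) { return "", time.Time{}, errors.New("token file missing") },
		now:     func() time.Time { return clock },
		backoff: func(int) time.Duration { return 10 * time.Second },
	}
	_, err1 := c.Token()
	clock = clock.Add(11 * time.Second) // step the fake clock past the backoff; no sleeping
	_, err2 := c.Token()
	fmt.Println(err1, err2, "attempts:", c.attempt)
}
```

Because both hooks are fields, a test can assert on how often load ran and which attempt numbers reached backoff without reading or rewriting the cache's private state.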