New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#1475 user auth (steps 1 & 2) - configurable public access #1480
Conversation
|
||
import cylc.flags | ||
|
||
def get_task_cycle_statuses_updatetime(host, suite, owner=None): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took this out of gsummary.py to use it in cylc-scan as well. However, now I'm getting the state totals from the "suite identity" (scan) interface in the daemon, and this can go back to gsummary (just for computing stop summaries)...
Yes, this is moving Other thoughts:
|
I think so, perhaps with a -A option to display all users' suites. |
9b48b94
to
8464166
Compare
Branched rebased onto master and squashed. To limit the scope of this pull request, I have punted gsummary changes to #1488 after adapting it minimally to the new scan command (it still gets all task state totals from |
11f44ab
to
700853e
Compare
note - port files removed, no longer needed [update: I've gone back on this - port files restored https://github.com//pull/1480#issuecomment-109964703] Now that port scanning is more efficient (except for back compat with older suite daemons) we can get suite port numbers by scanning instead of using ssh to cat the port file. Advantages of this:
|
6279ea9
to
2076f37
Compare
Note - once we get rid of passphrases stored in suite definition directories we'll no longer need to consult the suite registration db at run-time (it's currently used to find the passphrase) |
Do we not still need to have some sort of file around to indicate the suite is running in the event network access to a suite host machine has failed? |
@hjoliver To elaborate @arjclark 's comment, consider a farm of suite servers with a shared file system, we need to have a mechanism to prevent a suite from running on multiple servers. Does this change handle this kind of situation? A separate point, I suppose the |
Does it also mean that |
@arjclark and @matthewrmshin - the full test battery now passes in my environment on this branch ... but I think you're probably right. Also, after some testing I already had concerns that while scanning all ports is now much faster, it may not be fast enough under all circumstances to trump using the port file... I'll look into this tomorrow, and will restore the port file if necessary. |
(I reverted the port file change today; just ran the test battery on my laptop and two of the restart tests are failing - one of them is also failing on master - I'll look at these tomorrow ... then this should be ready for review) |
I've had problems with one of the restart tests recently but it eventually ran fine when that test was run on its own. |
d3ab4e2
to
f4000a4
Compare
(@kaday - branch updated from master, is merge-able again. One conflict resolved in |
(Ouch, nasty conflicts here now...) |
Conflicts: bin/cylc-cat-log bin/cylc-cycle-point bin/cylc-jobscript bin/cylc-trigger lib/cylc/CylcOptionParsers.py lib/cylc/scheduler.py
Branch updated. Test battery still passes. |
|
That said, if you think that scan is slower on this branch than 6.5.0 we should investigate... |
Backwards compatibility with |
I believe there is a speed issue with I ran it on cylc 6.4.1 and had multiple suites at multiple versions and it took 22 seconds. I ran it on cylc 6.5.0 with one suite and it took 22 seconds. I ran it on the branch with only one suite that was the branch version and it took 53 seconds. |
Some quick timing information (seconds) on how long it takes to run the
|
(I'll do more time analysis tomorrow.) |
(This time with number of suites on hosts. All hosts running mainly suites at 6.5.0, 6.4.1, or below.)
|
OK, thanks for that - I did find a typo that slowed down scanning of new suites a bit. It wouldn't affect your results (all old suites), but I'm not convinced there is a problem. On each occupied port, if an initial attempt at new authentication fails with "connection denied", we try again (old-style) with all passphrases - so new-style scan should be slower for old suite daemons: it is roughly equivalent to old scan plus one attempt at new authentication. This shouldn't have a large impact though, and it is a temporary - new scan of new suites should be faster than old scan. Timings (mean of 10 scans) on my laptop VM seem to confirm this:
Note that old scan slows down with the number of registered suites (because there's more passphrases to try). |
Note I've added two shell scripts to |
So, I can confirm the benefit of this branch when most suites have moved up to this version or above. |
Excellent that there is not a speed problem once all suites are on the new version. @hjoliver |
My issue with speed seemed to be linked to the extensive number of suites I had in my cylc-run/ directory. Much quicker now! |
Strictly speaking it is the number of registered suites that matters ( |
Done (well, the one caveat you mentioned explicitly - are there others?). |
All passes in test battery in my environment. Working in my environment. Looks okay to me. |
#1475 user auth (steps 1 & 2) - configurable public access
Compat with before and after cylc/cylc-flow#1480
First part of #1475 - use a custom connection validator to authorize a client for free access to scan data (no passphrase required) or full control access (with the standard suite passphrase).
For the next step (not in this pull request) this new connection validator can easily be made to work with a user+password file for control or read-only authorization of individual users, instead of a single passphrase required by all authorized users - we just need to decide on details (e.g. do we want to allow authorization to multiple suites at once...)
As a side effect, this change greatly simplifies port scanning - no need to try all passphrases on each port (except in a much cleaned-up back compat mode for existing older suite daemons).
Also,
cylc scan
can now see all suites (not just the user's) and I've allowed it to retrieve minimal task state totals as well as name and owner, which makes it a CLI version ofcylc gsummary
- hence this can close #578. Do we agree that this is an appropriate extension tocylc scan
?[update: global config scan groups taken out in favour of simple suite name and owner options]
[update: outdated image removed; see new version below]
[update: gsummary comments shifted to a new issue #1488]
Close #577