Multi tenant workspace cleaning #7243
Conversation
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
More precisely, the idea is to keep track of the userId that started a workspace and have the corresponding Subject always available and updated with the last connection information (mainly the last Keycloak token). Signed-off-by: David Festal <dfestal@redhat.com>
... to allow removing Openshift resources when a workspace is stopped (`removeContainer`, `removeImage`) even if the workspace user is not accessible through the current `EnvironmentContext`. Signed-off-by: David Festal <dfestal@redhat.com>
... This mainly consists in cleaning the workspace files *synchronously* instead of doing it in batch at che-server idling. The previous behavior remains unchanged if the che server is not multi-tenant. Signed-off-by: David Festal <dfestal@redhat.com>
... This allows cleaning the workspaces correctly also in the multi-tenant scenario. Signed-off-by: David Festal <dfestal@redhat.com>
davidfestal
requested review from
benoitf,
garagatyi,
l0rd,
riuvshin,
skabashnyuk and
vparfonov
as code owners
|
Can one of the admins verify this patch? |
benoitf
added
the
status/code-review
|
Can one of the admins verify this patch? |
|
ci-build |
|
Build # 4314 - FAILED Please check console output at https://ci.codenvycorp.com/job/che-pullrequests-build/4314/ to view the results. |
|
any idea why the CI build failed ? it seems from the console output that the maven build was successful but the the Jenkins job failed. |
|
|
| @@ -106,6 +106,7 @@ private void doStopServices() { | |||
| @PreDestroy | |||
| @VisibleForTesting | |||
| void shutdown() throws InterruptedException { | |||
| LOG.info("Synchronous shutdown requested"); | |||
There was a problem hiding this comment.
why ? is it a problem to have this log ? it's only called once on shutdown, but might be very useful to check that the post-destroy method is called on SIGTERM, which wasn't the case last week (for an unknown reason, this was fixed when updating to the last master branch).
There was a problem hiding this comment.
it's more the level of the logger
There was a problem hiding this comment.
well, the log level used in line 91 is also INFO, and the type of event is clearly the same, no ?
There was a problem hiding this comment.
It's my view on log events (there are other views ;-) I still think these events are not at INFO level.
People that are interested in a specific part want always to push to INFO level but many times it's more DEBUG info. I'm not sure it's interesting for end-user to see that by default.
|
ci-build |
|
Build success. https://ci.codenvycorp.com/job/che-pullrequests-build/4316/ |
Signed-off-by: David Festal <dfestal@redhat.com>
| @@ -266,6 +266,8 @@ echo "done!" | |||
| # If command == clean up then delete all openshift objects | |||
| # ------------------------------------------------------------- | |||
| if [ "${COMMAND}" == "cleanup" ]; then | |||
| echo "[CHE] Stopping the Che server..." | |||
| oc scale --replicas=0 --timeout=3h dc che | |||
There was a problem hiding this comment.
as a side note, do we really want to wait 3h there ?
There was a problem hiding this comment.
probably not :-) The idea though is to give enough time to stop all the workspaces started on the various external clusters / namespaces associated to users in the multi-tenant scenario.
There was a problem hiding this comment.
@l0rd What value would you give to this timeout ?
There was a problem hiding this comment.
Fixed in commit cc96961
| * @return workspace identifier | ||
| * @throws NotFoundException when no such machine token exists | ||
| */ | ||
| public String getWorkspaceId(String token) throws NotFoundException { |
There was a problem hiding this comment.
this method should be tested in multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistryTest.java
There was a problem hiding this comment.
Can't find where this method is used
There was a problem hiding this comment.
This method is used by the rh-che assembly, in order to get an up-to-date Keycloak token that we can inject into the Bayesian Language server when starting it.
See PR redhat-developer/rh-che#417, and especially this line
| import org.slf4j.Logger; | ||
|
|
||
| @Singleton | ||
| public class WorkspaceSubjectRegistry implements EventSubscriber<WorkspaceStatusEvent> { |
There was a problem hiding this comment.
it is missing unit tests and class comment like What is the meaning of this class, etc.
There was a problem hiding this comment.
Sure, sorry about that. I'll add it.
| } | ||
|
|
||
| @PostConstruct | ||
| @VisibleForTesting |
There was a problem hiding this comment.
I don't see the associated test ?
There was a problem hiding this comment.
see commit 4a4a4f0
| * @return workspace identifier | ||
| * @throws NotFoundException when no such machine token exists | ||
| */ | ||
| public String getWorkspaceId(String token) throws NotFoundException { |
There was a problem hiding this comment.
Can't find where this method is used
| import org.eclipse.che.commons.subject.Subject; | ||
| import org.slf4j.Logger; | ||
|
|
||
| @Singleton |
There was a problem hiding this comment.
Contract of this class is unclear. Looks like a cache of information that can be retrieved from other API or managers. Can you clarify a contract?
There was a problem hiding this comment.
It's a sort of cache yes, but I'll add Javadoc to the class, as well as tests, which I omitted.
There was a problem hiding this comment.
Javadoc added in commit 3b91135
| @@ -45,6 +49,7 @@ public final void doFilter( | |||
| Subject subject = new SubjectImpl("che", "che", "dummy_token", false); | |||
| HttpSession session = httpRequest.getSession(); | |||
| session.setAttribute("codenvy_user", subject); | |||
| workspaceSubjectRegistry.updateSubject(subject); | |||
There was a problem hiding this comment.
Why do we need to cache subject?
There was a problem hiding this comment.
for the reasons explained here
| private Subject subjectForContainerId(String containerId) { | ||
| String workspaceId = containerIdToWorkspaceId.get(containerId); | ||
| if (workspaceId != null) { | ||
| Subject subject = workspaceSubjectRegistry.getWorkspaceStarter(workspaceId); |
There was a problem hiding this comment.
Why we need to get Subject from cache instead of EnvironmentContext.getCurrent().getSubject();
There was a problem hiding this comment.
to manage the cases when OpenshiftConnector has to to some action on a workspace, triggered by a batch, non-UI event:
- start/stop of the che-server (which will stop ll workspaces during the shutdown procedure, which in turn will call
OpenshiftConnector.removeImage()andOpenshiftConnector.removeContainer(). - stop of the current workspace by the
activity-checkerdue to workspace idling, which will also callOpenshiftConnector.removeImage()andOpenshiftConnector.removeContainer().
In cases 1 and 2, the EnvironmentContext.getCurrent().getSubject() doesn't contain a valid subject that can be used to connect the Openshift cluster/namespace hosting the workspace.
- Start of the Bayesian language server: in this case, calling
EnvironmentContext.getCurrent().getSubject()on the wsmaster during a request coming from the wsagent would return the machine token instead of the Keycloak token insubject.getToken(), which is also wrong.
There was a problem hiding this comment.
it would be great if subject is not cached
why batch jobs can't send the required data ? or why associated subject is not propagated ? on removeContainer ?
There was a problem hiding this comment.
@benoitf in those 3 scenarios, currently (before this PR) the required user information (contained in the subject) is available nowhere in the wsmaster application. And since these 3 scenarios are triggered by some non-interactive event (idling, tomcat shutdown hook, internal event indirectly triggered by the language server registry), we have no way to send or propagate the user information, afaik.
To be clear, on the other hand, workspace stop initiated by the user himself from the Javascript UIs (GWT or Dashboard) was already working great.
| if (WorkspaceStatusEvent.EventType.STARTING.equals(event.getEventType())) { | ||
| Subject subject = EnvironmentContext.getCurrent().getSubject(); | ||
| if (subject == Subject.ANONYMOUS) { | ||
| LOG.warn("Workspace {} is being started by the 'anonymous' user.", workspaceId); |
There was a problem hiding this comment.
This case is impossible AFAIK. Shall we throw an error instead?
There was a problem hiding this comment.
if you confirm that workspace start always happens as a direct result of a user action in the client-side Javascript application, then I'm not against it.
There was a problem hiding this comment.
Done in commit 9d94514
benoitf
added
the
kind/task
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
| private final EventService eventService; | ||
| private final ReadWriteLock lock = new ReentrantReadWriteLock(); | ||
| private final Map<String, Subject> workspaceOwners = new HashMap<>(); | ||
| private final Multimap<String, String> userIdToWorkspaces = |
There was a problem hiding this comment.
@davidfestal I propose to replace Multimap and Map to next mapping:
Map<String, String> workspaceId2UserId
Map<String, Subject> userId2Subjectcases:
1. when the workspace is stopped
...
String userId = workspaceId2UserId.remove(workspaceId);
if(userId != null) {
userId2Subject.remove(userId);
}
...2. when the workspace is started
...
workspaceId2UserId.put(workspaceId, subject.getUserId());
updateSubject(Subject subject);
...
public void updateSubject(Subject subject) {
String token = subject != null ? subject.getToken() : null;
if (token != null && token.startsWith("machine")) {
return;
}
...
userId2Subject.put(subject.getUserId(), subject);
...
}3. get subject by workpsace id:
public Subject getWorkspaceStarter(String workspaceId) {
...
String userId = workspaceId2UserId.get(workspaceId);
if(userId != null) {
return userId2Subject.get(userId);
}
return null;
...
}WDYT?
There was a problem hiding this comment.
It seems to me that this proposal doesn't support starting 2 workspaces with the same user and then stopping only one of both. The user Subject would be lost though it is still useful for the second workspace.
Or did I miss something ?
There was a problem hiding this comment.
yes, I missed that and the first case when the workspace is stopped should look like this:
String userId = workspaceId2UserId.remove(workspaceId);
if(userId != null && !workspaceId2UserId.values().contains(userId)) {
userId2Subject.remove(userId);
}There was a problem hiding this comment.
also it seems to me that in this proposal, updateSubject(Subject subject) would allow adding in the userId2Subject map a userId that wasn't previously associated to a workspace. In such a case, it will never be removed from the map and we have a memory leak, no ?
Could you explain what seems like a problem for you in the current implementation ?
There was a problem hiding this comment.
Basically leak that you described is possible, but I thought that the start of the workspace it is the only case when this method is used and it can be solved by adding a check like:
if (workspaceId2UserId.values().contains(userId)) {
userId2Subject.put(subject.getUserId(), subject);
}What I'm trying to improve it is the mapping of:
1 user to n workspaces and n workspaces to 1 subject
to
n workspaces to 1 user and 1 user to 1 subject.
Do you see what I mean?
There was a problem hiding this comment.
Yes, I see, but I'm not sure performance would be better in the updateSubject() method, knowing that you potentially need to iterate the whole list of started workspaces.
And the updateSubject() method should be as fast as possible, since it's called each time a client request comes to the wsmaster.
Another point: with your proposal, getWorkspaceStarter() requires 2 hash map get calls instead of one.
In fact the idea of the current implementation was to optimize performance in those 2 methods that are called much more often than the workspace start or stop methods.
There was a problem hiding this comment.
@davidfestal I see, so let it be as it is.
... as suggested by @skabashnyuk [here](eclipse-che#7243 (comment)) Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
|
ci-build |
Signed-off-by: David Festal <dfestal@redhat.com>
|
@skabashnyuk @benoitf @akorneta I tried to answer all your comments, but I might have missed some. Could you tell me if you still have pending comments / questions that still didn't get a satisfying answer ? |
|
Build success. https://ci.codenvycorp.com/job/che-pullrequests-build/4320/ |
Signed-off-by: David Festal <dfestal@redhat.com>
davidfestal
force-pushed
the
multi-tenant-workspace-cleaning
branch
from
50930e3
to
e7050f0
Compare
|
ci-build |
benoitf
removed
the
status/code-review
|
Build success. https://ci.codenvycorp.com/job/che-pullrequests-build/4321/ |
What does this PR do?
This PR introduces changes required to support some multi-tenancy use-cases that were not supported until now:
These 2 use-cases are critical to allow OSIO multi-tenancy to go to production.
What issues does this PR fix or reference?
redhat-developer/rh-che#370