Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add fallback to cache.GetAccessList call #41258

Merged
merged 2 commits into from
May 8, 2024
Merged

Add fallback to cache.GetAccessList call #41258

merged 2 commits into from
May 8, 2024

Conversation

smallinsky
Copy link
Contributor

@smallinsky smallinsky commented May 7, 2024
edited
Loading

What

Issue: https://github.com/gravitational/teleport.e/issues/3938

CreateAccessList and AddAccessListMember flow depends on the cache propagation.

Add a fallback call for GetAccessList to prevent cache miss during fast chained CreateAccessList AddAccessListMember calls where access list needs to be present in cache during handling the AddAccessListMember call.

This is the same approach like CreateRole(Role: X) CreateUser(User[Role: X] where during user creation validaditon check if role x exist by doing a fallback call:

teleport/lib/cache/cache.go

Line 1935 in 5cb3a17

if trace.IsNotFound(err) && rg.IsCacheRead() {

Access List Flow:

  1. Access list sync during plugin creation imports okta groups as access list.
    It creates a empty access list https://github.com/gravitational/teleport.e/blob/master/lib/okta/accesslistsync.go#L319
  2. A new access list creation was not yet propagated to auth cache.
  3. Access List member reconsider does auth.upsertAccessListMember("member", "accessListID") but access list is not visible in auth cache.
  4. In the result if access list doesn't exist (not yet propagated to cache) the upsertAccessListMember call fails with AccessDenied error

changelog: Add fallback on GetAccessList cache miss call

@smallinsky smallinsky requested review from tigrato and r0mant May 7, 2024 12:53
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@smallinsky smallinsky requested a review from tcsc May 7, 2024 12:54
@smallinsky smallinsky force-pushed the smallinsky/access_list_cache_fallback branch from 5cb3a17 to 1018558 Compare May 7, 2024 12:55
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@smallinsky smallinsky changed the title Add fallback to Ceche.GetAccessList call Add fallback to cache.GetAccessList call May 7, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 8, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@smallinsky smallinsky added this pull request to the merge queue May 8, 2024
Merged via the queue into master with commit 1aea9b4 May 8, 2024
38 of 39 checks passed
@smallinsky smallinsky deleted the smallinsky/access_list_cache_fallback branch May 8, 2024 17:16
@public-teleport-github-review-bot
Copy link

@smallinsky See the table below for backport results.

Branch Result
branch/v14 Create PR
branch/v15 Create PR

@smallinsky smallinsky mentioned this pull request May 8, 2024
Merged
@smallinsky smallinsky mentioned this pull request May 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tigrato tigrato tigrato approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees
No one assigned
Labels
backport/branch/v14 backport/branch/v15 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@smallinsky @tigrato @rosstimothy