Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not cache failed futures for async security policies indefinitely. #10743

Merged
merged 5 commits into from
Jan 3, 2024
Merged

Do not cache failed futures for async security policies indefinitely. #10743

merged 5 commits into from
Jan 3, 2024

Conversation

mateusazis
Copy link
Contributor

Currently, if caching is enabled (as is often the case) and AsyncSecurityPolicy returns a failed future, then this future is cached forever, without giving the SecurityPolicy implementation a chance to be retried. Going forward, new invocations will trigger new security checks if the last one could not be completed successfuly.

Part of #10566.

@mateusazis
Do not cache failed futures for async security policies indefinitely.
5926b7e 
Currently, if caching is enabled (as is often the case) and AsyncSecurityPolicy returns a failed future, then this future is cached forever, without giving the SecurityPolicy implementation a chance to be retried. Going forward, new invocations will trigger new security checks if the last one could not be completed successfuly.

Part of grpc#10566.
@jdcormie
Copy link
Member

Can you share more context on this PR? I remember we discussed not having more than one async security policy check against the same uid in-flight at a time. But is there a reason to not cache negative outcomes too? How should we think about this change in the context of the SecurityPolicy javadoc that says "As long as any given UID has active processes, this method should return the same value for that UID. In order words, policy changes which occur while a transport instance is active, will have no effect on that transport instance." Thanks!

@mateusazis
Copy link
Contributor Author

Sure. Before this PR, any ListenableFuture<Status> provided by a AsyncSecurityPolicy was cached.

This PR addresses the case when the ListenableFuture ends up failing. This piece of code ends the call with status INTERNAL. By a mistake, though, we're caching that ListenableFuture of INTERNAL indefinitely and replying INTERNAL to all subsequent requests. Instead, we should cache only "legitimate" statuses to let the AsyncSecurityPolicy recover.

Please see the new unit tests in this CL; they are good examples of the behavior I'm trying to enable. Without the caching changes from this PR, these tests would fail because all requests would result in status INTERNAL.

In summary, as of this PR, we should have:

  • cancelled futures: NOT cached* (NEW)
  • failed futures: NOT cached* (NEW)
  • successful futures for any status: cached (existing behavior)

*: it's actually cached up until the next request, since I couldn't find a good way to remove the listenable future from the cache upon failure. Up to suggestions though.

@mateusazis mateusazis mentioned this pull request Jan 2, 2024
Closed
@markb74 markb74 self-requested a review January 3, 2024 13:34
markb74
markb74 approved these changes Jan 3, 2024
View reviewed changes
Copy link
Contributor

@markb74 markb74 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks good.

@markb74 markb74 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Jan 3, 2024
@grpc-kokoro grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Jan 3, 2024
@markb74 markb74 merged commit 5b082ca into grpc:master Jan 3, 2024
14 checks passed
@mateusazis mateusazis deleted the caching branch January 3, 2024 15:12
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jdcormie jdcormie jdcormie approved these changes

@markb74 markb74 markb74 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mateusazis @jdcormie @markb74 @grpc-kokoro