Add plugin version to GRPC interface #17088
Conversation
swenson
force-pushed
the
vault-8143/plugin-version-grpc
branch
from
d590e4b
to
0886a5d
Compare
|
It looks like a lot of the failed tests are using the PassthroughBackend, so I wonder if that needs another type assertion in request_handling.go and the factory wrapped in request_handling_test.go: diff --git a/vault/request_handling.go b/vault/request_handling.go
index b37085c83c..95243bb38a 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1076,7 +1076,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
return nil, auth, retErr
}
- if ptbe, ok := matchingBackend.(*PassthroughBackend); ok {
+ if ptbe, ok := matchingBackend.(builtinVersionBackend).backend.(*PassthroughBackend); ok {
if !ptbe.GeneratesLeases() {
registerLease = false
resp.Secret.Renewable = false
diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go
index cfdea525f7..b79601039b 100644
--- a/vault/request_handling_test.go
+++ b/vault/request_handling_test.go
@@ -17,7 +17,7 @@ import (
func TestRequestHandling_Wrapping(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
- core.logicalBackends["kv"] = PassthroughBackendFactory
+ core.logicalBackends["kv"] = wrapFactoryAddBuiltinVersion(PassthroughBackendFactory)
meUUID, _ := uuid.GenerateUUID()
err := core.mount(namespace.RootContext(nil), &MountEntry{ |
|
Thanks @tvoran for the tip about the passthroughbackend -- that was exactly the problem. |
|
I converted this into a draft since I have a bit more work to do before it's quite ready. I went ahead and removed the plugin wrapper and used the build information to get the plugin version, as Tom suggested, which simplifies things a little. |
Unlike the POC, I went ahead and added it into the main interface. So far in my testing, this has been safe to do. I also took a slightly different approach for how to include the `v1.12.0+builtin` version in the builtin plugins: I added a new wrapper struct that sets the version to the "builtin" version if it isn't already set, and I wrap all of the builtin factories with that when we create the map of factories. This way we don't have to update every builtin plugin to add the version logic. If we do want to version those plugins separately, though, we will be able to do so. There are still some TODOs before merging this, I feel, but this is getting large so I wanted to check in: * [ ] More manual testing with existing plugins and updated (with version) ones * [ ] Update identity/cubbyhole/sys/etc. special backends to support version method.
…since we won't need it anymore
swenson
force-pushed
the
vault-8143/plugin-version-grpc
branch
from
34ec9ba
to
4626aa8
Compare
swenson
force-pushed
the
vault-8143/plugin-version-grpc
branch
from
6e99f04
to
fdf2894
Compare
We use a placeholder backend (previously a framework.Backend) before a GRPC plugin is lazy-loaded. This makes us later think the plugin is a builtin plugin. So we added a `placeholderBackend` type that overrides the `IsExternal()` method so that later we know that the plugin is external, and don't give it a default builtin version.
| @@ -874,42 +869,3 @@ func isPluginType(s string) bool { | |||
| _, err := consts.ParsePluginType(s) | |||
| return err == nil | |||
| } | |||
|
|
|||
| func (c *PluginCatalog) getBuiltinVersion(pluginType consts.PluginType, pluginName string) string { | |||
There was a problem hiding this comment.
I moved this function to more central place so it could be used more easily. It didn't really need access to the pluginCatalog to work.
| // don't override a manually specified plugin version | ||
| // but if it is empty, then add in the self-reported version for informational purposes | ||
| if config.PluginVersion == "" { | ||
| config.PluginVersion = dbw.Version().Version |
There was a problem hiding this comment.
I think this could cause issues the next time the config is updated if it's different to the version we did the initial lookup with, as next time we'll lookup the reported version and maybe get a different entry from the catalog. Could we call this method as we're registering the plugin, and either a) Use the reported version in the catalog if none was provided or b) Error if the reported version is different from the one provided? Then we shouldn't need to make any updates here as the catalog and reported versions will always match up.
It might be interesting to query the version from the plugin and validate that it's the version we think it should be or error out, though I can't think of any reason that would fail if we validate during plugin registration.
There was a problem hiding this comment.
It is definitely possible to add a check between PluginVersion and the self-reported version on registration.
I primarily added this because, if no version is specified on registration, it is otherwise impossible to tell what version of the plugin is running, and I wanted to expose this somewhere.
It doesn't even really make sense to have this information in the config at all, but there's no mount or auth table for database configs.
| b.Backend = &framework.Backend{ | ||
| PathsSpecial: paths, | ||
| BackendType: btype, | ||
| b.Backend = &placeholderBackend{ |
There was a problem hiding this comment.
placeholderBackend.IsExternal() always returns true, but the function comment for Backend implies the backend could be builtin. Not sure if I'm just misreading though?
There was a problem hiding this comment.
Ah, you're right, the placeholder is used even for builtin plugins. I'll see if I can just forward the IsExternal method.
sdk/logical/version.proto
Outdated
| } | ||
|
|
||
| // Versioned is an optional RPC service implemented by plugins. | ||
| service Versioned { |
There was a problem hiding this comment.
WDYT about PluginVersion to differentiate from Vault version and protocol version?
sdk/logical/version.proto
Outdated
| // VersionReply is the reply for the Version method. | ||
| message VersionReply { | ||
| string plugin_name = 1; | ||
| string version = 2; |
There was a problem hiding this comment.
I originally wanted to use version everywhere, so started sprinkling that around. But then we've found a couple of places where we need to use plugin_version to avoid ambiguity. I'm wondering if we should standardise on plugin_version everywhere for consistency, and for an abundance of clarity?
There was a problem hiding this comment.
I think that makes sense. I'll rename it.
| return logical.EmptyVersion | ||
| } | ||
| } | ||
| b.Logger().Warn("Unknown error getting plugin version", "err", err) |
There was a problem hiding this comment.
Something would have to go seriously wrong for this to happen, which makes me a bit nervous to only log it server-side and continue. I see Type does something similar above, but perhaps it's worth adding an error return value to our new interface signature before we first ship it so that we have an easier time if we have need for it at a later date. WDYT?
There was a problem hiding this comment.
I was trying to mimic Type's relative safety -- worst case scenario, the Version will just return "". I can think of few reasons why this might fail, like if the plugin dies or is running too slowly.
(Type won't even log a warning if an error occurs. :))
I'm open to adding an error return though; I was just trying to keep it as simple as possible.
There was a problem hiding this comment.
Yeah it's definitely nice to have that simplicity. I was thinking a little of possible future changes to the plugin architecture, e.g. what if we wanted to support remote plugins where transport errors might become less unusual. It's perfectly possible the error will never be a particularly useful part of the API though, so I'm not 100% about it.
* Change changelog to improvement * Make IsExternal configurable for plugin placeholder * Start changing version to pluginVersion everywhere
swenson
force-pushed
the
vault-8143/plugin-version-grpc
branch
from
7e7581a
to
0e6d9e6
Compare
|
@tomhjp I think I addressed your concerns. PTAL. |
|
Thanks! |
Added a version interface in the
sdk/logicalso that it can be shared between all plugin types, and then wired it up toRunningVersionin the mounts, auth list, and database systems.I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate
RunningVersion:Version()method implemented, then that is usedgo.modversion is usedMy apologies for the length of this PR.