Skip to content

PYTHON-3313 Cache AWS Credentials Where Possible #982

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 78 commits into from
Oct 12, 2022
Merged

PYTHON-3313 Cache AWS Credentials Where Possible #982

merged 78 commits into from
Oct 12, 2022

Conversation

blink1073
Copy link
Member

No description provided.

ShaneHarvey
ShaneHarvey requested changes Jun 24, 2022
View reviewed changes
test/auth_aws/test_auth_aws.py Outdated
with MongoClient(self.uri) as client:
client.get_database().test.find_one()
pool = get_pool(client)
pool.reset()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove the get_pool/reset logic?

test/auth_aws/test_auth_aws.py Outdated
pool.reset()
with mock.patch.dict(os.environ, {}, clear=True):
with MongoClient(self.uri) as client:
client.get_database().test.find_one()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this test supposed to fail without caching? If so it would be good to make that explicit by asserting that this fails initially:

        # Auth fails without env variables.
        with mock.patch.dict(os.environ, {}, clear=True):
            with MongoClient(self.uri) as client:
                with self.assertRaises(OperationFailure):
                    client.get_database().test.find_one()

        # Auth succeeds and caches credential.
        with MongoClient(self.uri) as client:
            client.get_database().test.find_one()
        # Auth succeeds with cached credential.
        with mock.patch.dict(os.environ, {}, clear=True):
            with MongoClient(self.uri) as client:
                client.get_database().test.find_one()

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may not be possible to test. We don't cache when the creds environment variables are given directly, which is why those tests are failing. We have no way of knowing if cached creds were used on EC2 without using requests-mock which seems like too much of invasion into implementation details.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We at least need to test what we can. For example, the cache reset on auth failure logic. We can use failCommand to trigger a server side auth failure.

Would it be possible to use the connectionStatus command to determine which credential was authed?

>>> client.admin.command('connectionStatus')
{'authInfo': {'authenticatedUsers': [...]

https://www.mongodb.com/docs/manual/reference/command/connectionStatus/#mongodb-data-connectionStatus.authinfo.authenticatedUsers

Probably not I suppose, since I imagine different temp creds will map to the same database level user.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or a test that "poisons" the cache with invalid creds. The first auth attempt should fail and clear the cache, the next attempt should generate a new cred and succeed.

@blink1073 blink1073 requested a review from ShaneHarvey August 23, 2022 22:16
ShaneHarvey
ShaneHarvey reviewed Aug 30, 2022
View reviewed changes
Copy link
Member

@ShaneHarvey ShaneHarvey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be updated to use the new set_use_cached_credentials api now: mongodb/pymongo-auth-aws#11

@blink1073
Copy link
Member Author

This can be updated to use the new set_use_cached_credentials api

Done

@blink1073 blink1073 requested a review from ShaneHarvey August 30, 2022 19:28
ShaneHarvey
ShaneHarvey reviewed Aug 30, 2022
View reviewed changes
@blink1073 blink1073 requested a review from ShaneHarvey August 31, 2022 16:54
@blink1073
Copy link
Member Author

This is ready for review. The remaining failure is tracked by https://jira.mongodb.org/browse/PYTHON-3468

ShaneHarvey
ShaneHarvey reviewed Oct 11, 2022
View reviewed changes
Copy link
Member

@ShaneHarvey ShaneHarvey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM but could you add a changelog entry too?

@blink1073
Copy link
Member Author

could you add a changelog entry too?

Done

@blink1073 blink1073 requested a review from ShaneHarvey October 11, 2022 22:13
@blink1073 blink1073 merged commit 4a5e0f6 into mongodb:master Oct 12, 2022
@blink1073 blink1073 deleted the PYTHON-3313 branch October 12, 2022 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ShaneHarvey ShaneHarvey ShaneHarvey approved these changes

@juliusgeo juliusgeo Awaiting requested review from juliusgeo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@blink1073 @ShaneHarvey