Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

authz: Clarity needed for few operations DURING Rotate() in progress #102

Closed
ssachinbharadwaj opened this issue Jul 24, 2023 · 3 comments
Closed

Comments

@ssachinbharadwaj
Copy link

In the authz spec, it is mentioned that the pushed policy becomes active immediately as below:

Because the policy uploaded during the gNSI.authz.Rotate() call becomes active
immediately, the gNSI.authz.Probe() can be used to check if the uploaded
policy provides the expected response without attempting performing the
(potentially destructive) RPC in question while the gNSI.authz.Rotate() is
still active (the stream is opened and the Finalize message has not been sent
yet.

This is fine for Probe() RPC because it has to be tested before finalize.

When the Rotate() is in progress (After upload and before finalize) what is the expectation for the below two use case:

  1. A real RPC such as /gnmi.gNMI/Get or /gnmi.gNMI/Subscribe. Should this be authorized based on the newly pushed sandbox policy (which has not yet received finalize maybe because the test phase is taking time) or the current active policy. Is the "Step 3 (optional): Test/Validation by the client." performed only using Probe() RPC or does the controller fires the actual RPC also to perform the test?
  2. What should Get() RPC return in this intermediate state? Unlike pathz, the GetRequest does not take the PolicyInstance parameter.
@haussli
Copy link
Contributor

haussli commented Jul 31, 2023

IMO, the new policy becomes active, period. Probe() is simply a way to test the policy without executing the RPC in the Probe; ie: /gnmi.gNMI/Subscribe would be tested against policy but not executed.

@morrowc
Copy link
Contributor

morrowc commented Aug 1, 2023

It sounds like the intention was:
"Rotate applies a new policy immediately, the rotator should test with probe() messages to see that their intended result is live, and finalize() when that's done"

Because 'live immediately', I expect that new rpcs between the start of Rotate() and Finalize() would be evaluated under the newly placed policy. If the policy failes Probe() tests (for instance) or there are signals to the rotator that: "Hey, half my RPCs are failing? wut?" the rotator may choose to not Finalize() and disconnect forcing the previous policy to take up the active role.

make sense?

@ssachinbharadwaj
Copy link
Author

Got it @morrowc. This answers my questions

In summary:
In the intermittent state, all of them(Probe(), real RPC and Get()) behave as per the new policy even though Finalize is not yet issued. This is in line with the spec which mentions "active immediately".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants