Fix --remote-auth-plugin and --remote-oauth-bearer-token-path to execute every run with Pantsd
#12020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…execute every run with Pantsd
|
How I tested this: diff --git a/pants.toml b/pants.toml
index f147114fe..40451c99e 100644
--- a/pants.toml
+++ b/pants.toml
@@ -53,7 +53,7 @@ build_ignore.add = [
# NB: Users must still set `--remote-cache-{read,write}` to enable the remote cache.
remote_store_address = "grpcs://cache.toolchain.com:443"
remote_instance_name = "main"
-remote_auth_plugin = "toolchain.pants.auth.plugin:toolchain_auth_plugin"
+remote_auth_plugin = "pants.backend.python.goals.pytest_runner:auth"
[anonymous-telemetry]
enabled = true
diff --git a/src/python/pants/backend/python/goals/pytest_runner.py b/src/python/pants/backend/python/goals/pytest_runner.py
index 7b2245fd7..25abd028b 100644
--- a/src/python/pants/backend/python/goals/pytest_runner.py
+++ b/src/python/pants/backend/python/goals/pytest_runner.py
@@ -59,7 +59,7 @@ from pants.engine.process import (
from pants.engine.rules import Get, MultiGet, collect_rules, rule
from pants.engine.target import TransitiveTargets, TransitiveTargetsRequest
from pants.engine.unions import UnionRule
-from pants.option.global_options import GlobalOptions
+from pants.option.global_options import AuthPluginResult, AuthPluginState, GlobalOptions
from pants.python.python_setup import PythonSetup
from pants.util.logging import LogLevel
@@ -308,3 +308,10 @@ async def debug_python_test(field_set: PythonTestFieldSet) -> TestDebugRequest:
def rules():
return [*collect_rules(), UnionRule(TestFieldSet, PythonTestFieldSet)]
+
+
+def auth(initial_execution_headers, initial_store_headers, options, env):
+ logger.error("HELLO!")
+ import datetime
+
+ return AuthPluginResult(AuthPluginState.OK, {"foo": str(datetime.datetime.now())}, {})Then running |
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
Thanks integration test!! # Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
Eric-Arellano
added a commit
to Eric-Arellano/pants
that referenced
this pull request
May 7, 2021
…execute every run with Pantsd (pantsbuild#12020) As found in pantsbuild#12018, `--remote-auth-plugin` and `--remote-oauth-bearer-token-path` are both impure functions with side effects like reading from the file system. Consequently, it's necessary to rerun the two mechanisms every Pants run, even with pantsd. For example, currently, we will not pick up changes made to the oauth file unless you kill Pantsd. This PR fixes it so that we always do the correct things of re-evaluating the `DynamicRemoteExecutionOptions`. If those have changed from the prior Pantsd run, we re-initialize the scheduler. Naively, however, this has a negative implication for the Toolchain plugin. Because Toolchain's auth logic is stateless, it generates a new short-lived token every call, which updates `--remote-store-header`. That means that this PR will cause Pantsd to be invalidated every single run, making Pantsd useless. This will be fixed in a followup by passing the prior `AuthPluginResult` to the auth plugin function + allowing the plugin to set a token expiration time, which will allow the plugin to decide if it's safe to reuse the prior token. # Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
Eric-Arellano
added a commit
that referenced
this pull request
May 10, 2021
…rride `--remote-{store,execution}-address` (#12029)
#12020 results in auth plugins being executed every run of `./pants`, even when Pantsd is used.
While correct, that is a problem for auth plugins like Toolchain's that are stateless and give back a new token every time. Getting a new token changes the `store_headers`, which changes the bootstrap options sent over FFI to Rust to create the scheduler; we must reinitialize the scheduler in this case, which is slow.
Instead, we now pass `prior_result: AuthPluginResult | None` to the auth plugin hook, which allows plugins to recycle prior results if they'd like. We also allow plugins to set `expiration` on the `AuthPluginResult`, which is particularly useful for plugins deciding to recycle a token vs. generate a new one.
Finally, we allow the plugin to override `--remote-store-address` and `--remote-execution-address`, which isn't totally related to this PR but has been requested as a feature and is done here to reduce churn in the API.
Combined, this PR allows plugin authors to avoid the problem of invalidating Pantsd every run, while avoiding the problem that Pantsd blocked every regenerating tokens until a restart. Closes #12018.
[ci skip-rust]
[ci skip-build-wheels]
Eric-Arellano
added a commit
to Eric-Arellano/pants
that referenced
this pull request
May 10, 2021
…rride `--remote-{store,execution}-address` (pantsbuild#12029)
pantsbuild#12020 results in auth plugins being executed every run of `./pants`, even when Pantsd is used.
While correct, that is a problem for auth plugins like Toolchain's that are stateless and give back a new token every time. Getting a new token changes the `store_headers`, which changes the bootstrap options sent over FFI to Rust to create the scheduler; we must reinitialize the scheduler in this case, which is slow.
Instead, we now pass `prior_result: AuthPluginResult | None` to the auth plugin hook, which allows plugins to recycle prior results if they'd like. We also allow plugins to set `expiration` on the `AuthPluginResult`, which is particularly useful for plugins deciding to recycle a token vs. generate a new one.
Finally, we allow the plugin to override `--remote-store-address` and `--remote-execution-address`, which isn't totally related to this PR but has been requested as a feature and is done here to reduce churn in the API.
Combined, this PR allows plugin authors to avoid the problem of invalidating Pantsd every run, while avoiding the problem that Pantsd blocked every regenerating tokens until a restart. Closes pantsbuild#12018.
[ci skip-rust]
[ci skip-build-wheels]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As found in #12018,
--remote-auth-pluginand--remote-oauth-bearer-token-pathare both impure functions with side effects like reading from the file system. Consequently, it's necessary to rerun the two mechanisms every Pants run, even with pantsd. For example, currently we will not pick up changes made to the oauth file unless you kill Pantsd.This PR fixes it so that we always do the correct things of re-evaluating the
DynamicRemoteExecutionOptions. If those have changed from the prior Pantsd run, we re-initialize the scheduler.Naively, however, this has a negative implication for the Toolchain plugin. Because Toolchain's auth logic is stateless, it generates a new short-lived token every call, which updates
--remote-store-header. That means that this PR will cause Pantsd to be invalidated every single run, making Pantsd useless. This will be fixed in a followup by passing the priorAuthPluginResultto the auth plugin function + allowing the plugin to set a token expiration time, which will allow the plugin to decide if it's safe to resuse the prior token.