-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
limitations do not appear to have standard implementation for enforcement #30
Comments
I think at this point, those mechanisms are still too much of an open question to have concrete answers. Eventually, these will be specified and we will have a test suite you can run against your implementation to ensure it is compliant. For an example of such a test suite you can look at the one for Trace Context. I know this isn't a great answer but I hope I didn't completely miss the mark here. |
This is a great question, and we discussed it on the weekly call today. Let's discuss the following here in this issue and then make a decision:
I like the .Net implementation for the following reasons:
Thoughts? |
My initial thoughts are that the header should just be an "unordered bag" kv pairs, and that if you are making a request to an untrusted service, you should drop the whole header if you are worried about security sensitive keys. This implies that you cannot drop old keys to insert a new one when the bag is full, since there is no way of knowing which keys are oldest or newest to determine drop order. That said, i think these requirements should be SHOULD and not MUST, and allow for application developers to specify their own rules if they have a need for it. In some applications, for instance, the app may know which keys are "low value" and can be dropped in order to make room for "high value" keys. Regarding modification of keys, I'm not sure I see the benefit of disallowing key modification. This seems like a decision best left up to individual application developers.
True that there is no way to warn the edge service that the key was dropped or modified, but this is also true of dropping the whole header. Presumably, if a tier n service overwrites a key set in tier 0, it had a good reason for doing so. My understanding of the baggage mechanism is that it is meant to be used within an application, and not meant to be arbitrarily propagated through third party services the way Trace Context is, so you don't have to trust a third party to propagate your key unmodified. As the application developer, you have control over your own keys and if they are mutated/dropped. |
I agree that at the spec level it's very hard to come up with a universal truncation strategy. It should be left to the applications and the SDKs implementing the baggage API. The SDKs can be shipped with a number of available strategies, such as
But this spec should not dictate the algorithm, just the limits. So it is a MUST that applications cannot produce header that violates the limits, but neither SHOULD nor MUST about how they do it (perhaps MAY with the above strategies as examples). |
Also +1 for just unordered bag of kv pairs. If we support modifiers like Also, I do not see why unsetting a key should be prohibited. After all, this might be the desired behavior of the specific cross-cutting concern, e.g. propagating a fault injection or a breakpoint to a specific place in the architecture, but not further. |
SGTM |
When describing this as an "unordered list", are we implying that order is not significant? |
Yes
Also yes :)
If this is the case, we should specify what it means to have a duplicate key. Given header
If we are going to allow duplicates, I would probably lean toward Another option is to disallow or discourage duplicate keys. A sender SHOULD NOT send duplicate keys, possibly with an exception that they MAY if in a performance-sensitive context, and a receiver MUST expect that duplicate keys are a possibility. This makes key order significant only from a parsing perspective, but leaves the door open to edge cases like what @michaeltlewis described.
That section describes concatenating two arbitrary HTTP headers together. It specifies to preserve order because when combining arbitrary headers you cannot know if the order of the header you are combining is important or not, so the default assumption is that it is important. It doesn't necessitate that the headers being combined are order-important though. |
I would argue against allowing duplicate keys. This is not just a matter of the header syntax, but also of the many existing "baggage" APIs (e.g. in OpenTracing and OpenTelemetry), which expect strict maps, not multi-maps. We'd still need to decide if header with dup keys must be treated as invalid or transformed into a strict map with either first-wins or last-wins deduplication. I suspect that existing implementation of baggage usually implement last-wins, since it's the simplest to implement by just populating a map structure as you read KVs from the header. |
The standard should be clear about how systems should propagate the baggage header and in particular how ordering and duplicate keys should be handled. That said, can we not leave the interpretation of duplicates of particular keys, and of order for that matter, to the consumers of this data? If some systems (e.g. in OpenTracing and OpenTelemetry) can't handle duplicates then they are free to deduplicate by whatever means, but other systems will benefit from having duplicates transported to them in a consistent (ie order preserved) manner. I note that https://w3c.github.io/baggage/#list currently requires that duplicates are preserved, although discouraged - exactly as @dyladan suggested. This seems fine to me - I would just like to see order preserved (during propagation) as well. |
@michaeltlewis in our meeting on 2020-09-08 we agreed that while we don't aim to specify all corner cases, we will provide non-normative recommendation on how to handle them. |
The spec now defines minimum limits rather than maximum limits. So, implementations must propagate at least the values for the defined minimum limits. @dyladan will be adding some additional information here. |
Limits are clarified in #113 |
Looking for a standard implementation spec for enforcing limitation standards. What can a client do to ensure that it is uniformly carrying out this list of concerns, so that every client touching these headers performs the same set of actions upstream.
Example.
Size limit reached. Should a client perform a FIFO, and append the new key=value to the header?
The text was updated successfully, but these errors were encountered: