Chore/add authz caching #432
The style in this PR agrees with This formatting comment was generated automatically by a script in uc-cdis/wool.
Pull Request Test Coverage Report for Build 13844442420
💛 - Coveralls
Please find the ci env pod logs here
Please find the detailed integration test report here
Please find the ci env pod logs here
.github/workflows/ci.yaml
Outdated
@@ -29,6 +29,8 @@ jobs: | |||
ImageBuildAndPush: | |||
name: Build Image and Push | |||
uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master | |||
with: | |||
BUILD_PLATFORMS: "linux/amd64" |
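Review bot: The `BUILD_PLATFORMS: "linux/amd64"` override under `with:` is unrelated to authz caching and has no comment saying why the image build is narrowed to a single platform. Either move it out of this PR or add a YAML comment above `with:` stating the reason, so the restriction is a recorded decision rather than a side effect.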
not building linux/arm64 isn't great for people with m1 macs trying to run images locally (like myself) - is this a recommendation from the SDET or PE teams?
“It wasn’t—I mixed it up with the thread about _native.yaml. I’ll update it accordingly.”
sheepdog/auth/__init__.py
Outdated
authz = flask.current_app.auth.auth_request( | ||
jwt=jwt, service="sheepdog", methods=roles, resources=[resource] | ||
) | ||
cache_key = str(hash((jwt, "sheepdog", tuple(roles), (resource)))) |
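Review bot: On the `cache_key` line, `str(hash(...))` reduces the JWT, roles and resource to Python's built-in non-cryptographic hash (at most 64 bits), so two different requests can map to the same key and a cached authz decision for one could be returned for the other. Also, `(resource)` is a plain parenthesised value, not a one-element tuple. Key the cache on the full tuple `(jwt, "sheepdog", tuple(roles), resource)` or on a SHA-256 digest of an unambiguous encoding of it.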
i'm a bit unsure about using the hash function here, we shouldn't take any risks with authz checks and from a quick google search there's a "high" risk of collision. A long key that includes the whole JWT worked fine for orthanc, could we do that here? If not, maybe the username or user ID?
Thanks for pointing this out! I didn’t realize hash was so prone to collisions. I’ll replace it with an underscore-separated string, similar to how it’s handled in Orthanc.
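An added example (not code from this PR or from sheepdog) of the cache-key question discussed in this thread: it shows that a separator-joined key can be ambiguous when a component contains the separator, and builds an unambiguous SHA-256 key for a short-lived authz cache. `naive_key`, `authz_cache_key` and `TTLCache` are hypothetical names, and the 1-second TTL is taken from the PR description.

```python
import hashlib
import json
import time


def naive_key(jwt, service, methods, resource):
    # Separator-joined key: ambiguous if any component contains "_".
    return "_".join([jwt, service, *methods, resource])


def authz_cache_key(jwt, service, methods, resource):
    """Unambiguous, collision-resistant key for one authz decision."""
    # JSON keeps component boundaries explicit. Sorting the methods is an
    # assumption here: method order does not change the decision.
    canonical = json.dumps(
        [jwt, service, sorted(methods), resource],
        separators=(",", ":"), ensure_ascii=True,
    )
    # Hashing keeps the raw token out of the cache's key space.
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class TTLCache:
    """Minimal in-process cache; entries expire after `ttl` seconds."""

    def __init__(self, ttl=1.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._data = {}

    def get_or_call(self, key, fn):
        now = self.clock()
        hit = self._data.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        value = fn()
        # Cache only explicit allow/deny results; exceptions propagate
        # uncached and non-boolean values are never stored.
        if isinstance(value, bool):
            self._data[key] = (now, value)
        return value
```

Exceptions raised by the wrapped authz call are not cached, so a transient backend failure is retried on the next request instead of being served for the rest of the TTL.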
sheepdog/auth/__init__.py
Outdated
# The caching library raises an UnboundLocalError during unit tests due to a known bug. | ||
# This workaround prevents the error from occurring in test environments. | ||
except UnboundLocalError as e: | ||
logger.error("Catching error caused by caching library: {}".format(e)) | ||
authz = flask.current_app.auth.auth_request( | ||
jwt=jwt, service="sheepdog", methods=roles, resources=[resource] | ||
) |
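Review bot: The `except UnboundLocalError` branch puts a test-environment workaround into the production authz path, so any genuine `UnboundLocalError` raised inside the cached call is logged and then answered by a second, uncached `auth_request`, which can hide real bugs. Fix the test mock instead; if the workaround has to stay, the comment should link the known bug it refers to.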
any way we could move this to the unit tests, then?
and please add a link to the known bug - github issue or such
I’ve removed the try-except block entirely and instead fixed mock_auth_request to ensure it returns True or raises an AuthzError as expected.
sheepdog/auth/__init__.py
Outdated
logger.info( | ||
f"Retrieveing response from arborist: {authz} with {type(authz)=}" | ||
) |
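Review bot: The `logger.info` line writes `authz` and `type(authz)` at info level, which reads as leftover debugging output and would add noise to the service log around authorization checks; `Retrieveing` is also misspelled. Remove the call before merge, or demote it to `logger.debug` with the spelling corrected.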
Retrieving
typo - and i don't think this log is necessary, it would clutter the sheepdog logs. I think you're using it to debug unit tests? let's remove it when you're done
deployment/wsgi/gunicorn.conf.py
Outdated
workers = 2 | ||
preload_app = False | ||
user = "gen3" | ||
group = "gen3" | ||
timeout = 300 | ||
keepalive = 2 | ||
keepalive_timeout = 5 | ||
graceful_timeout = 45 | ||
keepalive = 10 | ||
pidfile = "/sheepdog/gunicorn.pid" |
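Review bot: `keepalive` appears twice in this hunk (`keepalive = 2` and `keepalive = 10`); if both assignments remain in the file the later one silently wins, so keep only the intended value. Please also confirm that `keepalive_timeout` is a setting Gunicorn actually reads, and note that none of these worker and timeout values relate to authz caching, so they are easier to review and roll back in their own change.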
could/should these changes be moved to a different PR?
I think in terms of bigger picture all of them are solving a single problem of solving sheepdog crashes. But I get it, i can put that as a different PR to avoid confusion in the future.
Here we go -- Update gunicorn config to improve sheepdog's responsiveness #433
Link to JIRA ticket if there is one: MIDRC-946
Improvements
Cache arborist requests for 1 second to reduce multiple frequent requests.
"linux/amd64" as the build platform to increase CI speed