Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(accesscontrol): deterministic cache key hashing #292

Merged
merged 14 commits into from
Oct 28, 2024
Merged

refactor(accesscontrol): deterministic cache key hashing #292

merged 14 commits into from
Oct 28, 2024

Conversation

aruiz14
Copy link
Contributor

@aruiz14 aruiz14 commented Oct 9, 2024
edited
Loading

Issue: rancher/rancher#47460

Problem

The current AccessFor implementation calculates the cache key for a given user based on the resource version of Roles/ClusterRoles associated via RoleBindings/ClusterRoleBindings. While this is correct, in the case of a cache miss that information that was previously used to calculate the hash is no used but instead retrieved again. Finally, the previously-calculated hash is used as key to store the generated AccessSet into the cache.

This approach Introduces the chance for a race condition, which this PR is meant to fix by using the same data used to calculate the hash to later generate the AccessSet in case of a cache miss.

Summary

  • Small refactoring of some internal functions to allow reusing them
  • Add new types for encapsulating all needed data
  • Make accessStore use the new types and method
  • Cleanup unused code and adapt tests to new signatures
  • Add new comments to structs and methods
  • Refactor PolicyRules' indexer to make it easier to read and more testable

(please take a look at the commits view for more details)

@aruiz14 aruiz14 requested review from moio and tomleb October 9, 2024 09:21
@aruiz14 aruiz14 requested a review from a team as a code owner October 9, 2024 09:21
@aruiz14 aruiz14 changed the title refactor(accesscontrol): make addAccess directly accept PolicyRules refactor(accesscontrol): deterministic cache key hashing Oct 9, 2024
@aruiz14 aruiz14 mentioned this pull request Oct 9, 2024
Merged
ericpromislow
ericpromislow requested changes Oct 9, 2024
View reviewed changes
Copy link
Contributor

@ericpromislow ericpromislow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine, apart from a trivial typo

ericpromislow
ericpromislow previously approved these changes Oct 10, 2024
View reviewed changes
Copy link
Contributor

@ericpromislow ericpromislow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thx

bigkevmcd
bigkevmcd previously approved these changes Oct 24, 2024
View reviewed changes
Copy link

@bigkevmcd bigkevmcd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've gone over this in fine detail, and it looks fine.

It improves the test coverage a fair bit, but there's still a lot of untested code that we can address when we next touch these files.

pkg/accesscontrol/access_store.go Show resolved Hide resolved
pkg/accesscontrol/access_store.go Outdated Show resolved Hide resolved
pkg/accesscontrol/access_store_test.go Show resolved Hide resolved
pkg/accesscontrol/policy_rule_index_test.go Show resolved Hide resolved
@aruiz14 aruiz14 dismissed stale reviews from bigkevmcd and ericpromislow via 818ff7a October 24, 2024 13:48
@aruiz14
refactor(accesscontrol): make addAccess directly accept PolicyRules
4b77b14
@aruiz14
refactor(accesscontrol): add new types for encapsulating all needed data
2a8ad1d
@aruiz14
refactor(accesscontrol): make getRules return resource version
4e29602
@aruiz14
refactor(accesscontrol): add new getRoleRefs to policyRuleIndex
f9ad35f
@aruiz14
refactor(accesscontrol): make accessStore use the new types and method
1299042
@aruiz14
cleanup(accesscontrol): remove unused code
689bd3d
@aruiz14
cleanup(accesscontrol): adapt tests
fa4b64d
@aruiz14
cleanup(accesscontrol): add some comments and remove unused function
f6b7967
@aruiz14
refactor(accesscontrol): rework indexer to make it more readable and …
1769917 
…testable
@aruiz14
Fix typo
c319eca
@aruiz14
test: consistent use of t.Error
cb61f2a
@aruiz14
test: refactor policyRulesMock to just use a map
77f54bf
@aruiz14
misc: rename toUserInfo function
8e7747f
@aruiz14
refactor: consistent sort by UID
f2f43a2
@aruiz14
Copy link
Contributor Author

aruiz14 commented Oct 24, 2024

@ericpromislow please take another look, I've addressed Kevin's feedback but it didn't affect core of this PR.

ericpromislow
ericpromislow approved these changes Oct 25, 2024
View reviewed changes
Copy link
Contributor

@ericpromislow ericpromislow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works and looks ok

@olblak olblak merged commit fd9a516 into rancher:main Oct 28, 2024
1 check passed
@aruiz14 aruiz14 deleted the deterministic-cacheKey branch October 28, 2024 08:41
@aruiz14 aruiz14 mentioned this pull request Oct 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bigkevmcd bigkevmcd bigkevmcd approved these changes

@ericpromislow ericpromislow ericpromislow approved these changes

@moio moio Awaiting requested review from moio

@tomleb tomleb Awaiting requested review from tomleb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aruiz14 @ericpromislow @bigkevmcd @olblak