Add Stripe client telemetry to request headers

[jameshageman-stripe]

Follows stripe/stripe-ruby#696, stripe/stripe-php#549, and stripe/stripe-python#518 in adding telemetry metadata to request headers.

The telemetry is disabled by default, and can be enabled per-client like so:

backend := stripe.GetBackendWithConfig(
	stripe.APIBackend,
	&stripe.BackendConfig{
		URL: "https://api.stripe.com/v1",
		EnableTelemetry: true,
	},
)

or globally by setting

stripe.EnableTelemetry = true

cc @dcarney-stripe @bobby-stripe

[brandur-stripe]

Hey @jameshageman-stripe, mostly looks great. Thanks!

We try to have this sort of option configurable at the backend-level though so that you could turn it on without changing global state. Could you try tweaking this to copy the model established by say Logger in that there's a global option, but it's also in BackendConfig so that a user could request it with GetBackendWithConfig without touching global state?

ptal @jameshageman-stripe

[brandur-stripe]

Because networkRetriesSleep above has its own comment, could you just add a newline above this one just to show that it's not part of the same group?

[brandur-stripe]

Let's call this requestMetrics instead so that it's not exported outside the package (whether the first letter is lower case or upper case determines this).

[jameshageman-stripe]

I initially did make RequestMetrics private, however I wanted the tests to ensure that I could unmarshal the sent metrics back into this struct. Do you think it's ok to omit that check? Otherwise, I could duplicate the requestMetrics definition in stripe_test.go for the sake of unmarshaling.

[brandur-stripe]

Oops, sorry I missed this.

I actually forgot that stripe_test.go is in its own stripe_test package. IMO, we should probably just put it in stripe. All the tests in subpackages are just in the same namespace as their accompanying file (customer/, charge/, form/, etc.) and even most of the *_test.go in the top-level package are as well.

[brandur-stripe]

This one is unlikely to happen, but let's not swallow errors just in case we introduce something in the future that becomes difficult to debug because we're throwing some message away. Observe err and handle if it's non-nil like elsewhere.

[brandur-stripe]

Just for cleanliness, could you create a wrapper struct for this one instead of manually assembling the JSON string (maybe requestTelemetry)?

[jameshageman-stripe]

@brandur-stripe updated! Left one unresolved comment re: RequestMetrics visibility.

[jameshageman-stripe]

cc @akropp-stripe

[brandur-stripe]

Thanks for the updates!

And oops — unfortunately I overlooked something major on the last review, which as that as implemented, this is extremely unsafe from a concurrency perspective (which is fairly important from Go). As multiple Goroutines make requests, they'll all be vying to write lastRequestMetrics. Similarly as new requests are being issued, what's in lastRequestMetrics at any given moment is anybody's guess. Wrapping accesses in a mutex isn't enough because even with that, the values being read and written will be so volatile.

It's not super obvious to me how to solve this one well (maybe a bounded queue?), but we'll need to rethink the approach.

[jameshageman-stripe]

That's a good point! Just using a mutex around the value would cause metrics to be discarded if multiple calls finished at the same time. It doesn't seem like a huge deal if metrics are missed, but it would be nice to handle concurrency in some capacity.

Perhaps we could use a buffered channel to keep a finite amount of request metrics around (say, 16?), but only perform non-blocking writes to the channel and discard the metrics when the channel is full. Likewise, new requests can pull a requestMetrics struct off the channel if it is not empty. This would allow concurrently produced metrics to be kept around, without introducing any blocking calls and unbounded memory allocations. Let me know how that sounds to you.

While we're at it, I'd like to try to add a test that detects the existing data race.

[brandur-stripe]

Perhaps we could use a buffered channel to keep a finite amount of request metrics around (say, 16?), but only perform non-blocking writes to the channel and discard the metrics when the channel is full. Likewise, new requests can pull a requestMetrics struct off the channel if it is not empty. This would allow concurrently produced metrics to be kept around, without introducing any blocking calls and unbounded memory allocations. Let me know how that sounds to you.

Yep, that sounds good to me.

One minor tweak that might be worth considering: a circular buffer would probably be slightly better here than a simple buffered channel because in the case where it's full, we'd favor more recent data points instead of older data points (which seems appropriate). That said, probably not worth adding a dependency for.

[jameshageman-stripe]

@brandur I think we could accomplish something similar in pure go without a dependency. On write, if the buffer is full, we could spin up a goroutine to push an element into the buffer and simulaneously pop the oldest element off. It introduces an ephemeral goroutine, but it would allow more recent metrics to have priority.

Something like this:

// after a request is made in BackendImplementation#Do()

metrics := requestMetrics{
	RequestID:         reqID,
	RequestDurationMS: requestDurationMS,
}

select {
case s.prevRequestMetrics <- metrics:
	// Non-blocking insert succeeded, buffer was not full.
default:
	// Buffer was full, so pop off the oldest value and insert a newer one.
	// This is done in a goroutine to prevent blocking the client.
	go func() {
		<-s.prevRequestMetrics
		s.prevRequestMetrics <- metrics
	}()
}

I'm not sure how I feel about spawning a whole new goroutine for this, so I'd like to know your thoughts.

[brandur-stripe]

I'm not sure how I feel about spawning a whole new goroutine for this, so I'd like to know your thoughts.

Nice idea!

I think though that you'd still have a potential race that might cause the new Goroutines to live longer than you'd want them to. These two lines are not guaranteed to run atomically:

<-s.prevRequestMetrics
s.prevRequestMetrics <- metrics

So after the ephemeral Goroutine pulls a value out of the channel, another Goroutine could sneak in and push its own value in, which would leave the ephemeral Goroutine waiting on s.prevRequestMetrics <- metrics.

My general feeling is that it's a little heavy-handed spinning up ephemeral Goroutines for this anyway.

I was just Googling and found this article from Pivotal on implementing a channel-based ring buffer. It's actually very similar to what you suggested, except there's just a single Goroutine in charge of managing the ring, which avoids potential races. Honestly not sure if this is a good idea or not, but it seems pretty workable.

[jameshageman-stripe]

Cool! Between the Pivotal channel-based ring buffer and using container/ring with mutexes, I'd opt for the channel solution.

I'll try it out in this PR and we can decide if we like it better than non-circular buffers.

[jameshageman-stripe]

The circular buffer solution (added in 7f09c4a) was passing the normal tests, but it was failing unexpectedly on the coverage tests. It would fail on this assertion:

stripe-go/stripe_test.go

Line 252 in 7f09c4a

assert.True(t, len(telemetryStr) > 0, "telemetryStr should not be empty")

I think this indicates that the telemetry pushed into the inputChannel by the first request had not yet been passed to the outputChannel by the ringBuffer's run() goroutine.

However, this seems like it would be an unpredictable race condition based on the specific goroutine scheduling. Therefore I'm confused why it happened consistently on coverage tests but never on normal tests (in CI or on my laptop).

I'll try adding some extra logging to investigate.

[jameshageman-stripe]

My guess was correct: there was a synchronization issue. My initial implementation of ringBuffer did asynchronous writes, so the first request's metrics hadn't necessarily been placed on the outputChannel by the time the second request was kicked off (it all depended on go scheduling/time slicing).

I've added synchronous writes by having the client wait on a done channel, but I feel like this solution has become more complicated than simply wrapping the following in a mutex guard:

<-s.prevRequestMetrics
s.prevRequestMetrics <- metrics

I think I'd prefer to go back to one a single channel solution and add a mutex.

[jameshageman-stripe]

@brandur Alright, I think this is ready for re-review. Since you last commented, the following has changed:

• I implemented a circular buffer of requestMetrics using a single channel and a mutex.
• EnableTelemetry can be passed into GetBackendWithConfig via the BackendConfig struct, which allows individual clients to have telemetry enabled.
• I l(re-)added a global stripe.EnableTelemetry flag that will enable telemetry headers to all clients instead of a single Backend.
• I did not change the package in stripe_test.go from stripe_test to stripe, because that change would end up adding a large diff to an already large PR. Instead, I duplicated the requestMetrics and requestTelemetry headers into the one test that used them.

[bobby-stripe]

@jameshageman-stripe I like how clever this is to avoid taking a lock when reading the buffer, but I think as-is there is the (remote but possible) possibility of a deadlock:

goroutine 1:
locks requestMetricsMutex
attempt to write to requestMetricsBuffer, but it is full, fall through to the default case on line 982
goroutine 1 descheduled

goroutine 2..n:
read from requestMetricsBuffer until it is empty (because the user's application has issued a burst of API requests, or something)

goroutine 1:
rescheduled
attempt to read from <-s.requestMetricsBuffer, which will block

goroutine 1 is now blocked waiting for a metric to appear on the channel, but nobody else will be able to write to the channel as requestMetricsMutex is held (all incoming requests will now also deadlock, waiting on that mutex).

I think this can be addressed by changing:

<-s.requestMetricsBuffer

to

select {
case _ = <-s.requestMetricsBuffer:
default:
}

So that we don't do a blocking channel read with the mutex held (along with a big fat comment), but maybe its worth considering if this is too clever and we should unconditionally grab the mutex for all reads + writes of s.requestMetricsBuffer

Unless I'm reading this wrong and there is nothing to worry about, which is possible!

[jameshageman-stripe]

@bobby-stripe @dcarney-stripe and I had some further discussion in person that I thought I'd share.

The circular buffer implementation has grown in complexity enough to warrant it's extraction from the stripe.go package, due to the required coordination between multiple channels, goroutines, and/or mutexes depending on the implementation. The complexity of implementing a safe, concurrent circular buffer led us to discuss the reasoning for using a circular buffer over a regular FIFO channel. Some points:

• With a circular buffer, the oldest request metrics get dropped when the buffer is full
• With a regular channel, the newest request metrics get dropped when the buffer is full
• The buffer only fills up when there are concurrently executing requests
• When we send a requestMetrics struct, it is already for a past request. The gap between recording a request metric and sending it could be on the order of minutes if the client is not sending many requests.
• We do not expect or require delivery of metrics for every request
• Using a circular buffer would reduce the average time between a request being recorded, but it does not stop clients from potentially sending requestMetrics that are many minutes old.

With these points in mind, I think it's worth reconsidering using a standard FIFO channel instead of a circular buffer, as the benefit (slightly younger request metrics on average) may not outweigh the added complexity.

[brandur-stripe]

With these points in mind, I think it's worth reconsidering using a standard FIFO channel instead of a circular buffer, as the benefit (slightly younger request metrics on average) may not outweigh the added complexity.

Yeah, fair enough.

I think the circular buffer would be slightly better implementation, but things change given that it's not that easy. I totally buy the complexity argument, and even with thorough review, there's still a much higher chance of introducing a bug with our own buffer implementation than just using a standard channel.

I'm +1 going back to FIFO channel if you guys are. Thanks for looking into it at least!

[jameshageman-stripe]

Reverted back to a simple FIFO channel.

r? @brandur-stripe

[brandur-stripe]

Awesome! Left a couple minor comments, but looking great. Thanks for the updates!

[brandur-stripe]

Can you move this up a couple lines? (The constant names are ordered alphabetically so let's try to keep them that way.)

[dcarney]

Also, would you mind amending the comment to mention that additional objects will be dropped if the buffer is full? It'll make it extra clear what the lib does when the buffer is full (as opposed to other behaviors like growing the buffer, or sending metrics synchronously, etc.)

(I know you mention that at the site where the channel is actually written to, but I think it'd be helpful to have here as well).

[brandur-stripe]

Thanks for the comment!

[brandur-stripe]

Likewise, can you put EnableTelemetry into the right place alphabetically?

[brandur-stripe]

Can we just use start? All that's happening between the two is some structs being initialized locally. In practice it's likely to have a negligible effect on timing, and I don't think it's worth complicating the code over.

[dcarney]

nit: might be worth amending this comment to point out that this default case needs to be here to enable a non-blocking receive on the channel. Wouldn't want some over-zealous refactorer to remove it, thinking that it was an innocuous block.

[dcarney]

It's initially unclear why this loop executes twice. Can you add a quick comment that explains that it's because the telemetry comes from the previous completed request/response?

[dcarney]

Great test. 👍 I love Go's httptest package!

[dcarney]

👍

[dcarney]

@jameshageman-stripe This is looking great! Most of my comments were small little nitpicks about comments.

I think the general concept of using the simple buffered channel is the way to go, and led to some very clean code. We can always revisit this if we decide to do something more sophisticated.

[jameshageman-stripe]

@dcarney @brandur-stripe Thanks for your feedback! I think I've addressed all of the comments, and I just added another assertion that checks that we actually measure request duration.

Let me know if you see anything else you'd like to discuss :)

[brandur-stripe]

Awesome — LGTM. Thanks for all the hard work here James!

[brandur-stripe]

Released as 55.12.0.