Auth Proxy: Include additional headers as part of the cache key #18298
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Auth proxy has support to send additional user attributes as part of the authentication flow. These attributes (e.g. Groups) need to be monitored as part of the process in case of change. This commit, changes the way we compute the cache key to include all of the attributes sent as part of the authentication request. That way, if we change any user attributes we'll upsert the user information.
gotjosh
changed the title
gotjosh
commented
Jul 30, 2019
| key = strings.Join([]string{key, header}, "-") // compose the key with any additional headers | ||
| }) | ||
|
|
||
| hashedKey := base32.StdEncoding.EncodeToString([]byte(key)) |
There was a problem hiding this comment.
The downside to introducing the hashing is that this will force a cache bust for all users. Potentially causing a resource spike within big installations.
gotjosh
commented
Jul 30, 2019
| @@ -274,6 +283,21 @@ func (auth *AuthProxy) LoginViaHeader() (int64, error) { | |||
| return upsert.Result.Id, nil | |||
| } | |||
|
|
|||
| // headersIterator iterates over all non-empty supported additional headers | |||
| func (auth *AuthProxy) headersIterator(fn func(field string, header string)) { | |||
There was a problem hiding this comment.
I'm happy to hear an opinion on this approach. Is very common within Ruby's enumerable library. Originally, I tried a function that converts the keys to a map and then other functions could just use it but this approach is a tiny bit more efficient (O(n) as opposed O(2n))
xlson
approved these changes
Jul 31, 2019
There was a problem hiding this comment.
LGTM!
I had originally planned for us to remove the caching for cases when auth proxy wasn't used in conjunction with LDAP. That's what we used to do, the cache was only introduced as a way to protect LDAP from being overloaded with requests. But, this should work just as well as it is based on the incoming data.
|
@xlson I thought about that. However, I ended up going this way due to a) the team sync code is non-trivial (it executes at least 3N database queries where N is the number of groups to sync) b) since this is an enterprise-only feature is more likely that this is used with larger installations of Grafana The removal of the cache is simpler that's for sure. But felt like this approach was simple enough to reap most of the benefits. |
ryantxu
added a commit
to ryantxu/grafana
that referenced
this pull request
Aug 1, 2019
* grafana/master: (82 commits) TablePanel: Remove scroll option on TablePanel (grafana#18318) Keyboard Shortcuts: Sign in to enable them (grafana#18271) GitHub Templates: Pull Request Template update (grafana#18300) Auth Proxy: Include additional headers as part of the cache key (grafana#18298) grafana/toolkit: support windows paths (grafana#18306) Chore: noImplicitAny Sub 500 errors (grafana#18287) Plugins: return a promise for loadPluginCss (grafana#18273) Utils: avoid calling console.warn() too often for deprecation warnings (grafana#18269) CLI: Allow installing custom binary plugins (grafana#17551) Docs: Update link to example app (grafana#18253) GettingStarted: Skip Query for getting started (grafana#18268) v6.3.0-beta2 is latest testing (grafana#18283) Release: Changelog update with v6.3.0-beta2 (grafana#18281) Chore: Upgrades typescript to version 3.5 (grafana#18263) docs: team sync (grafana#18239) SAML: Only show SAML login button on Enterprise version (grafana#18270) Permissions: Show plugins in nav for non admin users but hide plugin configuration (grafana#18234) CI: Change target branch in CI task trigger-docs-update (grafana#18255) Plugins: Include build number and PR in metadata (grafana#18260) Run End-to-End tests for release builds (grafana#18211) ...
ryantxu
added a commit
to ryantxu/grafana
that referenced
this pull request
Aug 1, 2019
* grafana/master: (82 commits) TablePanel: Remove scroll option on TablePanel (grafana#18318) Keyboard Shortcuts: Sign in to enable them (grafana#18271) GitHub Templates: Pull Request Template update (grafana#18300) Auth Proxy: Include additional headers as part of the cache key (grafana#18298) grafana/toolkit: support windows paths (grafana#18306) Chore: noImplicitAny Sub 500 errors (grafana#18287) Plugins: return a promise for loadPluginCss (grafana#18273) Utils: avoid calling console.warn() too often for deprecation warnings (grafana#18269) CLI: Allow installing custom binary plugins (grafana#17551) Docs: Update link to example app (grafana#18253) GettingStarted: Skip Query for getting started (grafana#18268) v6.3.0-beta2 is latest testing (grafana#18283) Release: Changelog update with v6.3.0-beta2 (grafana#18281) Chore: Upgrades typescript to version 3.5 (grafana#18263) docs: team sync (grafana#18239) SAML: Only show SAML login button on Enterprise version (grafana#18270) Permissions: Show plugins in nav for non admin users but hide plugin configuration (grafana#18234) CI: Change target branch in CI task trigger-docs-update (grafana#18255) Plugins: Include build number and PR in metadata (grafana#18260) Run End-to-End tests for release builds (grafana#18211) ...
ryantxu
added a commit
to ryantxu/grafana
that referenced
this pull request
Aug 1, 2019
* grafana/master: TablePanel: Remove scroll option on TablePanel (grafana#18318) Keyboard Shortcuts: Sign in to enable them (grafana#18271) GitHub Templates: Pull Request Template update (grafana#18300) Auth Proxy: Include additional headers as part of the cache key (grafana#18298) grafana/toolkit: support windows paths (grafana#18306) Chore: noImplicitAny Sub 500 errors (grafana#18287)
xlson
pushed a commit
to xlson/grafana
that referenced
this pull request
Aug 2, 2019
…ana#18298) * Auth Proxy: Include additional headers as part of the cache key Auth proxy has support to send additional user attributes as part of the authentication flow. These attributes (e.g. Groups) need to be monitored as part of the process in case of change. This commit changes the way we compute the cache key to include all of the attributes sent as part of the authentication request. That way, if we change any user attributes we'll upsert the user information. (cherry picked from commit ed8aeb2)
xlson
pushed a commit
that referenced
this pull request
Aug 2, 2019
* Auth Proxy: Include additional headers as part of the cache key Auth proxy has support to send additional user attributes as part of the authentication flow. These attributes (e.g. Groups) need to be monitored as part of the process in case of change. This commit changes the way we compute the cache key to include all of the attributes sent as part of the authentication request. That way, if we change any user attributes we'll upsert the user information. (cherry picked from commit ed8aeb2)
gotjosh
added a commit
that referenced
this pull request
Aug 7, 2019
Turns out, that behaviour was a bug we introduced as part of the LDAP sync. It was squashed as part of #18298.
gotjosh
added a commit
that referenced
this pull request
Aug 8, 2019
Turns out, that behaviour was a bug we introduced as part of the LDAP sync. It was squashed as part of #18298.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Auth proxy has support to send additional user attributes as part of the
authentication flow. These attributes (e.g. Groups) need to be monitored
as part of the process in case of change.
This commit changes the way we compute the cache key to include all of the
attributes sent as part of the authentication request. That way, if we
change any user attributes we'll upsert the user information.
Which issue(s) this PR fixes:
Fixes #18276
Special notes for your reviewer: