Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reactive Datasource: support CredentialsProvider changing values #31873

Merged
merged 1 commit into from
Jun 15, 2023

Conversation

tsegismont
Copy link
Contributor

@tsegismont tsegismont commented Mar 15, 2023

Instead of:

  • creating pgConnectOptions after calling the CredentialsProvider on startup
  • using static pool configuration

We:

  • use dynamic pool configuration
  • call the Credentials provider every time a new connection must be created

This PR allows to support use cases like password rotation.

See also https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995

@tsegismont
Copy link
Contributor Author

The first commit applies changes to the Reactive Pg Client extension only. I'll update the other reactive SQL client extensions after we've discussed the proposal.

@tsegismont
Copy link
Contributor Author

@vietj can you please take a look (dynamic pool config implementation)

@cescoffier @geoand I've made changes so that the credentials provider is invoked on a worker thread, is that fine? The user might be doing blocking calls in the implementation.

@tsegismont tsegismont force-pushed the changing_credentials branch from 290c0a1 to b12de93 Compare March 15, 2023 18:34
@geoand
Copy link
Contributor

geoand commented Mar 16, 2023

I've made changes so that the credentials provider is invoked on a worker thread, is that fine? The user might be doing blocking calls in the implementation

Have you seen such use cases or users mentioning this?

@tsegismont
Copy link
Contributor Author

Have you seen such use cases or users mentioning this?

I looked into this because of https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995

I haven't tried myself or seen reproducers. I'm trying to think about uses cases, like password rotation. The changing credentials must come from the disk or a remote system? If the lookup is made synchronously in the credentials provider, the event loop will be blocked.

We have two options, I think:

  • acknowledging the CredentialsProvider contract is synchronous and invoking it on a worker thread
  • invoking it on the event loop anyway and then we shall:
    • document it
    • recommend users to perform the new credentials lookup in a scheduled task

@geoand
Copy link
Contributor

geoand commented Mar 16, 2023

I guess we should have it on the worker thread for the time being and if the need arised, look into supporting the @Blockling / @NonBlocking annotations

@cescoffier
Copy link
Member

The call to the credential provider must happen on a worker thread unfortunately (wrong design).

Copy link
Member

@cescoffier cescoffier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea looks good.

The credential provider must be called on a worker thread, as it may block.

@ingmarfjolla
Copy link

hello, i just verified that this fix seems to be working with this reproducer here (quarkus version 3.0.0.Alpha4): https://github.com/ingmarfjolla/quarkus-reactive. Thanks for working on this!

cc @senthilredhat @raffaelespazzoli

@ingmarfjolla
Copy link

the only thing i noticed is that the credential manager (vault in my case) seems to be called multiple times on 7 different event loop threads on startup, so the logs look something like :

2023-03-16 11:41:51,471 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-1) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,475 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-1) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,489 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-2) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,493 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-2) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
...
2023-03-16 11:41:51,576 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-7) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  

@tsegismont
Copy link
Contributor Author

tsegismont commented Mar 17, 2023

The idea looks good.

Thank you @cescoffier

The credential provider must be called on a worker thread, as it may block.

👍

the only thing i noticed is that the credential manager (vault in my case) seems to be called multiple times on 7 different event loop threads on startup

@ingmarfjolla The crendentials provider can be invoked twice on startup by the extension, and then the default 5 max connections may be created immediately if you setup the database (perhaps with Hibernate Reactive) ?

A good way to check would be to log a fake error (new Exception()) in order to see the stack trace.

@tsegismont
Copy link
Contributor Author

@cescoffier @geoand about credentials provider API: I took a look at the Vault extension implementation:

            return vaultDynamicCredentialsManager.getDynamicCredentials(DATABASE_DEFAULT_MOUNT, DEFAULT_REQUEST_PATH,
                    config.databaseCredentialsRole.get()).await().indefinitely();

Too bad the contract is synchronous because the implementation uses non blocking-APIs.

Do you think it is worth tracking in a separate issue? In the meantime, we definitely have to invoke this on a worker thread.

@geoand
Copy link
Contributor

geoand commented Mar 20, 2023

Yeah, I think we should open an issue about providing a new SPI

@tsegismont tsegismont force-pushed the changing_credentials branch from b12de93 to 49cc24f Compare March 20, 2023 17:50
@cescoffier
Copy link
Member

Yes, when I found out about the synchronous and blocking nature of the credential provider it was too late :-(. So, yes, please open an issue to switch to a non-blocking API.

@tsegismont tsegismont force-pushed the changing_credentials branch from 49cc24f to 4a4a3b9 Compare March 21, 2023 22:05
@tsegismont tsegismont marked this pull request as ready for review March 21, 2023 22:05
@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/persistence OBSOLETE, DO NOT USE labels Mar 21, 2023
@tsegismont tsegismont requested a review from cescoffier March 21, 2023 22:07
@tsegismont
Copy link
Contributor Author

The PR is ready for review

@quarkus-bot

This comment has been minimized.

@tsegismont tsegismont force-pushed the changing_credentials branch from 4a4a3b9 to adebae9 Compare March 21, 2023 22:27
@quarkus-bot

This comment has been minimized.

@tsegismont
Copy link
Contributor Author

The failure looks unrelated

@geoand
Copy link
Contributor

geoand commented Mar 22, 2023

Yeah, totally unrelated

@tsegismont
Copy link
Contributor Author

I've updated the PR using the new Vert.x API with connect options supplier.

@kdubb
Copy link
Contributor

kdubb commented Jun 9, 2023

🎉

@quarkus-bot

This comment has been minimized.

@tsegismont
Copy link
Contributor Author

tsegismont commented Jun 10, 2023 via email

@geoand geoand added release/noteworthy-feature and removed triage/on-ice Frozen until external concerns are resolved labels Jun 12, 2023
@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

@kdubb what was the outcome of your experiment vs this?

@kdubb
Copy link
Contributor

kdubb commented Jun 12, 2023

@tsegismont Is using the culmination of my original PR's against the vert.x sql client.

@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

Excellent. @cescoffier are you still good with the latest version of the PR?

@cescoffier
Copy link
Member

Yes, looks good to me.

@kdubb
Copy link
Contributor

kdubb commented Jun 12, 2023

Is there any chance of this being back ported to 2.x? idle-timeout is the solution to many issues and discussions in the vault extension. It would be nice to have the functionality in both series if possible.

@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

Is there any chance of this being back ported to 2.x

-1 as we really don't want to backport features to 2.x

@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

Can we get one last rebase please so we can make sure CI is fine?

Instead of:

- creating pgConnectOptions after calling the CredentialsProvider on startup
- using static pool configuration

We:

- use dynamic pool configuration
- call the Credentials provider every time a new connection must be created
@tsegismont tsegismont force-pushed the changing_credentials branch from 8c9e5ca to 3e5afbf Compare June 12, 2023 08:42
@tsegismont
Copy link
Contributor Author

Can we get one last rebase please so we can make sure CI is fine?

Done

@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

Thanks!

@geoand geoand added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 12, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Jun 12, 2023

Failing Jobs - Building 3e5afbf

Status Name Step Failures Logs Raw logs
Native Tests - Security1 Build ⚠️ Check → Logs Raw logs

@tsegismont
Copy link
Contributor Author

@geoand this time it seems the build failed because one job ran out of time.

@geoand
Copy link
Contributor

geoand commented Jun 12, 2023

Yeah, I doubt it's related. @sberyozkin can you confirm?

@tsegismont
Copy link
Contributor Author

@cescoffier @geoand can we go ahead and merge the PR?

@geoand geoand merged commit ac3129f into quarkusio:main Jun 15, 2023
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 15, 2023
@quarkus-bot quarkus-bot bot added this to the 3.2 - main milestone Jun 15, 2023
@tsegismont
Copy link
Contributor Author

Thanks @geoand !

@geoand
Copy link
Contributor

geoand commented Jun 15, 2023

Thank you for this!

@tsegismont tsegismont deleted the changing_credentials branch June 29, 2023 09:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/dependencies Pull requests that update a dependency file area/persistence OBSOLETE, DO NOT USE area/reactive-sql-clients release/noteworthy-feature
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants