Arvados

Federated block queries: currently do GET with a signed locator, returns content

We want to retrieve a federated block, save it, and returned the signed locator

Do a HEAD request (equivalent to the GET request) and look for a header that has a new locator with local block signature.

14199-copy-from-remote @ fde27ce0e46521db9828c228e7fb531e003724a8 https://ci.curoverse.com/view/Developer/job/developer-run-tests/918/

All keepstore GET and HEAD responses for block requests should support this new header/response

I haven't done this part: so far, the X-Keep-Signature header is ignored in GET requests that aren't proxied with the +R remote signature. IIRC this requirement was supposed to help long-running clients keep their signatures alive longer than blob-signature-ttl without creating a collection. It turns out not to be trivial to implement, and I'm now doubting [a] updating the block's timestamp on the storage backend is a reasonable way to do that, especially now that auto-expiring temp collections are supported, and [b] (even if so) it deserves to be rolled into this pull-from-remote story.

Responses with an X-Keep-Locator header must also include a "Vary: X-Keep-Signature" header.

I think the correct requirement is "Responses that can vary depending on the X-Keep-Signature request header," i.e., requests with +R signatures and no +A signatures in the path, regardless of whether the X-Keep-Signature/X-Keep-Locator headers appear. For example, if a client does "GET without x-k-s", then "GET with x-k-s", the first response has to include the Vary header to prevent a proxy from reusing it for the second request. Implemented accordingly.

14199-copy-from-remote @ 005951a5e62a55894eace6e8fb3fe91d5c4ba84c

Fixes occasional test suite deadlock/timeout. From commit message:

    If a KeepClient has been created using an API server address that is
    no longer reachable, calling keepclient.RefreshServiceDiscovery() puts
    the poll() goroutine into an endless retry loop, and a second call
    never returns because ent.clear is never ready to receive.

    Work around this in the pull worker tests by only refreshing services
    from the API server actually being used, not on additional ones
    referenced by previous test cases.

• It checks for the presence of X-Keep-Signature but doesn't check the value. Maybe there should be some validation, even if we don't do anything with it?

func (rrc *remoteResponseCacher) Flush(ctx context.Context) {

• This doesn't match the http.Flusher interface. Should it? Or should it be renamed? (maybe Finish())

Rest LGTM.

• invoke local cache/signature on X-Keep-Signature: local[, ...]
• rename Flush to Close (its semantics are much, um, closer to io.Closer than http.Flusher so this seems less confusing)

Tom Clegg wrote:

14199-copy-from-remote @ 77ee37c567ba73a0c33455ecf8d5c8200cf69d72

• invoke local cache/signature on X-Keep-Signature: local[, ...]
• rename Flush to Close (its semantics are much, um, closer to io.Closer than http.Flusher so this seems less confusing)

LGTM.