Project

General

Profile

Actions
Copy link

Bug #21907

closed

Uncached permission lookup in keep-web when handling s3 request

Added by Tom Clegg about 1 month ago. Updated 3 days ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Brett Smith
Category:
Keep
Target version:
Development 2024-07-24 sprint
Story points:
-
Release:
Arvados 3.0
Release relationship:
Auto

Description

In arvados:source:services/keep-web/s3.go

        if len(key) == 27 && key[5:12] == "-gj3su-" {
                // Access key is the UUID of an Arvados token, secret                                                                                         
                // key is the secret part.                                                                                                                    
                ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Cluster.SystemRootToken)
                err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/"+key, nil, nil)
                secret = aca.APIToken
        } else {
                // Access key and secret key are both an entire                                                                                               
                // Arvados token or OIDC access token.                                                                                                        
                ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+unescapeKey(key))
                err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/current", nil, nil)
                secret = key
        }

Subtasks 1 (1 open0 closed)

Task #21915: Review 21907-cache-s3-tokenIn ProgressTom Clegg07/19/2024Actions

Related issues

Related to Arvados - Bug #21748: awscli downloads from keep-web slowly?In ProgressTom CleggActions
Actions
Copy link
 #1

Updated by Tom Clegg about 1 month ago

  • Related to Bug #21748: awscli downloads from keep-web slowly? added
Actions
Copy link
 #2

Updated by Peter Amstutz about 1 month ago

  • Target version set to Development 2024-07-03 sprint
Actions
Copy link
 #3

Updated by Peter Amstutz about 1 month ago

  • Category changed from API to Keep
Actions
Copy link
 #4

Updated by Peter Amstutz about 1 month ago

  • Assigned To set to Brett Smith
Actions
Copy link
 #5

Updated by Peter Amstutz 19 days ago

  • Target version changed from Development 2024-07-03 sprint to Development 2024-07-24 sprint
Actions
Copy link
 #6

Updated by Tom Clegg 7 days ago

Some implementation thoughts/hints
  • Pretty similar to #21901
  • Define a cachedS3Secret struct 
    type cachedS3Secret struct {
        secret string
        expiry time.Time
}
  • Add a map[string]cachedS3Secret to handler
  • Expiry time should be earlier of aca.ExpiresAt (assuming !aca.ExpiresAt.IsZero()) and time.Now().Add(h.Cluster.Collections.WebDAVCache.TTL.Duration())
Actions
Copy link
 #7

Updated by Brett Smith 4 days ago

  • Status changed from New to In Progress

21907-cache-s3-token @ 54d80de3f87fde4bfb83c3e1ad8161b595e6cf3c - developer-run-tests: #4350

  • All agreed upon points are implemented / addressed.
    • Yes. Because the current checks3signature method needs both the authorization UUID and token, as well as the ability to normalize it into a v2 token, it seemed most straightforward to cache the entire APIClientAuthorization object. But that's the only real difference from the proposed plan. Hope that's okay.
  • Anything not implemented (discovered or discussed during work) has a follow-up story.
    • N/A
  • Code is tested and passing, both automated and manual, what manual testing was done is described
    • See above. The branch includes a bunch of new tests.
  • Documentation has been updated.
    • N/A, pure performance improvement.
  • Behaves appropriately at the intended scale (describe intended scale).
    • No change in scale.
  • Considered backwards and forwards compatibility issues between client and server.
    • No compatibility change. Note there are zero changes to existing tests.
  • Follows our coding standards and GUI style guidelines.
    • Yes
Actions
Copy link
 #8

Updated by Tom Clegg 3 days ago

  • yes, caching the entire APIClientAuthorization object LGTM
  • checks3signature() needs to acquire h.s3secretCacheMtx.Lock() before doing the h.s3SecretCache[unescapedKey] lookup
  • NewCachedS3Secret should be unexported (i.e., newCachedS3Secret)
    • less critical: IsValidAt should be isValidAt (since the struct itself isn't exported the method is effectively private anyway, but in general methods like this can end up being called by other modules by virtue of satisfying an interface, so if that's not intended, I'd default to an unexported name)
  • maybe rename s3SecretCacheTidyDuration to s3SecretCacheTidyInterval?
  • it looks like checks3signature() doesn't write to aca, so it would be safe to make aca a pointer instead of a value, and avoid the extra copy when using a cached auth. That's a pretty tiny optimization, though, so leaving it alone would also be fine with me.
Actions
Copy link
 #9

Updated by Brett Smith 3 days ago

I had to rebase because I noticed the commit message had the wrong ticket number. 9e21b7cdd3e51afd02acdb8b2989dbe949da2680 is identical to what you reviewed before except for that edit to the commit message.

Everything you suggested sounds good to me. Made those changes and now at 24f9b12ff94f2725e4b797f92738ebd2e2b96852 - developer-run-tests: #4351

Actions
Copy link
 #10

Updated by Tom Clegg 3 days ago

LGTM, thanks!

Actions
Copy link
 #11

Updated by Brett Smith 3 days ago

  • Status changed from In Progress to Resolved
Actions
Copy link

Also available in: Atom PDF