Change how the key ring cache is updated #54675
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I wanted to address two concerns: 1. If there is a cached key ring, but it is expired, the first thread to discover this will _synchronously_ refresh the cache - other threads will continue to use the old value. 2. If a key ring refresh is forced, it will always hit the backing repository, even if several threads want a refresh at the same time. With this change, _all_ key ring updates are computed on a thread-pool thread and callers block exactly when there is no cached key ring for them to fall back on (first run, for example) or if they are forcing a refresh (an in-flight refresh is considered satisfactory). Moving this work to a background thread will give us more room to be generous with retries when (e.g.) Azure KeyVault is unreachable or a file is locked. The old behavior can be restored using the appcontext switch `Microsoft.AspNetCore.DataProtection.KeyManagement.DisableAsyncKeyRingUpdate`. This is a safety valve and not part of configuration - we'll remove the switch and the old code path in the next release if nothing blows up. Micro-benchmarking (on 9.0 on x64) shows that the new version has comparable performance in the common case of finding an unexpired key ring in the cache.
ghost
added
the
amcasey
commented
Mar 21, 2024
amcasey
commented
Mar 21, 2024
amcasey
commented
Mar 21, 2024
amcasey
commented
Mar 21, 2024
| mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(updatedKeyRingTime)) | ||
| .Returns<DateTimeOffset>(dto => | ||
| { | ||
| // at this point we're inside the critical section - spawn the background thread now |
There was a problem hiding this comment.
This test was unsalvageable because it depended upon the lambda being evaluated under a particular lock. MultipleThreadsSeeExpiredCachedValue attempts to provide analogous coverage.
dotnet-policy-service
bot
added
the
pending-ci-rerun
captainsafia
approved these changes
Apr 15, 2024
src/DataProtection/DataProtection/src/KeyManagement/KeyRingProvider.cs
Outdated
Show resolved
Hide resolved
BrennanConroy
approved these changes
Apr 18, 2024
src/DataProtection/DataProtection/src/KeyManagement/KeyRingProvider.cs
Outdated
Show resolved
Hide resolved
|
Thanks @captainsafia and @BrennanConroy! This was a complicated one. |
halter73
reviewed
Apr 22, 2024
halter73
reviewed
Apr 22, 2024
| if (newCacheableKeyRing is null) | ||
| { | ||
| // There will have been a better exception from the winning thread | ||
| throw Error.KeyRingProvider_RefreshFailedOnOtherThread(); |
There was a problem hiding this comment.
The exception must have already happened at this point. Why can't we capture it and throw it from any thread that fails to retrieve the KeyRing due to the exception?
There was a problem hiding this comment.
I didn't think it would be helpful to print the underlying exception once per affected task, even if we were to add a note that it was being re-reported from elsewhere.
There was a problem hiding this comment.
I still think it's more helpful than throwing a generic exception. We don't have to log it each time.
There was a problem hiding this comment.
As a compromise, I've attached existingTask.Exception as the inner exception.
amcasey
added a commit
to amcasey/aspnetcore
that referenced
this pull request
Apr 22, 2024
- Take locks earlier since they're going to be taken anyway - Observe exceptions on background tasks - Rethrow task exceptions in the standard way - Remove redundant Volatiles - Attach an inner exception on losing threads
amcasey
added a commit
that referenced
this pull request
Apr 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I wanted to address two concerns:
With this change, all key ring updates are computed on a thread-pool thread and callers block exactly when there is no cached key ring for them to fall back on (first run, for example) or if they are forcing a refresh (an in-flight refresh is considered satisfactory).
Moving this work to a background thread will give us more room to be generous with retries when (e.g.) Azure KeyVault is unreachable or a file is locked.
The old behavior can be restored using the appcontext switch
Microsoft.AspNetCore.DataProtection.KeyManagement.DisableAsyncKeyRingUpdate. This is a safety valve and not part of configuration - we'll remove the switch and the old code path in the next release if nothing blows up.Micro-benchmarking (on 9.0 on x64) shows that the new version has comparable performance in the common case of finding an unexpired key ring in the cache.