Skip to content

Move external auth cache configuration into the pool object #5983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 24, 2024
Merged

Move external auth cache configuration into the pool object #5983

merged 5 commits into from
Sep 24, 2024

Conversation

contificate
Copy link
Contributor

These simple changes move configuration options into the pool object.

I suspect there are better approaches (naming and convention wise) than what is done here, and I'm happy to rebase those changes in. This feature has been tested manually and works. XenRT tests that exercise this code path properly are still in progress.

In future, I wonder if there are less invasive ways we could consider for providing feature configuration (rather than adding more fields to extant objects, whose database records are already overly large from the content they store). Perhaps we could introduce a variant datatype to the datamodel (akin to DBus' Variant) such that fields similar to other_config : (string -> string) map could be more adequately typed (config : (string -> variant) map). This adds a kind of dynamic - transient - nature to the configuration that we may not want, though.

robhoes
robhoes reviewed Sep 12, 2024
View reviewed changes
@contificate contificate force-pushed the pool-cache-config branch 2 times, most recently from 6546b35 to 38a7397 Compare September 16, 2024 12:57
@psafont
Copy link
Member

psafont commented Sep 16, 2024

Can we hide this fields from normal clients? It seems to me these should be internal configuration, and we don't want users meddling with these.

@contificate
Copy link
Contributor Author

I've updated this so that the related fields are DynamicRO and have specific setter messages that do some some checks: cache size must be non-negative (but may be zero), cache entry expiry must be > 0.

@contificate
Copy link
Contributor Author

Can we hide this fields from normal clients? It seems to me these should be internal configuration, and we don't want users meddling with these.

In the sense of ~internal_only:true on each relevant field in the datamodel? Does that stop this getting advertised in object snapshots from event.from? (I'm not familiar with information hiding at the level of the SDK).

@contificate contificate marked this pull request as ready for review September 16, 2024 13:20
lindig
lindig approved these changes Sep 17, 2024
View reviewed changes
@contificate contificate force-pushed the pool-cache-config branch 3 times, most recently from 272d0b5 to 9bac528 Compare September 17, 2024 11:25
@contificate
Copy link
Contributor Author

I've added ~hide_from_docs:true to all 3 of the related setter messages for these configuration options.

lindig
lindig approved these changes Sep 17, 2024
View reviewed changes
@contificate contificate force-pushed the pool-cache-config branch 2 times, most recently from 530c750 to 6c4d34f Compare September 19, 2024 13:40
psafont
psafont reviewed Sep 19, 2024
View reviewed changes
psafont
psafont reviewed Sep 19, 2024
View reviewed changes
minglumlu
minglumlu reviewed Sep 23, 2024
View reviewed changes
minglumlu
minglumlu reviewed Sep 23, 2024
View reviewed changes
minglumlu
minglumlu reviewed Sep 23, 2024
View reviewed changes
@contificate contificate force-pushed the pool-cache-config branch 2 times, most recently from a7ea1bd to 8d6bd54 Compare September 23, 2024 08:17
robhoes
robhoes reviewed Sep 23, 2024
View reviewed changes
robhoes
robhoes reviewed Sep 23, 2024
View reviewed changes
ocaml/xapi/xapi_pool.ml
if capacity < 0L then
raise Api_errors.(Server_error (invalid_cache_size, []))
else
Db.Pool.set_ext_auth_cache_size ~__context ~self ~value:capacity
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't you want to call clear_external_auth_cache here (and in the following function) to ensure that changes get picked up immediately, without having to restart xapi?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That could be the behaviour, if we wanted it. It's just quite a static setting overall, in that we don't support changing the size in a dynamic way that would imply the truncation of the cache's current contents at runtime. Kind of hoping these settings are fairly static and never played with.

You don't need to restart xapi though, as disable and re-enabling both external authentication generally and the cache feature has the effect of clearing the cache (upon disable). So the new changes would be picked up at the next external authentication attempt.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, that's fine. If we were to actually publish this in the API docs, it would be good to mention this there (the need to disable+re-enable).

CP-51034: Add cache-related fields to pool object
773b1bb 
Adds 3 new fields to the pool object:

- ext_auth_cach_enabled: bool

  Specifies whether or not external authentication caching is enabled for this
  pool. The field is false by default.

- ext_auth_cach_size: int

  Specifies the maximum capacity of the external authentication cache. Its
  default value is 50.

- ext_auth_cache_expiry: int

  Specifies how long cached entries should remain cached. The default value is
  300 seconds (5 minutes).

Previously, these options were configured from xapi.conf, but in the case of
designation of new pool coordinator (by autonomous means or otherwise), we
would like for the feature's configuration to be adopted by new coordinator
(without necessitating duplicate xapi configurations across hosts in the pool).
The cache's contents itself will not be preserved, but caching will resume on
the new coordinator if it was enabled on the previous coordinator.

Signed-off-by: Colin James <colin.barr@cloud.com>
Colin James added 4 commits September 24, 2024 09:33
CP-51034: Expose cache options to xe CLI
ce7e543 
Signed-off-by: Colin James <colin.barr@cloud.com>
CP-50134: Replace Xapi_globs usage w/ pool config
68744c2 
Replaces the usages of Xapi_globs within external authentication cache-related
code to query the pool object for its configuration options.

Signed-off-by: Colin James <colin.barr@cloud.com>
CP-51034: Inject expiry instead of using global
19c6371 
Modifies external authentication cache-related code to no longer rely on a
globally-specified expiry time (TTL). Instead, caches are constructed with a
given expiry time that they will endow entries with for the extent of their
lifetime.

There are now no usages of Xapi_globs in cache-related code, so those
configuration options can be removed.

Signed-off-by: Colin James <colin.barr@cloud.com>
CP-51034: Remove cache options from Xapi_globs
1c00a73 
Removes the global options that were once used to configure the external
authentication cache. This is safe to do as the cache now configures itself
from the pool object.

Adds a few lines of debug messages.

Signed-off-by: Colin James <colin.barr@cloud.com>
@contificate contificate added this pull request to the merge queue Sep 24, 2024
Merged via the queue into xapi-project:master with commit d0bc11a Sep 24, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robhoes robhoes robhoes approved these changes

@lindig lindig lindig approved these changes

@psafont psafont psafont approved these changes

@minglumlu minglumlu minglumlu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@contificate @psafont @robhoes @lindig @minglumlu