docs: mark matching API and related features as alpha#16210
docs: mark matching API and related features as alpha#16210htuch merged 13 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Signed-off-by: Snow Pettersen <snowp@lyft.com>
| // might repeat several times until the final OnMatch (or no match) is decided. | ||
| // | ||
| // This API is a work in progress. | ||
| // This API is currently considered experimental and is a work in progress. |
There was a problem hiding this comment.
Can you add a [#experimental: tag and render this as a warning box? @phlax could you help @snowp with this if possible? It should be doable in https://github.com/envoyproxy/envoy/blob/main/tools/protodoc/protodoc.py.
Also, can https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#threat-model be updated to explicitly state anything flagged as experimental is out-of-scope?
There was a problem hiding this comment.
Is https://github.com/envoyproxy/envoy/pull/16210/files#diff-7e7afbba95a0599ef388b3eb10e44c6cf3520dd65c24ef0f8d77e790d683a537L80-R83 not sufficient for updating the threat model? Anywhere else I should point out that experimental features are not covered?
There was a problem hiding this comment.
the cache filter probs wants to be marked as experimental too i think
There was a problem hiding this comment.
apologies - i misread comment - i can help adding the annotation + parser if its helpful to
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Signed-off-by: Snow Pettersen <snowp@lyft.com>
| it should be hardened with this model in mind. Security issues related to core code will usually | ||
| trigger the security release process as described in this document. | ||
| Anything in the Envoy core may be used in both untrusted and trusted deployments, with the exception | ||
| of features explicitly marked as experimental. As a consequence, it should be hardened with this model |
There was a problem hiding this comment.
"marked as experimental; experimental features are only supported in trusted deployments and do not qualify for treatment under the threat model below" or something like that.
tools/protodoc/protodoc.py
Outdated
| experimental_warning = '' | ||
| if annotations.EXPERIMENTAL_ANNOTATION in comment.annotations: | ||
| experimental_warning = ( | ||
| '.. warning::\n This API is experimental and is not covered by the security posture.\n\n' |
There was a problem hiding this comment.
"not covered by the threat model" (and link back to the RST for this)
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
Just a general comment, we now have multiple notions of WiP:
- This experimental protodoc tag.
- The not-implemented-hide protodoc tag (sort of overlaps but not exactly).
alphastatus on the extension.work_in_progressproto annotation.
Is it clear which to use and where?
|
I think the need for experimental comes in here for core protos that are experimental: the protos live in a file with existing stable protos (maybe it shouldn't have, that way we could have just marked this as alpha/work-in-progress). I also think the WIP tag only works for extension docs, which isn't going to be applicable to these core protos. Perhaps we should add docs somewhere or attempt to reconcile these variations? For example, we could have a message level WIP annotation instead of this new experimental tag? |
seems like a good idea - but it would be good to get something one way or another, so im +1 to adding it for now unless we can resolve upstream quickly
my feeling is that experimental needs to be distinct from WIP |
|
Maybe replace WIP annotations with experimental at file level? Docs coverage in |
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
LGTM modulo api/STYLE.md update on the range of experimental/WiP/alpha etc.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
api/STYLE.md
Outdated
| implementation. These indicate that the entity is not implemented in Envoy and the entity | ||
| should be hidden from the Envoy documentation. | ||
|
|
||
| * Use a `[#experimental:]` annotation in comments for messages that are considered experimental |
There was a problem hiding this comment.
I thought that generally alpha things weren't considered to be in the threat model. Maybe we should just tag this alpha instead?
@yanavlasov for thoughts
There was a problem hiding this comment.
This gets to my comment above #16210 (review). I think the issue is we can only tag as alpha at file level. @snowp points out that sometimes we want to tag at feature level.
There was a problem hiding this comment.
Right, but can we call them both alpha, rather than alpha and experimental? Unless there are actual differences, but I think the description above could apply to either so I'd lean towards calling it alpha and shipping :-)
There was a problem hiding this comment.
Yes, I'm good with more consistent terminology here, that helps reduce some of the confusion.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
nice! Just a few more comments for all the shepherds' reviews matter more here =P
api/STYLE.md
Outdated
| should be hidden from the Envoy documentation. | ||
|
|
||
| * Use a `[#alpha:]` annotation in comments for messages that are considered alpha | ||
| and are not subject to the threat model. This differs from the work-in-progress/alpha tagging |
There was a problem hiding this comment.
I think we need to update this comment given it's now alpha tagging :-)
I think also worth calling out that things tagged alpha are not yet subject to the stable API policies and security release policies.
There was a problem hiding this comment.
Hmm we still have extension level alpha tagging which differs from this alpha tag which is the only way to mark messages within core as alpha. What kind of change were you thinking about?
There was a problem hiding this comment.
I was trying to resolve the two, and have alpha tagging for extensions be functionally the same as alpha tagging for messages and fields, which is basically that both are WIP, not stable APIs and less trusted code.
|
|
||
| .. attention:: | ||
|
|
||
| The composite filter is experimental and is currently under active development. |
There was a problem hiding this comment.
optional: experimental -> alpha here and below?
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
oh and PR name/description experimental -> alpha?
Signed-off-by: Snow Pettersen <snowp@lyft.com>
snowp
changed the title
|
|
||
| .. attention:: | ||
|
|
||
| The matching API is experimental and is currently under active development. |
| alpha_warning = '' | ||
| if annotations.ALPHA_ANNOTATION in comment.annotations: | ||
| experimental_warning = ( | ||
| '.. warning::\n This API is alpha and is not covered by the :ref:`threat model <arch_overview_threat_model>`.\n\n' |
There was a problem hiding this comment.
FWIW, we have a broader issue which we can resolve after we land this PR. We have both implementation and API alpha/experimental/unknown robustness status. An API is not really insecure in and of itself, this is an implementation attribute.
We really need a way to mark in the protos client specific implementation status details, since Envoy vs. gRPC support for a feature might have different implementation status.
I started to explore this in #11085, but it's not really something I have b/w for. Maybe @phlax this can be part of the docs/tooling roadmap?
CC @markdroth
There was a problem hiding this comment.
I agree, it would be nice to have some generic solution for this kind of thing. Matt has been saying for a while that we need a way to have client-specific docs in the proto files, not just for API status but for any type of documentation. Although as the number of xDS clients grows, I'm not sure how feasible it will be to document all of the in the same proto files. But this is definitely something we need to come up with a good strategy for.
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
LGTM modulo nit. Will leave final sign-off/merge to @alyssawilk
Signed-off-by: Snow Pettersen <snowp@lyft.com>
|
/lgtm api |
Marks the matching API more clearly as experimental and updates the composite filter security posture to reflect this. Signed-off-by: Snow Pettersen <snowp@lyft.com>
5 participants
Commit Message: Marks the matching API more clearly as experimental and updates the composite filter security posture to reflect this.
Additional Description:
Risk Level: Low, docs only
Testing: n/a
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a