Skip to content

[v12] Firestore backend improvements #28738

Merged
rosstimothy merged 5 commits into
branch/v12from
bot/backport-28473-branch/v12
Jul 6, 2023
Merged

[v12] Firestore backend improvements #28738
rosstimothy merged 5 commits into
branch/v12from
bot/backport-28473-branch/v12

Conversation

@rosstimothy
Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy commented Jul 5, 2023

Backport #28473 to branch/v12

@rosstimothy
Test concurrent compare and swaps
74dd148 
The backend test suite was not validating that simultaneous CAS
operations result in only one attempt succeeding. The test now
runs multiple concurrent CAS operations and ensures that only a
single operation succeeds. This shortcoming with the test allowed
the Firestore backend to pass the compliance test while not perfoming
CAS in an atomic manner.
@rosstimothy
Firestore backend improvements
af6d0e3 
1) CAS now utilizes a transaction to ensure the operation is atomic

The original implementation did not use transactions which violated
the atomic guarantees of the CAS operation. The backend compliance
test was able to catch this when it was updated to run concurrent
CAS opertations.

2) Update is limited to updating a value

The original implementation of Update was actually doing a get and
then upsert. However, there are no guarantees that prevent a delete
from occurring between get and upsert, which means Update would
upsert the value instead of failing. Instead of get and then upsert
we now update the document using the (firestore.DocumentRef) Update
method.

3) Watching items from the collection filters out any audit events

If Teleport is configured to use the same collection for backend state
and audit events the collection watcher ends up consuming all audit
events as empty backend items. To avoid this the watcher is now filtering
out any collections which have an empty key since it is not possible
for backend resources to be written without a key this will only
exclude audit events which have a different schema.

4) SearchEvents now filters out backend resources

Similar to above, the Firestore events implementation now excludes
any documents which have an empty session id to prevent backend
resources from getting included in queries for audit events if the
collection is being shared.
@rosstimothy
speed up backend test suite
8718734
@rosstimothy
conditionally delete expired items on get
229d0ac
@rosstimothy
fix: cleanup tests
c3126c8
@rosstimothy rosstimothy marked this pull request as ready for review July 6, 2023 14:45
@github-actions github-actions Bot added audit-log Issues related to Teleports Audit Log size/md labels Jul 6, 2023
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from espadolini July 6, 2023 15:00
@rosstimothy rosstimothy added this pull request to the merge queue Jul 6, 2023
Merged via the queue into branch/v12 with commit b94ca0f Jul 6, 2023
@rosstimothy rosstimothy deleted the bot/backport-28473-branch/v12 branch July 6, 2023 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@espadolini espadolini espadolini approved these changes

@fspmarshall fspmarshall fspmarshall approved these changes

+1 more reviewer

@jakule jakule jakule approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

audit-log Issues related to Teleports Audit Log backport size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rosstimothy @espadolini @jakule @fspmarshall