credentials: implement file-based JWT Call Credentials (part 1 for A97) #8431
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #8431 +/- ##
==========================================
- Coverage 82.27% 80.73% -1.55%
==========================================
Files 414 415 +1
Lines 40424 40976 +552
==========================================
- Hits 33259 33081 -178
- Misses 5795 6220 +425
- Partials 1370 1675 +305
🚀 New features to boost your workflow:
|
dimpavloff
changed the title
|
@dfawley hey 👋 Given you approved A97, would you mind having a cursory look at the PR to confirm if at least at a high level the approach looks good? |
|
I will take a look at this , I need to go through the gRFC first. |
dfawley
requested review from
easwars and
eshitachandwani
and removed request for
dfawley
|
Sorry for the delay here. @easwars would you be able to review this change? I think you have more background into some of the things than I do, like the bootstrap integration. Thank you! |
|
Thank you for your contribution @dimpavloff. Yes, it would be nice if you can split this into smaller PRs. I will continue to use this PR to review the JWT call credentials implementation. If you can move the xDS implementation out to one or more PRs, I would greatly appreciate that and would be happy to review them as well. |
|
|
||
| // Verify cached expiration is 30 seconds before actual token expiration | ||
| impl := creds.(*jwtTokenFileCallCreds) | ||
| impl.mu.RLock() |
There was a problem hiding this comment.
Please only test the API surface. Relying on implementation internals in tests makes them brittle and would result in test changes when any changes to implementation is made.
There was a problem hiding this comment.
I assume you are referring to using a private field rather than obtaining mu specifically.
In general I agree -- white box tests may get fragile and break during a refactor. However, this test and the next couple of ones are about the caching behaviour -- it is meant to be transparent to the external API. If I don't make assertions about the private fields, the tests may pass trivially and become more flaky (e.g. when testing the backoff in the next test).
One alternative could be factoring out these behaviours out into a separate private struct with "public" functions which expose the same information. Given that it would require shifting the majority of the implementation into that struct, I'm not sure it is an improvement from the current approach.
Please do let me know your thoughts and if you have other suggestions.
…hed value; also explain preemptive refresh test
There was a problem hiding this comment.
Thanks for the review @arjan-bal . Could you please take another look?
There was a problem hiding this comment.
Some minor comments and one pending unresolved comment about using strings.Cut while parsing the JWT.
|
Great, thank you both for all the feedback! I'll tidy up the other PR soon |
Part one for grpc/proposal#492 (A97).
This is done in a new
credentials/jwtpackage to provide file-based PerRPCCallCredentials. It can be used beyond XDS. The package handles token reloading, caching, and validation as per A97 .There will be a separate PR which uses it in
xds/bootstrap.Whilst implementing the above, I considered
credentials/oauthandcredentials/xdspackages instead of creating a new one. The former package hasNewJWTAccessFromKeyandjwtAccesswhich seem very relevant at first. However, I think thejwtAccessbehaviour seems more tailored towards Google services. Also, the refresh, caching, and error behaviour for A97 is quite different than what's already there and therefore a separate implementation would have still made sense.WRT
credentials/xds, it could have been extended to both handle transport and call credentials. However, this is a bit at odds with A97 which says that the implementation should be non-XDS specific and, from reading between the lines, usable beyond XDS.I think the current approach makes review easier but because of the similarities with the other two packages, it is a bit confusing to navigate. Please let me know whether the structure should change.
Relates to istio/istio#53532
RELEASE NOTES:
credentials/jwtpackage providing file-based JWT PerRPCCredentials (A97).