-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keycloak authorizer 'grants fetch retry' feature + tests #179
Conversation
Introduced `strimzi.authorization.grants.retries` broker option that signifies how many retries to attempt immediately in the same thread if the grants HTTP request fails. Status errors 401 and 403 don't trigger a re-attempt, all other failures do. This feature is useful in the environment where network is glitchy or a reverse proxy in front of the Keycloak server produces intermittent failures. Such an environment may be a given and the application developers may have no other option but to work within such constraints. Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
README.md
Outdated
Sometimes the deployment environment is such that there is a reverse proxy in front of the Keycloak, or some service like a network traffic analyzer, or flood protection server. | ||
Or, the network may be glitchy resulting in intermittent connection problems. By default, any error while getting the initial grants for the new session, | ||
will result in `AuthorizationException` returned to the Kafka client application. Upon client retrying some operation, the grants will be fetched again, | ||
since not yet available. The following option enables reattempting the fetching of grants immediately so that if subsequent fetch is successful the client doesn't | ||
receive the `AuthorizationException`. Provide the value greater than '0' to set the number of repeated attempts: | ||
- `strimzi.authorization.grants.retries` (e.g.: "1" - if initial fetching of grants for the session fails, immediately retry one more time) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I get it right, the default is 0 => no retry, or? Would be worth mentioning that 0 means no retries and not infinity retries. It would be also good to mention it here as the default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. I guess we can improve this. Something like:
Sometimes the deployment environment is such that there is a reverse proxy in front of the Keycloak, or some service like a network traffic analyzer, or flood protection server. | |
Or, the network may be glitchy resulting in intermittent connection problems. By default, any error while getting the initial grants for the new session, | |
will result in `AuthorizationException` returned to the Kafka client application. Upon client retrying some operation, the grants will be fetched again, | |
since not yet available. The following option enables reattempting the fetching of grants immediately so that if subsequent fetch is successful the client doesn't | |
receive the `AuthorizationException`. Provide the value greater than '0' to set the number of repeated attempts: | |
- `strimzi.authorization.grants.retries` (e.g.: "1" - if initial fetching of grants for the session fails, immediately retry one more time) | |
Sometimes the deployment environment is such that there is a reverse proxy in front of the Keycloak, or some service like a network traffic analyzer, or flood protection server. | |
Or, the network may be glitchy resulting in intermittent connection problems. By default, any error while getting the initial grants for the new session, | |
will result in `AuthorizationException` returned to the Kafka client application. Upon client retrying some operation, the grants will be fetched again, | |
since not yet available. The following option enables reattempting the fetching of grants immediately so that if subsequent fetch is successful the client doesn't | |
receive the `AuthorizationException`. The default value is '0', meaning 'no retries'. Set the value to greater than '0' to set the maximum number of retries to attempt: | |
- `strimzi.authorization.grants.retries` (e.g.: "1" - if initial fetching of grants for the session fails, immediately retry one more time) |
In fact, you uncovered a bug, because you can right now configure -1 as the value which will result in grants not getting fetched even once!
Does this pertain to a reported issue (since I assume the motivation is not merely hypothetical)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of nits, otherwise LGTM.
|
||
try { | ||
if (t != null) { | ||
log.warn("Failed to fetch grants. Will retry (attempt no. " + i + ")", t); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really a warn
level? I mean, the plugin is working exactly as expected (honouring the retry). Given the user has a flaky network (and presumably knows they do, since they configured the retries) is this something we should warn
about, or just info
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good point. This code is only executed when fetch retry is enabled so it makes sense that it's INFO.
It's not a hypothetical. I just realised though that fetching grants is not the only place that can experience this. There are also introspection endpoint, user endpoint, token requests for OAuth over PLAIN they can all experience these glitches, and the solution should be across the board with single config option covering it all. Thus, there should also be |
Co-authored-by: Tom Bentley <tombentley@users.noreply.github.com> Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Looks like the last CI fail is an intermittent failure. More generally about this PR not addressing the whole problem of intermittent failure in communication with authorization server, I suggest we merge it, and make separate PRs for the other parts that need to be covered. The authorizer is configured differently from listeners anyway, so it has to use But maybe we should rename the config option to |
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Introduced
strimzi.authorization.http.retries
broker option that signifies how many retries to attempt immediately in the same thread if the grants HTTP request fails. Status errors 401 and 403 don't trigger a re-attempt, all other failures do.This feature is useful in the environment where network is glitchy or a reverse proxy in front of the Keycloak server produces intermittent failures. Such an environment may be a given and the application developers may have no other option but to work within such constraints.
Signed-off-by: Marko Strukelj marko.strukelj@gmail.com