THREESCALE-8000 + THREESCALE-8007 + THREESCALE-8252 (clear context policy) #1328
Conversation
samugi
force-pushed
the
THREESCALE-8000
branch
from
55289b0
to
9e61256
Compare
|
umm, maybe I do not understand the full context here, but I do not think that context should be clear at all. Maybe what we should do it drop support of SSL_context on ssl_certificate phase and keep as was before the change. |
The idea is based on the problem being that our code does not expect the context to be shared across different requests but rather for it to be scoped by request (this is true at least for the path routing algorithm and the routing policy). The option we are exploring here would address this by resetting the context at the beginning of each request (which is what this policy does), that should be equivalent to what happens when the ssl_certificate phase is not executed at all (i.e. there will be nothing in the Another option (which I believe is what you are suggesting?) would be to avoid interacting with the context in all the ssl_certificate phases across all policies but that seemed more of a breaking change due to this and this for example. |
samugi
changed the title
samugi
force-pushed
the
THREESCALE-8000
branch
from
b7c134f
to
fa873b1
Compare
|
After some more testing I found another problem with the same root cause: THREESCALE-8252. @eloycoto I just committed a slightly modified version of the policy that I believe to be a safer option: it resets the current context at the end of every request (in the log phase of the last policy in the chain) rather than at the beginning. This way the reset of the context will happen when no other policy will need to access to it, and so it will be reinitialized correctly in the This commit also takes care of THREESCALE-8252 because the original_request will be populated as normal here. I added integration tests to confirm all 3 issues are covered. |
|
umm, I do not think that will work @samugi , mainly because requests can be concurrent, and that can be a problem. SSL context should be disabled. |
@eloycoto does that mean concurrent requests could share the same context? I thought that wouldn't be possible especially since we are relying on In what scenario would properties of Also I thought we were relying on the SSL context for a few things now, am I wrong? I thought this to be the case for the TLS policy for example, which requires the service to have already been determined during the ssl_certificate phase. I'll double check though, maybe we are storing the service in the context for other reasons there, I haven't looked into that yet. Thanks for your feedback |
|
SSL certificate only happens once, on ssl_handshake, and from there many more requests to come. So, no set context on ssl_certificate and initialize on I mean, if you change this line should be ok: |
|
@eloycoto I already suggested the same and @samugi gave some reasoning why that wouldn't be a good idea. I forget exactly what that was now but I suspect it is something related to the fact that removing the context in the @samugi could you remind why else you thought that was a bad idea because I cannot remember now. I think I remember you preferred to keep the behaviour introduced in OpenResty and only improve how we manage the management of the context object right? I'd say in general that's the best approach and keep compatibility with as much OpenResty features as possible but I also think this was a breaking change in OpenResty that they didn't handle very well and as a result we have to cope with this somehow. One advantage to Samuele's proposal I'd say is that this behaviour could be configurable and so in future if we need to "enable" that OpenResty "feature" again then skipping or disabling the policy would be easy don't you think @eloycoto ? |
|
I discussed this with @kevprice83 this morning, here is a recap of our discussion: We believe we have
What would you think of the proposals above @eloycoto ? EDIT: After another quick sync with Kevin we deleted option 1 (current implementation) after we realized this to actually be problematic for concurrent requests (possibly what Eloy meant in his comment up here). I will wait for further comments before applying either option 2 or 3 (or anything else we will agree on). Also one more thing just to clarify a point from the previous comments: when you said "SSL context should be disabled." and "So, no set context on ssl_certificate and initialize on rewrite phase where the service will be in there.", did you in fact mean to suggest the context should be cleared during the |
|
Would be good to get some feedback from @sergioifg94 & @eguzki on that last comment maybe? |
There was a problem hiding this comment.
I think it would be useful to run the test requests concurrently to see the outcome. I'd expect one of them to fail in which case that would make it clearer that we then must clear the context at the end of the ssl_certificate_phase in the last policy in the policy chain. Other than that I think doing this as a separate policy is a good approach. Maybe using the concurrent library here?
t/apicast-policy-routing.t
Outdated
| httpc:close() | ||
| } | ||
| --- no_error_log | ||
| [error] |
There was a problem hiding this comment.
newline required at end of integration test files I think
t/apicast-policy-routing.t
Outdated
|
|
||
|
|
||
| === TEST 36: Multiple requests that reuse the same TCP connection. | ||
| Routing must work as expected to the right backend |
There was a problem hiding this comment.
"Routing policy must choose correct backend based on current configuration & request parameters"
t/apicast-policy-routing.t
Outdated
| version = 1.1 | ||
| }) | ||
| assert(res2, "Request failed"..(err2 or "")) | ||
| --check for incorrect routing THREESCALE-8007: |
There was a problem hiding this comment.
"Check if incorrect routing as reported in THREESCALE-8007 is happening:" might be a more explicit comment :)
…es care of concurrent requests scenarios. Adapted some tests to match hosts correctly since now those policy chains (that only include policies that don't implement ssl_certificate) no longer use the context.service defined in find_service.lua/ssl_certificate (that was obtained using the server_name of the SNI during the handshake), so they need to specify correct Host headers like in a real request scenario.
for this one I used request_pipeline. I then verified that in fact the tests fail when clearing the context in the log phase (which wouldn't handle concurrent requests) and pass when the context is cleared at the end of the |
|
yeah, make sense that ssl_certificate, because all connections do the ssl_handshake before it. I have another thing in mind here, use with tls_termination policy too, because clear the context is ssl_certificate happens before ssl_handshake on tls_termination. Please raise this issue to the QE team, @DavidRajnoha is no longer working on this, but I'm sure that @mganisin can make a test plan for this. But overall, it's testing that two services in the same APICAST landed in the right place. |
kevprice83
changed the title
This PR adds compatibility with this OpenResty change.
It takes care of clearing the local context at the beginning of every separate request.
We use the context to determine routing to Products (when APICAST_PATH_ROUTING is enabled) or to Backends (when using APIaaP). Both those routing scenarios can be affected by the bug when connections are reused (see also KCS1 and KCS2)