-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keep credentials cached across build commands. #16822
Conversation
cb02a7c
to
c836978
Compare
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it.
c836978
to
4e469f7
Compare
cc @Yannic |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly drive-by comment, will take a closer look tomorrow.
I think if we cache credentials accross invocations, we need to make the helper part of the cache key
Could you elaborate on the scenario you're concerned about? It's not immediately obvious to me that changing the helper necessarily invalidates credentials that were obtained before. |
@Override | ||
public void beforeCommand(CommandEnvironment env) { | ||
// Update the cache expiration policy according to the command options. | ||
AuthAndTLSOptions authAndTlsOptions = env.getOptions().getOptions(AuthAndTLSOptions.class); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably clear the cache when the command is clean
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think that's probably expected behavior for bazel clean
. It also gives us a reliable way to bust the cache. Added a test and amended the flag description to document this behavior.
Caffeine.newBuilder().expireAfterWrite(Duration.ZERO).build(); | ||
|
||
/** Returns the credential cache. */ | ||
public Cache<URI, ImmutableMap<String, ImmutableList<String>>> getCredentialCache() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure whether this is the best way to provide the cache. For now it seems fine as we have limited scope but if we ever want to share the cache for more modules (e.g. for bzlmod), please consider adding a provider to ServerBuilder
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Acknowledged; I'd prefer to wait until repository fetching is wired up to see how the whole thing looks.
I think in any case we'd still want this module to host the beforeCommand
logic (otherwise we'd have to arbitrarily choose one of the many modules that will eventually use credentials, making the scope unclear).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, there's https://cs.opensource.google/bazel/bazel/+/master:src/main/java/com/google/devtools/build/lib/runtime/ServerBuilder.java;l=202;bpv=1;bpt=1 which we may be able to re-use for the credential helper.
3eb5b06
to
4e3caeb
Compare
Let's say someone does a build with |
I think it can be argued both ways: if I'm replacing But assuming we do want to make it part of the key: how far do we want to go? Are you proposing to only take the name of the helper into account, or also the executable it points to, the values of environment variables, etc? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will let you and Yannic decide whether to include helper inside the key. Other part LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with starting with just the URI as cache key. Shouldn't be too hard to change if a more concrete use case comes up. I also expect that we need to change the key in any case once we tackle scopes for credentials from helpers.
Thanks, I'll merge this as-is then. I agree that we're going to have to think more carefully about it (cache invalidation: one of the two famously hard problems in compsci :)) |
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it. Closes bazelbuild#16822. PiperOrigin-RevId: 491598103 Change-Id: Ib668954b635a0e9498f0a7418707d6a2dfae0265
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it. Closes bazelbuild#16822. PiperOrigin-RevId: 491598103 Change-Id: Ib668954b635a0e9498f0a7418707d6a2dfae0265
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it. Closes bazelbuild#16822. PiperOrigin-RevId: 491598103 Change-Id: Ib668954b635a0e9498f0a7418707d6a2dfae0265
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it. Closes #16822. PiperOrigin-RevId: 491598103 Change-Id: Ib668954b635a0e9498f0a7418707d6a2dfae0265 Co-authored-by: kshyanashree <109167932+kshyanashree@users.noreply.github.com>
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper. Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it. Closes #16822. PiperOrigin-RevId: 491598103 Change-Id: Ib668954b635a0e9498f0a7418707d6a2dfae0265
When using a credential helper, the lifetime of the credential cache is currently tied to an individual command, which causes the helper to be called for every command resulting in poor incremental build latency for builds using a non-trivial helper.
Since the cache must be shared by RemoteModule and BazelBuildServiceModule, I've introduced a new CredentialModule whose sole purpose is to provide access to it.