ext_authz: Avoid calling check multiple times #13288
Conversation
This patch makes sure the filter sends check request once when buffer is full, while there might be more data to be decoded. Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
|
@dio @brectanus-sigsci reported new evidence on the related issue. Can you take a look? I can review after that is settled /wait |
|
/retest |
|
Retrying Azure Pipelines, to retry CircleCI checks, use |
@junr03 @dio Seems good to review now. Just pinging on this. Thanks! |
There was a problem hiding this comment.
lgtm. although, I am less familiar than I would like with the filter requirements. Just to confirm @brectanus-sigsci this patch fixes your issue and is the expected behavior?
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
| if (buffer_data_ && !skip_check_) { | ||
| // When the filter is asked to buffer the data but the buffer is full, it skips buffering more | ||
| // data for the next iteration. | ||
| buffer_data_ = !isBufferFull(); | ||
| } |
There was a problem hiding this comment.
Can you just do buffer_data_ = false; here? When we continue after a pause aren't we done and never want to buffer again?
There was a problem hiding this comment.
Yes, you're right. Thank you for this. Updated.
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
| // After sending the out the check request, we don't need to buffer the data anymore. | ||
| buffer_data_ = false; |
There was a problem hiding this comment.
Sorry what I mean is just remove the if statement and universally set it to false. I think that should be fine?
/wait
There was a problem hiding this comment.
Yeah, sorry, my fault. Pushed an update.
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
|
@dio Can you create another docker image with the latest changes so I can retest? |
|
@brectanus-sigsci sorry for the delay, but here it is: |
|
@dio Retest. Still looks good. Thanks so much for getting this fixed! |
| // After sending the out the check request, we don't need to buffer the data anymore. | ||
| buffer_data_ = false; | ||
| } | ||
| // After sending the out the check request, we don't need to buffer the data anymore. |
There was a problem hiding this comment.
| // After sending the out the check request, we don't need to buffer the data anymore. | |
| // After sending the check request, we don't need to buffer the data anymore. |
/wait
|
Sorry merge main one more time? /wait |
|
Merge main once #13598 merges. Thanks! /wait |
|
/retest |
|
Retrying Azure Pipelines, to retry CircleCI checks, use |
* master: (22 commits) delay health checks until transport socket secrets are ready. (envoyproxy#13516) test, oauth2: Make sure config test runs field validation (envoyproxy#13496) [http] swap codec implementations to default new (envoyproxy#13579) wasm: update proxy-wasm-cpp-host (envoyproxy#13606) postgres: do not copy and linearize received data when it is not going to be used (envoyproxy#13393) configs: Update configs v2 -> v3 (envoyproxy#13562) http2: Remove RELEASE_ASSERTs in sendPendingFrames() error handling (envoyproxy#13546) dependencies: track untracked implied dependencies, wrapup dashboard. (envoyproxy#13571) listener: add match all filter chain (envoyproxy#13449) fix mistakes in docstrings (envoyproxy#13603) ratelimit: add route entry metadata to ratelimit actions (envoyproxy#13269) cluster manager: avoid immediate activation for dynamic inserted cluster when initialize (envoyproxy#12783) ext_authz: Avoid calling check multiple times (envoyproxy#13288) docs: Unexclude remaining configs from validation (envoyproxy#13534) build: update rules_rust to allow Rustc in RBE (envoyproxy#13595) docs: Update sphinxext.rediraffe (envoyproxy#13589) Deprecate moonjit support on Windows before beta (envoyproxy#13541) dependencies: bump LuaJIT to 2.1 branch HEAD @ e9af1ab. (envoyproxy#13474) docs: add TLS stats to cluster stats doc (envoyproxy#13561) ci: stop building alpine-debug images in favor of ubuntu-based debug image (envoyproxy#13598) ... Signed-off-by: Michael Puncel <mpuncel@squareup.com>
Commit Message: This patch makes sure the filter sends exactly only one check request when the buffer is full, while there might be more data to be decoded.
Risk Level: Low
Testing: Unit test
Docs Changes: N/A
Release Notes: N/A
Fixes #13260
Signed-off-by: Dhi Aurrahman dio@tetrate.io