Add timeout parameter to http.send built-in function #2099
patrick-east added a commit to patrick-east/opa that referenced this issue Feb 14, 2020

There is a new optional `timeout` option to specify with `http.send` which will set a client timeout on the request. This will override the default 5 second timeout.

This change also corrects the request to use the builtin context. This means that if the evaluation is canceled the request will also now be canceled.

There is an environment variable for adjusting the default timeout which we should aim to remove in future OPA versions (when appropriate). For now though it is still supported, and will panic if supplied with an invalid value rather than previously ignoring it and effectively disabling the timeout (0 == unlimited).

Fixes: open-policy-agent#2099
Signed-off-by: Patrick East <east.patrick@gmail.com>
patrick-east added a commit that referenced this issue Feb 18, 2020

There is a new optional `timeout` option to specify with `http.send` which will set a client timeout on the request. This will override the default 5 second timeout.

This change also corrects the request to use the builtin context. This means that if the evaluation is canceled the request will also now be canceled.

There is an environment variable for adjusting the default timeout which we should aim to remove in future OPA versions (when appropriate). For now though it is still supported, and will panic if supplied with an invalid value rather than previously ignoring it and effectively disabling the timeout (0 == unlimited).

Fixes: #2099
Signed-off-by: Patrick East <east.patrick@gmail.com>
jenkins-stash-sync bot pushed a commit to Cray-HPE/cray-charts that referenced this issue Feb 27, 2021

…name

I was seeing lots of 503 UAEX failures on a system where the time for the request was ~5s. We'd seen this before but I'd increased the timeout in the envoyfilter to 10s. That change happened before I had to refactor JWT cert handling to move it from istio into OPA. Google turned up that the http.send function has a default 5s timeout[0]. I tried increasing the timeout on the system where the failures were happening and after this the 503 errors went away.

[0] open-policy-agent/opa#2099

This change adds a variable to set the http timeout and defaults it to 10s. I also increased the default envoyfilter timeout to 25s since there are potentially 2 calls to http.send in the OPA rules.

In addition I removed the /apis/rm paths from the auth checks because this service was actually removed (CASMSEC-307).

Also, added the . to the DNS names in the JWKS query URLs. This prevents the resolver from going through the DNS search path so there's fewer DNS queries.

CASMPET-3838 : SCALE: CSM 0.8.11: cray-opa pods being OOM killed at 2GiB
(cherry picked from commit 8d71d3da16e3e6c45932a549cd91418031fef0c7)
jenkins-stash-sync bot pushed a commit to Cray-HPE/cray-opa that referenced this issue Apr 6, 2021

…name

I was seeing lots of 503 UAEX failures on a system where the time for the request was ~5s. We'd seen this before but I'd increased the timeout in the envoyfilter to 10s. That change happened before I had to refactor JWT cert handling to move it from istio into OPA. Google turned up that the http.send function has a default 5s timeout[0]. I tried increasing the timeout on the system where the failures were happening and after this the 503 errors went away.

[0] open-policy-agent/opa#2099

This change adds a variable to set the http timeout and defaults it to 10s. I also increased the default envoyfilter timeout to 25s since there are potentially 2 calls to http.send in the OPA rules.

In addition I removed the /apis/rm paths from the auth checks because this service was actually removed (CASMSEC-307).

Also, added the . to the DNS names in the JWKS query URLs. This prevents the resolver from going through the DNS search path so there's fewer DNS queries.

CASMPET-3838 : SCALE: CSM 0.8.11: cray-opa pods being OOM killed at 2GiB
(cherry picked from commit 8d71d3da16e3e6c45932a549cd91418031fef0c7)
Currently the http.send built-in function recognizes an undocumented environment variable for controlling timeouts. This works fine in debug situations; however, users would be better off if they could control the timeout programmatically inside the policy. Note: if the http.send timeout is higher than the evaluation/request timeout, the latter should override.
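
Added example, not code from the OPA repository: a Go sketch of the behaviour the issue and the fixing commit describe, where a per-request timeout overrides a 5s default, an invalid operator value is rejected instead of silently becoming 0 (unlimited), and the evaluation context cuts the request short when it expires first. The names resolveTimeout, slowTransport and send are hypothetical, and the slow endpoint is simulated in-process.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"
)

const builtinDefault = 5 * time.Second // default stated in the commit message

// resolveTimeout: the policy value wins, then the operator override, then the
// default. Bad values are rejected: http.Client treats Timeout == 0 as unlimited.
func resolveTimeout(policyValue, operatorValue string) (time.Duration, error) {
	for _, raw := range []string{policyValue, operatorValue} {
		if raw != "" {
			d, err := time.ParseDuration(raw)
			if err != nil || d <= 0 {
				return 0, fmt.Errorf("invalid timeout %q", raw)
			}
			return d, nil
		}
	}
	return builtinDefault, nil
}

// slowTransport is a constructed stand-in for an endpoint with fixed latency.
type slowTransport struct{ latency time.Duration }

func (s slowTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	select {
	case <-time.After(s.latency):
		return &http.Response{StatusCode: 200, Body: http.NoBody, Request: r}, nil
	case <-r.Context().Done(): // evaluation cancelled or client timeout hit
		return nil, r.Context().Err()
	}
}

// send is bounded by the caller's context and the client timeout; the earlier wins.
func send(ctx context.Context, rt http.RoundTripper, timeout time.Duration) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://example.invalid/", nil)
	if err != nil {
		return err
	}
	resp, err := (&http.Client{Timeout: timeout, Transport: rt}).Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}
func main() {
	fmt.Println(send(context.Background(), slowTransport{2 * time.Second}, 50*time.Millisecond))
}
```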