openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Thömmes <markusthoem...@apache.org>
Subject Re: Extend the SPI entitlement interface
Date Mon, 04 Nov 2019 07:40:17 GMT
Hi Steffen,

the interface is already Future[Boolean], why is it not sufficient to fail
the future if the network calls fail for any reason in this case? After
all, that's what the Future's failure mode is all about. Or asked
differently: What states does a failed Future represent today?

Cheers,
Markus

Am So., 3. Nov. 2019 um 17:27 Uhr schrieb Steffen Rost <srost@de.ibm.com>:

> The current implementation of the entitlement SPI allows providers to
> return only true (entitled/valid) or false (not entitled/invalid) as
> result of an entitlement request. While this is sufficient if the
> entitlement request is performed offline it doesn't allow to signal that
> the entitlement request couldn't be performed at all when calling an
> external entitlement service failed because of a network error or
> unavailability of the service itself. In order to address these cases we
> propose to change the entitlement SPI interface from Future[Boolean] to
> Future[Option[Boolean]] (for implementation details please follow the link
> under [1])
>
> In our IBM Functions service we use IAM (Identity and Access Management).
> For IAM enabled namespaces an IAM/Bearer token is passed on each request
> which is checked for access allowance on the requested namespace resources
> using an external policy system. If the request succeeds an user identity
> is created which is passed to user/system containers and can be used to
> create triggers or to reach out to other services.
>
> A problem arises if the entitlement request to the external policy system
> cannot be performed. As mentioned before this could happen due to a
> temporary network outage, the unavailability of the external service or
> the service decides to throttle the request due to availability issues. In
> any of these cases the SPI provider can currently only return invalid
> which is interpreted as 403/Forbidden even though the request would be
> perfectly valid if it could only have been done. In our system this
> problem caused recently many customer complains as triggers were disabled
> because of those false positives.
>
> With the proposed change our IAM entitlement SPI implementation could
> return none in such cases to signal that the entitlement couldn't be done
> allowing the caller to act more appropriate, for example do not disable
> the trigger.
>
> I will open a pull request for the proposed interface change. Feel free to
> comment now to this mail or to the pull request.
>
>
> [1]
>
> https://github.com/apache/openwhisk/blob/7062549035eb45f376653ce2433fcbe70e6fd806/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/Entitlement.scala#L180-L189
>
>
> Mit freundlichen Gruessen / Kind regards
> Steffen Rost
>
> ------------------------------------------------------------------------------------------------------------------------------------------
> IBM Cloud Functions Development
> Phone +49-7031-16-4841 (Fax: -3545)
> E-Mail: srost@de.ibm.com
>
> ------------------------------------------------------------------------------------------------------------------------------------------
> IBM Deutschland Research & Development GmbH
> Vorsitzender des Aufsichtsrats: Matthias Hartmann -- Geschäftsführung:
> Dirk Wittkopp
> Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart,
> HRB 243294
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message