-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce the amount of allocations in policy use by trying a cached resolver first #11028
Conversation
Wrinkle is we can no longer give the nice 'reason' for which rule granted us. I noticed upstream doesn't have it - various ways to solve it including returning two lists or adding a source field to PolicyRule or switching to Bindings earlier. |
if kapi.Semantic.Equalities.DeepEqual(oldAllowAllPolicyRule, *obj) && obj.APIGroups == nil { | ||
// match the old allow all rule, but only if API groups is nil (not specified in the incoming JSON) | ||
oldAllowAllRule := obj.APIGroups == nil && | ||
// avoid calling the very expensive DeepEqual by inlining specific checks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clever
len(obj.Resources) == 1 && obj.Resources[0] == internal.ResourceAll && | ||
len(obj.AttributeRestrictions.Raw) == 0 && len(obj.ResourceNames) == 0 && | ||
len(obj.NonResourceURLsSlice) == 0 && | ||
// semantic equalities will ignore nil vs empty for other fields as a safety |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a scary comment here about not removing this check.
structure looks reasonable. |
6bd0732
to
9d23492
Compare
[test] |
0680d71
to
da79a0b
Compare
@knobuc @ramr router flake ^
|
2e65fc9
to
befa107
Compare
@derekwaynecarr from https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9552/
[test] |
Ok, now this is ready for review. On Sep 30, 2016, at 7:29 PM, OpenShift Bot notifications@github.com wrote: continuous-integration/openshift-jenkins/test SUCCESS ( — |
@@ -248,13 +252,23 @@ func (m *VirtualStorage) updateRoleBinding(ctx kapi.Context, name string, objInf | |||
return updatedRoleBinding, false, nil | |||
} | |||
|
|||
// modifyingRoleForEscalation tries to use the CachedRuleResolver if available to avoid expensive checks | |||
func (m *VirtualStorage) modifyingRoleForEscalation(binding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand the method, but not the name. Looks like I made the name initially, but it sucks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Preference?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
roleForEscalationCheck
?
if err := addValerie.AddRole(); !kapierror.IsNotFound(err) { | ||
// try to add Valerie to a non-existent role, looping until it is true due to | ||
// the policy cache taking time to react | ||
if err := wait.Poll(time.Second, 2*time.Minute, func() (bool, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is now necessary, it suggests we've gotten slower because the cache on the covers check falls through to live on a miss.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, this is waiting for the cache to reflect the role deletion above (before it would have failed the live check immediately). 2 minutes seems egregious, though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've seen integration tests pause for 30-60 seconds.
AWS broke [test] On Mon, Oct 3, 2016 at 2:02 PM, OpenShift Bot notifications@github.com
|
Finish your review! Or I'll turn on ReallyCrash On Oct 5, 2016, at 9:17 PM, OpenShift Bot notifications@github.com wrote: Origin Action Required: Pull request cannot be automatically merged, please — |
Do you have two of these? I swear I said this looked good. |
Hrm, never saw it. Bizarre. On Oct 7, 2016, at 9:50 AM, David Eads notifications@github.com wrote: Do you have two of these? I swear I said this looked good. — |
Mostly consistent with upstream - did not remove the reason field
9413e61
to
9ea0477
Compare
Significantly reduces the impact of allocations during policy alteration
Only in certain cases do we need to default the rule.
Evaluated for origin test up to 9ea0477 |
Updated and rebased on top of the change to all the same method signatures... |
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9782/) |
[merge] On Sat, Oct 8, 2016 at 10:55 PM, OpenShift Bot notifications@github.com
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9782/) (Image: devenv-rhel7_5156) |
Evaluated for origin merge up to 9ea0477 |
Simplified RuleResolver to be closer to upstream. Used a cached RuleResolver
in the NoEscalation checks and when fetching the binding on update. Remove a use of deepequal on a common path.
Not passing all tests yet, but @deads2k please take a look at the general structure.
This drops policy pretty far down the list in test-cmd - resolving #11003 for good
hopefully.