Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

generic etcd should surface ctx/obj namespace mismatches #5684

Closed
bprashanth opened this issue Mar 19, 2015 · 6 comments
Closed

generic etcd should surface ctx/obj namespace mismatches #5684

bprashanth opened this issue Mar 19, 2015 · 6 comments
Assignees
@bprashanth
Labels
area/api Indicates an issue on api area. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@bprashanth
Copy link
Contributor

Currently its hard to surface a mismatch context in an update via generic etcd. If I do something like:

obj.Namespace = "valid"
update(api.WithNamespace(ctx, "invalid"), obj)

it will fail in the get with whatever go-etcd error, because the path /invalid/objname doesn't exist; and if i do:

obj.Namespace = "valid"
update(api.WithNamespace(ctx, "valid_different"), obj)

it will fail with a resource version mismatch (so NewConflict), because the get will return the object in /valid_different/objname, but its resource version is different.

Ideally both these cases should fail with a NewBadRequest. This would happen if the validation flow reaches BeforeUpdate, but it fails due to the mentioned checks earlier in the callstack. To catch both cases we probably need to refactor the namespace checking out of BeforeCreate and BeforeUpdate into a common location and call it from generic/etcd.update.
@bprashanth bprashanth added area/api Indicates an issue on api area. team/master sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 19, 2015
@derekwaynecarr
Copy link
Member

Doesn't a KeyFunc handle this already with meta.namespacekeyfunc

Sent from my iPhone

On Mar 19, 2015, at 7:42 PM, Prashanth B notifications@github.com wrote:

Currently its hard to surface a mismatch context in an update via generic etcd. If I do something like:

obj.Namespace = "valid"
update(api.WithNamespace(ctx, "invalid"), obj)
it will fail in the get with whatever go-etcd error, because the path /invalid/objname doesn't exist; and if i do:

obj.Namespace = "valid"
update(api.WithNamespace(ctx, "valid_different"), obj)
it will fail with a resource version mismatch (so NewConflict), because the get will return the object in /valid_different/objname, but its resource version is different.

Ideally both these cases should fail with a NewBadRequest. This would happen if the validation flow reaches BeforeUpdate, but it fails due to the mentioned checks earlier in the callstack. To catch both cases we probably need to refactor the namespace checking out of BeforeCreate and BeforeUpdate into a common location and call it from generic/etcd.update.


Reply to this email directly or view it on GitHub.

@bprashanth
Copy link
Contributor Author

It doesn't take the namespace from the objectmeta, it just takes strings and the context (https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/registry/generic/etcd/etcd.go#L117).

So essentially it grabs the namespace from the ctx, the name from the object (via ObjectNameFunc) and constructs the path to the resource using the prefix specified in the constructor (eg: /registry/pods). In my second example, it would construct something like /registry/pods/valid_different/objname, and use that for the GET to retrieve the existing object.

I need it to barf saying the ctx.namespace != obj.Namespace upfront. This happens automatically later in the call graph but that code will never really execute because something else will give up.

Unless I misunderstood what you meant by meta.namespacekeyfunc, do you mean define one?

@derekwaynecarr
Copy link
Member

Sorry. Was referring to here:

https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/registry/generic/etcd/etcd.go#L119

Sent from my iPhone

On Mar 19, 2015, at 9:13 PM, Prashanth B notifications@github.com wrote:

It doesn't take the namespace from the objectmeta, it just takes strings and the context (https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/registry/generic/etcd/etcd.go#L117).

So essentially it grabs the namespace from the ctx, the name from the object (via ObjectNameFunc) and constructs the path to the resource using the prefix specified in the constructor (eg: /registry/pods). In my second example, it would construct something like /registry/pods/valid_different/objname, and use that for the GET to retrieve the existing object.

I need it to barf saying the ctx.namespace != obj.Namespace upfront. This happens automatically later in the call graph but that code will never really execute because something else will give up.

Unless I misunderstood what you meant by meta.namespacekeyfunc, do you mean define one?


Reply to this email directly or view it on GitHub.

@bprashanth
Copy link
Contributor Author

Ah, yes that's the ns on the context, i'd like to compare that against the ns on the objectmeta of the update payload.

@derekwaynecarr
Copy link
Member

Seems like we could do something in validation.go in the object meta update possibly.

Sent from my iPhone

On Mar 20, 2015, at 12:35 AM, Prashanth B notifications@github.com wrote:

Ah, yes that's the ns on the context, i'd like to compare that against the ns on the objectmeta of the update payload.


Reply to this email directly or view it on GitHub.

@bprashanth
Copy link
Contributor Author

Yeah, BeforeUpdate (https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/registry/generic/etcd/etcd.go#L288) would be the perfect spot, but it won't get there. It'll fail before in 1 of 2 ways:

  1. The object under the bad ns doesn't exist: it'll fail with whatever error go-etcd returns (https://github.com/GoogleCloudPlatform/kubernetes/blob/1291401c2ec48be26cf28a15778d5b3c2248d3ea/pkg/tools/etcd_helper.go#L163)
  2. The object under the bad ns exists, we'll get it and compare resource versions with the update payload, and complain about bad rv (https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/registry/generic/etcd/etcd.go#L284).

I would expect a BadRequest instead that complains about the ns mismatch. 2 is easily fixable, as I can just re-order those 2 checks and force BeforeUpdate to happen first, but for 1 I'll need to parse out the ns from the objectmeta before the Get. Currently etcd/generic tries to stay hermetic and only access things on api objects via pre-defined functions/a strategy, so I'm thinking something along those lines.

@mbforbes mbforbes added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Mar 20, 2015
@bprashanth bprashanth mentioned this issue Mar 21, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bprashanth bprashanth

Labels
area/api Indicates an issue on api area. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mbforbes @mikedanese @derekwaynecarr @bprashanth