aembke / fred.rs

An async Redis client for Rust.
Apache License 2.0

Add credential provider support #285

Closed nakedible-p closed 2 months ago

nakedible-p commented 2 months ago

This is a draft of the changes to add credential provider support. Not meant to be merged before further work.

Usage would be something like:

    use std::sync::Arc;

    // Async callback the client invokes to obtain (username, password) for a connection.
    config.credential_provider = Some(Arc::new(|| async {
        // Stand-in for an asynchronous lookup; the sleep only simulates latency.
        tokio::time::sleep(std::time::Duration::from_secs(1)).await;
        Ok((Some("username".to_string()), Some("password".to_string())))
    }));

Fixes #284

nakedible-p commented 2 months ago

@aembke This is currently basically just a sample, or proof of concept, of what the implementation could be. There are no tests, no sentinel support, etc. But I want to put this out early to you to see if there's a chance that something like this could be merged and to get early feedback on the design.

aembke commented 2 months ago

Hi @nakedible-p, thanks for putting that together. This looks good so I'm happy to merge it behind a new FF sometime this week. I'll cherry-pick this into a working branch and try out a few tests. I might make a few cosmetic changes, such as using a trait object similar to Arc<dyn Resolve> and Arc<dyn ReplicaFilter>, but overall this looks good.

nakedible-p commented 2 months ago

Okay, happy to hand it over as is. You know best what fits in your codebase so it's more efficient that way. All code submitted under CC0, so feel free to do with it as you please. Or if you want me to refine it further, just let me know what you need, happy to do that as well. And disclaimer: 100% untested at this point. I think probably the Debug trait thing is a bit wrong right now.

aembke commented 2 months ago

One question just came to mind - in some cases with clusters it's common for many connections to be created at once. Do you have any preference on whether the client should call the creds callback once for each connection, or just once per cluster sync, or maybe even just once per some interval (combined with some kind of caching perhaps)?

nakedible-p commented 2 months ago

Once for each connection. It's easy enough to build the caching / whatever logic on the credential provider side if necessary.

In practice, with AWS, a token is just an in-memory calculation based on the current AWS credentials, so it's cheap to do even if it happens a lot.
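As an added example (not code from this PR or from fred.rs), the following shows what "build the caching on the credential provider side" can look like under the once-per-connection design discussed above: the client calls the callback for every connection, and a wrapper around the real provider collapses a burst of calls into one upstream fetch per TTL. The `Credentials`, `CredentialFuture` and `CredentialProvider` type aliases, `CachingProvider`, `counting_provider`, `block_on` and `open_connections` are assumptions of this example; the draft's own callback is the unboxed async closure shown in the first comment, and this example boxes the future so it can be named as a trait object.

```rust
use std::future::Future;
use std::pin::Pin;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Mutex};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};
use std::time::{Duration, Instant};

/// Credential pair in the shape the draft returns: optional username, optional password.
pub type Credentials = (Option<String>, Option<String>);
/// Boxed future a provider call returns (assumed shape; the draft uses an unboxed async closure).
pub type CredentialFuture = Pin<Box<dyn Future<Output = Result<Credentials, String>> + Send>>;
/// The provider callback itself, modelled on the draft's `Arc<...>` closure (assumed type).
pub type CredentialProvider = Arc<dyn Fn() -> CredentialFuture + Send + Sync>;

/// Provider-side cache: the client may call the callback once per connection, and this
/// wrapper turns those many calls into at most one upstream fetch per `ttl`.
pub struct CachingProvider {
    inner: CredentialProvider,
    ttl: Duration,
    cache: Mutex<Option<(Instant, Credentials)>>,
}

impl CachingProvider {
    pub fn new(inner: CredentialProvider, ttl: Duration) -> Arc<Self> {
        Arc::new(Self { inner, ttl, cache: Mutex::new(None) })
    }

    /// Adapt the wrapper into the plain callback type a client config would accept.
    pub fn into_provider(self: Arc<Self>) -> CredentialProvider {
        Arc::new(move || -> CredentialFuture {
            let this = Arc::clone(&self);
            Box::pin(async move { this.get().await })
        })
    }

    /// Return cached credentials while fresh, otherwise fetch upstream and refresh the cache.
    pub async fn get(&self) -> Result<Credentials, String> {
        // Copy the entry out so the mutex guard is never held across an await.
        let cached = self.cache.lock().unwrap().clone();
        if let Some((fetched_at, creds)) = cached {
            if fetched_at.elapsed() < self.ttl {
                return Ok(creds);
            }
        }
        let creds = (self.inner)().await?;
        *self.cache.lock().unwrap() = Some((Instant::now(), creds.clone()));
        Ok(creds)
    }
}

/// Constructed upstream provider: counts how often it is called and returns fixed credentials.
pub fn counting_provider(calls: Arc<AtomicUsize>) -> CredentialProvider {
    Arc::new(move || -> CredentialFuture {
        let calls = Arc::clone(&calls);
        Box::pin(async move {
            calls.fetch_add(1, Ordering::SeqCst);
            Ok((Some("username".to_string()), Some("password".to_string())))
        })
    })
}

/// Minimal executor so the example runs on std alone (no tokio): poll with a no-op waker.
pub fn block_on<F: Future>(fut: F) -> F::Output {
    fn raw_waker() -> RawWaker {
        fn clone(_: *const ()) -> RawWaker { raw_waker() }
        fn noop(_: *const ()) {}
        static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
        RawWaker::new(std::ptr::null(), &VTABLE)
    }
    let waker = unsafe { Waker::from_raw(raw_waker()) };
    let mut cx = Context::from_waker(&waker);
    let mut fut = Box::pin(fut);
    loop {
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) {
            return out;
        }
        std::thread::yield_now();
    }
}

/// Simulate `connections` connections opened at once (as in a cluster sync), each invoking
/// the provider. Returns the number of upstream fetches and the credentials the last one got.
pub fn open_connections(connections: usize, ttl: Duration) -> (usize, Credentials) {
    let calls = Arc::new(AtomicUsize::new(0));
    let provider = CachingProvider::new(counting_provider(Arc::clone(&calls)), ttl).into_provider();
    let mut last = (None, None);
    for _ in 0..connections {
        last = block_on(provider()).expect("credential fetch failed");
    }
    (calls.load(Ordering::SeqCst), last)
}

fn main() {
    let (fetches, creds) = open_connections(5, Duration::from_secs(60));
    println!("5 connections, {fetches} upstream fetch(es), credentials = {creds:?}");
}
```

With a 60-second TTL, five connections opened back to back produce a single upstream fetch; with a zero TTL every connection fetches again, which is the behaviour the draft gives when no caching is layered on. The TTL should stay below the lifetime of whatever token the upstream provider hands out, otherwise the cache will keep returning credentials the server has already stopped accepting.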

aembke commented 2 months ago

Thanks @nakedible-p, this will be cherry-picked and added in https://github.com/aembke/fred.rs/pull/288