Dynamically reload strategies does not work with cluster - Githubissues

kuzzleio / kuzzle

Open-source Back-end, self-hostable & ready to use - Real-time, storage, advanced search - Web, Apps, Mobile, IoT -

https://kuzzle.io

Apache License 2.0

1.43k stars 123 forks source link

Dynamically reload strategies does not work with cluster #1128

Closed Tyki closed 6 years ago

Tyki commented 6 years ago

I want to reload dynamically some authentification strategies, based on a custom endpoint using a customController.

I'm resuming what I'm doing :

Call endpoint to reload strategy based on a name
pluginContext.accessors.strategies.delete(name)
pluginContext.accessors.strategies.add(name, configuration)

Expected Behavior

All nodes from the cluster are aware of this modification

Current Behavior

Only one node is aware of the modification, resulting in instable behavior on this modified strategy

Possible Solution

No idea.

Steps to Reproduce

Setup cluster of 2 kuzzle nodes (What I have actually)
Do a delete/add of a strategy
Constat that one node is aware of the modificatio and not the other

Context (Environment)

Kuzzle 1.2.10

Tyki commented 6 years ago

Some news on this ticket?

Aschen commented 6 years ago

We need to implement the same solution as for the user/role propagation across the cluster. (ie. using Redis to store a shared state)

Tyki commented 6 years ago

Any ETA available? I need to communicate to my client the delay it will takes approximately

scottinet commented 6 years ago

Hi @Tyki, I'm looking at the issue.

First, a few questions:

if you delete the strategy without adding it back, can you confirm that it is deleted across all nodes of the cluster?
if the answer to the first question is "yes", can you check if waiting for the promise returned by context.strategies.remove before adding the strategy back solve the problem?

scottinet commented 6 years ago

@Aschen > auth strategies addition/deletion are already propagated across the cluster, at the moment there is nothing to implement

Tyki commented 6 years ago

No it's not, @ballinette suggested me to try that and somehow after the pluginContext.strategies.remove(name') on one node, the second node still allow to use the strategy

scottinet commented 6 years ago

I'm sorry, but I'm unable to reproduce the problem. I modified our plugin auth-local locally, adding 2 HTTP routes to add/remove the strategy dynamically, and then used it on 1 cluster node to deactivate/reactive the authentication strategy. Trying to log in on another cluster node behave accordingly, either login me in, or telling me the strategy does not exist, depending on what action I did last on the 1st cluster node.

Can you give us the version of Kuzzle and of the Cluster plugin you're using? And can you provide us with a code example reproducing the problem?

Aschen commented 6 years ago

Will be fixed by https://github.com/kuzzleio/kuzzle/pull/1145

scottinet commented 6 years ago

@Tyki > my apologies, I forgot to write the follow-up. So... as you know, the problem was a bit hard to track because it occured only on a cluster environment. And unfortunately, its cause is a design flaw with auth. strategies hot reload. Namely, these strategies weren't correctly propagated accross Kuzzle nodes because the Passport constructor was embedded inside the authenticator description. Thus #1145, changing how authentication strategies are to be declared.

scottinet commented 6 years ago

@Tyki > Kuzzle 1.4.0 is out and it solves this issue (and you'll also need Kuzzle Cluster v3.2.2) You'll have to declare authenticators during your plugin's initialization, and only the declared authenticators can be used to add new strategies during runtime.

For more information, see https://docs.kuzzle.io/plugins-reference/plugins-features/adding-authentication-strategy/