openconfig / gnsi

authz: Clarity needed for few operations DURING Rotate() in progress #102

Closed ssachinbharadwaj closed 1 year ago

ssachinbharadwaj commented 1 year ago

In the authz spec, it is mentioned that the pushed policy becomes active immediately as below:

Because the policy uploaded during the gNSI.authz.Rotate() call becomes active immediately, the gNSI.authz.Probe() can be used to check if the uploaded policy provides the expected response without attempting performing the (potentially destructive) RPC in question while the gNSI.authz.Rotate() is still active (the stream is opened and the Finalize message has not been sent yet.

This is fine for Probe() RPC because it has to be tested before finalize.

When the Rotate() is in progress (after upload and before finalize), what is the expectation for the two use cases below?

  1. A real RPC such as /gnmi.gNMI/Get or /gnmi.gNMI/Subscribe. Should this be authorized based on the newly pushed sandbox policy (which has not yet received finalize, maybe because the test phase is taking time) or the current active policy? Is the "Step 3 (optional): Test/Validation by the client." performed only using the Probe() RPC, or does the controller also fire the actual RPC to perform the test?
  2. What should the Get() RPC return in this intermediate state? Unlike pathz, the GetRequest does not take the PolicyInstance parameter.

haussli commented 1 year ago

IMO, the new policy becomes active, period. Probe() is simply a way to test the policy without executing the RPC in the Probe; i.e., /gnmi.gNMI/Subscribe would be tested against policy but not executed.

morrowc commented 1 year ago

It sounds like the intention was: "Rotate applies a new policy immediately, the rotator should test with probe() messages to see that their intended result is live, and finalize() when that's done"

Because 'live immediately', I expect that new RPCs between the start of Rotate() and Finalize() would be evaluated under the newly placed policy. If the policy fails Probe() tests (for instance) or there are signals to the rotator that: "Hey, half my RPCs are failing? wut?" the rotator may choose to not Finalize() and disconnect, forcing the previous policy to take up the active role.

Make sense?

ssachinbharadwaj commented 1 year ago

Got it @morrowc. This answers my questions.

In summary: In the intermittent state, all of them (Probe(), real RPC and Get()) behave as per the new policy even though Finalize is not yet issued. This is in line with the spec, which mentions "active immediately".
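
The behaviour the thread converges on, as an added Go model that is not code from the gNSI project or its spec: an uploaded policy is live for Probe(), real RPCs and Get() before Finalize, and closing the stream without Finalize restores the previous policy. `Device`, `Policy`, `Upload`, `StreamClosed` and `Scenario` are hypothetical names, and the policy is reduced to a set of allowed "user rpc" pairs rather than the real policy format.

```go
package main

import "fmt"

// Policy is a simplified stand-in for an authz policy (assumption): the set of
// allowed "user rpc" pairs. The real gNSI policy format is not modelled here.
type Policy map[string]bool

// Device models only the rotation behaviour discussed in the thread.
type Device struct {
	active   Policy // every decision is evaluated against this policy
	previous Policy // kept for rollback while a Rotate stream is open
	rotating bool
}

// Upload is the upload step of Rotate(): the new policy is live immediately.
func (d *Device) Upload(p Policy) { d.previous, d.active, d.rotating = d.active, p, true }

// Finalize commits the uploaded policy; rollback is no longer possible.
func (d *Device) Finalize() { d.previous, d.rotating = nil, false }

// StreamClosed models the Rotate stream ending. Without a prior Finalize the
// previous policy takes up the active role again.
func (d *Device) StreamClosed() {
	if d.rotating {
		d.active, d.previous, d.rotating = d.previous, nil, false
	}
}

// Probe returns the decision without executing anything. RealRPC returns the
// same decision and would then run the RPC. Both consult the active policy.
func (d *Device) Probe(user, rpc string) bool   { return d.active[user+" "+rpc] }
func (d *Device) RealRPC(user, rpc string) bool { return d.active[user+" "+rpc] }

// Get returns the policy currently in force, including mid-rotation.
func (d *Device) Get() Policy { return d.active }

// Scenario uploads a policy that drops bob's Subscribe, then disconnects.
func Scenario() (during, afterRollback bool) {
	d := &Device{active: Policy{"bob /gnmi.gNMI/Subscribe": true, "bob /gnmi.gNMI/Get": true}}
	d.Upload(Policy{"bob /gnmi.gNMI/Get": true})
	during = d.RealRPC("bob", "/gnmi.gNMI/Subscribe") // evaluated under the new policy
	d.StreamClosed()                                  // no Finalize: previous policy restored
	return during, d.RealRPC("bob", "/gnmi.gNMI/Subscribe")
}

func main() {
	during, after := Scenario()
	fmt.Println("allowed during rotate:", during, "allowed after rollback:", after)
}
```

The practical consequence for a rotator is that a policy uploaded for testing already governs production RPCs, so the window between upload and Finalize should be kept short.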