[Django4.2 upgrade]: Upgrade django-oauth-lib to latest 2.x.x version

openedx / edx-platform

The Open edX LMS & Studio, powering education sites around the world!

https://openedx.org

GNU Affero General Public License v3.0

7.47k stars 3.89k forks source link

[Django4.2 upgrade]: Upgrade django-oauth-lib to latest 2.x.x version #32884

Open mumarkhan999 opened 1 year ago

mumarkhan999 commented 1 year ago

Description

A PR (link) was created in which we're unpinning django-oauth-toolket and oauthlib.
The oauthlib has been updated successfully but for django-oauth-toolkit we faced some brokers. And we could only upgrade django-oauth-toolkit to the latest 1.x.x version.
Our aim is to upgrade it to the latest 2.x.x version.

Blocker

The main blocker, we faced that in version 2.0.0, django-oauth-toolkit is saving the client-secret as a hashed value instead of plain text. https://django-oauth-toolkit.readthedocs.io/en/latest/changelog.html#id12:~:text=%231093%20(Breaking,before%20hitting%20Save
If we do any attempt to migrate DOT to 2.x.x, it will update all the existing client secrets as well.

And then we can't downgrade its version. It's only one way.

raise IrreversibleError("Operation %s in %s is not reversible" % (operation, self))
django.db.migrations.exceptions.IrreversibleError: Operation <RunPython <function forwards_func at 0x7f6956652430>> in oauth2_provider.0006_alter_application_client_secret is not reversible

robrap commented 1 year ago

Note: We may need a communication plan around this in case any teams like Enterprise, etc., rely on having access in the database, and may need time to transfer credentials to a password manager like Keeper. Also, we should certainly mention this on https://openedx.atlassian.net/wiki/spaces/COMM/pages/3726802953/Next+Release+Quince.

mumarkhan999 commented 1 year ago

Previous PRs to unpin DOT version

mumarkhan999 commented 1 year ago

While unpinning DOT from version 1.3.2 we had to face some issues. I'm mentioning my findings here so that when we proceed with the further upgrade, we are already aware of those issues.

The db tables against this package have millions of records in the Prod database. So in future upgrades, if we have any migrations to apply, there would certainly be a downtime for the site as these tables will be locked. DOT is related to user logins so the site will be unfunctional when the migrations are applied.
While working on this DOT upgrade (PR LINK), the expected downtime for the site was 3 minutes which was calculated on Prod replica. But when the changes were actually deployed, the downtime reached upto 20-23 minutes.

select count(*) from oauth2_provider_application;

count(*)
740

mysql> select count(*) from oauth2_provider_accesstoken;

count(*)
20552959

select count(*) from oauth2_provider_grant;

count(*)
25264

katebygrace commented 1 year ago

Is this in active development?

mumarkhan999 commented 1 year ago

@katebygrace:

No, this issue will be picked after Django42 and MySQL8 upgrade.

katebygrace commented 1 year ago

Got it, thank you! Where is the Django42 work tracked? (I know where the mysql8 upgrade is)

mumarkhan999 commented 1 year ago

@katebygrace:

Here are the links

Board	Platform issue	Roadmap issue

katebygrace commented 1 year ago

Thank you!!