fix: remove duplicate refresh operations #806
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
enocom
force-pushed
the
double-refresh-bug
branch
5 times, most recently
from
acd9a94 to
155cf30
Compare
When callers (like the Cloud SQL Proxy) warmup the background refresh with EngineVersion, the initial refresh operation starts with IAM Authn disabled. Then when a caller connects with IAM authentication, the existing refresh is invalidated (because it doesn't include the client's OAuth2 token). In effect, two refresh operations are completed when the dialer could have just run one initially. This commit ensures calls to EngineVersion respect the dialer's global IAM authentication setting. If IAM authentication is enabled at the dialer level, then EngineVersion will ensure the refresh operation uses IAM authentication. And only one refresh operation occurs between warmup and first connection. In cases where a dialer is initialized without IAM authentication, but then a call to dial requests IAM authentication, a second refresh is unavoidable. This seems to be an uncommon enough use case that it is an acceptable tradeoff given how IAM authentication is tightly coupled with the client certificate refresh. Separately, when Cloud SQL Proxy invocations start the Proxy with the --token flag in combination with IAM authentication, the underlying token does not have a corresponding refresh token and so cannot be refreshed. As a result, when the double calls occur (as described above), there is a third refresh attempt started because the token has a missing expiration field (there is only AccessToken, no RefreshToken, or Expiry). The dialer sees the missing expiration as an expired client certificate and immediately starts a new refresh. But because the dialer has already consumed two attempts, the rate limiter (2 initial attempts, then 30s/attempt) forces the client to wait 30s before connecting. This commit ensures that situation will not happen by using the correct client certificate expiration and not the invalid token expiration. For cases where the Cloud SQL Proxy configures the dialer with the --token flag (and no refresh token), the dialer will always default to using the client certificate's expiration. This means the refresh cycle will fail once the token expires. Fixes #771
enocom
force-pushed
the
double-refresh-bug
branch
from
155cf30 to
06cc954
Compare
Comment on lines
+397
to
+399
| i.mu.Lock() | ||
| useIAMAuthN = i.useIAMAuthNDial | ||
| i.mu.Unlock() |
There was a problem hiding this comment.
why do we need a lock around this?
There was a problem hiding this comment.
During my testing, this triggered a race condition between the read here and the write in UpdateRefresh. I wrapped it with a lock to prevent any data races in the case that a refresh is scheduled at the same time a refresh was being updated.
jackwotherspoon
approved these changes
May 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When callers (like the Cloud SQL Proxy) warmup the background refresh
with EngineVersion, the initial refresh operation starts with IAM Authn
disabled. Then when a caller connects with IAM authentication, the
existing refresh is invalidated (because it doesn't include the client's
OAuth2 token). In effect, two refresh operations are completed when the
dialer could have just run one initially.
This commit ensures calls to EngineVersion respect the dialer's global
IAM authentication setting. If IAM authentication is enabled at the
dialer level, then EngineVersion will ensure the refresh operation uses
IAM authentication. And only one refresh operation occurs between warmup
and first connection.
In cases where a dialer is initialized without IAM authentication, but
then a call to dial requests IAM authentication, a second refresh is
unavoidable. This seems to be an uncommon enough use case that it is an
acceptable tradeoff given how IAM authentication is tightly coupled with
the client certificate refresh.
Separately, when Cloud SQL Proxy invocations start the Proxy with the
--token flag in combination with IAM authentication, the underlying
token does not have a corresponding refresh token and so cannot be
refreshed. As a result, when the double calls occur (as described
above), there is a third refresh attempt started because the token has a
missing expiration field (there is only AccessToken, no RefreshToken, or
Expiry).
The dialer sees the missing expiration as an expired client certificate
and immediately starts a new refresh. But because the dialer has already
consumed two attempts, the rate limiter (2 initial attempts, then
30s/attempt) forces the client to wait 30s before connecting.
This commit ensures that situation will not happen by using the correct
client certificate expiration and not the invalid token expiration. For
cases where the Cloud SQL Proxy configures the dialer with the --token
flag (and no refresh token), the dialer will always default to using the
client certificate's expiration. This means the refresh cycle will fail
once the token expires.
Fixes #771