Reactive Datasource: support CredentialsProvider changing values by tsegismont · Pull Request #31873 · quarkusio/quarkus

tsegismont · 2023-03-15T18:28:31Z

Instead of:

creating pgConnectOptions after calling the CredentialsProvider on startup
using static pool configuration

We:

use dynamic pool configuration
call the Credentials provider every time a new connection must be created

This PR allows to support use cases like password rotation.

See also https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995

tsegismont · 2023-03-15T18:30:22Z

The first commit applies changes to the Reactive Pg Client extension only. I'll update the other reactive SQL client extensions after we've discussed the proposal.

tsegismont · 2023-03-15T18:32:33Z

@vietj can you please take a look (dynamic pool config implementation)

@cescoffier @geoand I've made changes so that the credentials provider is invoked on a worker thread, is that fine? The user might be doing blocking calls in the implementation.

geoand · 2023-03-16T08:40:35Z

I've made changes so that the credentials provider is invoked on a worker thread, is that fine? The user might be doing blocking calls in the implementation

Have you seen such use cases or users mentioning this?

tsegismont · 2023-03-16T09:55:17Z

Have you seen such use cases or users mentioning this?

I looked into this because of https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995

I haven't tried myself or seen reproducers. I'm trying to think about uses cases, like password rotation. The changing credentials must come from the disk or a remote system? If the lookup is made synchronously in the credentials provider, the event loop will be blocked.

We have two options, I think:

acknowledging the CredentialsProvider contract is synchronous and invoking it on a worker thread
invoking it on the event loop anyway and then we shall:
- document it
- recommend users to perform the new credentials lookup in a scheduled task

geoand · 2023-03-16T09:58:10Z

I guess we should have it on the worker thread for the time being and if the need arised, look into supporting the @Blockling / @NonBlocking annotations

cescoffier · 2023-03-16T14:29:56Z

The call to the credential provider must happen on a worker thread unfortunately (wrong design).

cescoffier

The idea looks good.

The credential provider must be called on a worker thread, as it may block.

ingmarfjolla · 2023-03-16T15:36:33Z

hello, i just verified that this fix seems to be working with this reproducer here (quarkus version 3.0.0.Alpha4): https://github.com/ingmarfjolla/quarkus-reactive. Thanks for working on this!

cc @senthilredhat @raffaelespazzoli

ingmarfjolla · 2023-03-16T15:50:00Z

the only thing i noticed is that the credential manager (vault in my case) seems to be called multiple times on 7 different event loop threads on startup, so the logs look something like :

2023-03-16 11:41:51,471 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-1) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,475 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-1) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,489 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-2) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
2023-03-16 11:41:51,493 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-2) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}  
...
2023-03-16 11:41:51,576 WARN [io.quarkus.vault.runtime.TimeLimitedBase] (vert.x-eventloop-thread-7) mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s mydbrole (database/creds) lease duration 60s is smaller than the renew grace period 3600s {}

tsegismont · 2023-03-17T09:06:35Z

The idea looks good.

Thank you @cescoffier

The credential provider must be called on a worker thread, as it may block.

👍

the only thing i noticed is that the credential manager (vault in my case) seems to be called multiple times on 7 different event loop threads on startup

@ingmarfjolla The crendentials provider can be invoked twice on startup by the extension, and then the default 5 max connections may be created immediately if you setup the database (perhaps with Hibernate Reactive) ?

A good way to check would be to log a fake error (new Exception()) in order to see the stack trace.

tsegismont · 2023-03-20T16:14:22Z

@cescoffier @geoand about credentials provider API: I took a look at the Vault extension implementation:

            return vaultDynamicCredentialsManager.getDynamicCredentials(DATABASE_DEFAULT_MOUNT, DEFAULT_REQUEST_PATH,
                    config.databaseCredentialsRole.get()).await().indefinitely();

Too bad the contract is synchronous because the implementation uses non blocking-APIs.

Do you think it is worth tracking in a separate issue? In the meantime, we definitely have to invoke this on a worker thread.

geoand · 2023-03-20T16:34:07Z

Yeah, I think we should open an issue about providing a new SPI

cescoffier · 2023-03-21T06:56:48Z

Yes, when I found out about the synchronous and blocking nature of the credential provider it was too late :-(. So, yes, please open an issue to switch to a non-blocking API.

tsegismont · 2023-03-21T22:07:50Z

The PR is ready for review

tsegismont · 2023-03-22T10:04:59Z

The failure looks unrelated

geoand · 2023-03-22T10:06:00Z

Yeah, totally unrelated

kdubb · 2023-06-09T20:50:12Z

🎉

tsegismont · 2023-06-10T09:02:09Z

The test failure looks unrelated

geoand · 2023-06-12T07:18:06Z

@kdubb what was the outcome of your experiment vs this?

kdubb · 2023-06-12T07:21:40Z

@tsegismont Is using the culmination of my original PR's against the vert.x sql client.

geoand · 2023-06-12T07:31:52Z

Excellent. @cescoffier are you still good with the latest version of the PR?

cescoffier · 2023-06-12T07:50:30Z

Yes, looks good to me.

kdubb · 2023-06-12T07:53:26Z

Is there any chance of this being back ported to 2.x? idle-timeout is the solution to many issues and discussions in the vault extension. It would be nice to have the functionality in both series if possible.

geoand · 2023-06-12T07:54:07Z

Is there any chance of this being back ported to 2.x

-1 as we really don't want to backport features to 2.x

geoand · 2023-06-12T08:20:45Z

Can we get one last rebase please so we can make sure CI is fine?

Instead of: - creating pgConnectOptions after calling the CredentialsProvider on startup - using static pool configuration We: - use dynamic pool configuration - call the Credentials provider every time a new connection must be created

tsegismont · 2023-06-12T08:42:46Z

Can we get one last rebase please so we can make sure CI is fine?

Done

geoand · 2023-06-12T08:43:31Z

Thanks!

quarkus-bot · 2023-06-12T15:18:55Z

Failing Jobs - Building `3e5afbf`

Status	Name	Step	Failures	Logs	Raw logs
⌛	Native Tests - Security1	`Build`	⚠️ Check →	Logs	Raw logs

tsegismont · 2023-06-12T15:30:01Z

@geoand this time it seems the build failed because one job ran out of time.

geoand · 2023-06-12T15:33:53Z

Yeah, I doubt it's related. @sberyozkin can you confirm?

tsegismont · 2023-06-14T19:11:35Z

@cescoffier @geoand can we go ahead and merge the PR?

tsegismont · 2023-06-15T07:18:54Z

Thanks @geoand !

geoand · 2023-06-15T07:19:21Z

Thank you for this!

tsegismont requested a review from geoand March 15, 2023 18:28

quarkus-bot Bot added the area/reactive-sql-clients label Mar 15, 2023

tsegismont requested a review from cescoffier March 15, 2023 18:28

tsegismont force-pushed the changing_credentials branch from 290c0a1 to b12de93 Compare March 15, 2023 18:34

cescoffier reviewed Mar 16, 2023

View reviewed changes

tsegismont force-pushed the changing_credentials branch from b12de93 to 49cc24f Compare March 20, 2023 17:50

tsegismont force-pushed the changing_credentials branch from 49cc24f to 4a4a3b9 Compare March 21, 2023 22:05

tsegismont marked this pull request as ready for review March 21, 2023 22:05

quarkus-bot Bot added area/dependencies Pull requests that update a dependency file area/persistence OBSOLETE, DO NOT USE labels Mar 21, 2023

tsegismont requested a review from cescoffier March 21, 2023 22:07

tsegismont mentioned this pull request Mar 21, 2023

CredentialsProvider API should be asynchronous #32021

Closed

This comment has been minimized.

Sign in to view

tsegismont force-pushed the changing_credentials branch from 4a4a3b9 to adebae9 Compare March 21, 2023 22:27

This comment has been minimized.

Sign in to view

geoand added release/noteworthy-feature and removed triage/on-ice Frozen until external concerns are resolved labels Jun 12, 2023

cescoffier approved these changes Jun 12, 2023

View reviewed changes

tsegismont force-pushed the changing_credentials branch from 8c9e5ca to 3e5afbf Compare June 12, 2023 08:42

geoand added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 12, 2023

geoand merged commit ac3129f into quarkusio:main Jun 15, 2023

quarkus-bot Bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 15, 2023

quarkus-bot Bot added this to the 3.2 - main milestone Jun 15, 2023

tsegismont deleted the changing_credentials branch June 29, 2023 09:12

kdubb mentioned this pull request Jul 25, 2023

Add maxLifetime to reactive datasource configurations #34985

Merged

tsegismont mentioned this pull request Sep 15, 2025

CredentialsProvider API should be asynchronous #50047

Merged

Conversation

tsegismont commented Mar 15, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tsegismont commented Mar 15, 2023

Uh oh!

tsegismont commented Mar 15, 2023

Uh oh!

geoand commented Mar 16, 2023

Uh oh!

tsegismont commented Mar 16, 2023

Uh oh!

geoand commented Mar 16, 2023

Uh oh!

cescoffier commented Mar 16, 2023

Uh oh!

cescoffier left a comment

Choose a reason for hiding this comment

Uh oh!

ingmarfjolla commented Mar 16, 2023

Uh oh!

ingmarfjolla commented Mar 16, 2023

Uh oh!

tsegismont commented Mar 17, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tsegismont commented Mar 20, 2023

Uh oh!

geoand commented Mar 20, 2023

Uh oh!

cescoffier commented Mar 21, 2023

Uh oh!

tsegismont commented Mar 21, 2023

Uh oh!

This comment has been minimized.

This comment has been minimized.

tsegismont commented Mar 22, 2023

Uh oh!

geoand commented Mar 22, 2023

Uh oh!

kdubb commented Jun 9, 2023

Uh oh!

This comment has been minimized.

tsegismont commented Jun 10, 2023 via email

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

kdubb commented Jun 12, 2023

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

cescoffier commented Jun 12, 2023

Uh oh!

kdubb commented Jun 12, 2023

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

tsegismont commented Jun 12, 2023

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

quarkus-bot Bot commented Jun 12, 2023

Failing Jobs - Building 3e5afbf

Uh oh!

tsegismont commented Jun 12, 2023

Uh oh!

geoand commented Jun 12, 2023

Uh oh!

tsegismont commented Jun 14, 2023

Uh oh!

tsegismont commented Jun 15, 2023

Uh oh!

geoand commented Jun 15, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

tsegismont commented Mar 15, 2023 •

edited

Loading

tsegismont commented Mar 17, 2023 •

edited

Loading

Failing Jobs - Building `3e5afbf`

geoand commented Jun 15, 2023 •

edited

Loading