[grpc storage]: Propagate tenant to grpc backend #6030
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #6030 +/- ##
=======================================
Coverage 96.90% 96.90%
=======================================
Files 349 349
Lines 16599 16600 +1
=======================================
+ Hits 16086 16087 +1
Misses 329 329
Partials 184 184
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
| // BearerTokenKey is the key name for the bearer token context value. | ||
| BearerTokenKey = "bearer.token" | ||
| // TenantKey is the key name for the x-tenant context value. | ||
| TenantKey = "x.tenant" |
There was a problem hiding this comment.
Does it make sense to reuse the configured tenant header key?
Coming from --multi-tenancy.header=x-scope-orgid?
There was a problem hiding this comment.
Well.. That should already be the case. Since tenancy.NewClientUnaryInterceptor and tenancy.NewClientStreamInterceptor are registered.
There was a problem hiding this comment.
Running Jaeger query without this patch:
SPAN_STORAGE_TYPE=grpc ./query --query.base-path=/ --grpc-storage.server=127.0.0.1:7777 --query.bearer-token-propagation=true --multi-tenancy.enabled=true --multi-tenancy.header=x-scope-orgid --query.grpc-server.host-port=localhost:16685 --query.http-server.host-port=localhost:16686 --admin.http.host-port=localhost:16687Then going a request:
curl -X GET "http://localhost:16686/api/traces?service=dummy" \
-H "Authorization: Bearer abc" \
-H "x-scope-orgid: 124"Will only propagate the following metadata:
Stream Request Metadata: map[:authority:[127.0.0.1:7777] bearer.token:[abc] content-type:[application/grpc] grpc-accept-encoding:[snappy,zstd,gzip] user-agent:[grpc-go/1.65.0]]Using this patch x.tenant:[124] will be part of it.
There was a problem hiding this comment.
Well.. That should already be the case. Since tenancy.NewClientUnaryInterceptor and tenancy.NewClientStreamInterceptor are registered.
Seems the problem was that this branch was never executed. Since the tenancy options from config_v1 have not been translated into config_v2.
jaeger/plugin/storage/grpc/factory.go
Lines 134 to 136 in 19386cf
After adding the tenancy options in TranslateToConfigV2 the tenant infos x-scope-orgid:[124] are propagated.
Stream Request Metadata: map[:authority:[127.0.0.1:7777] bearer.token:[abc] content-type:[application/grpc] grpc-accept-encoding:[snappy,zstd,gzip] user-agent:[grpc-go/1.67.0] x-scope-orgid:[124]]
|
This reverts commit 090962d. Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
No, the header name x.tenant is not a standard header in gRPC. I followed the bearer token implementation with the naming.
Sure, I will document the outcome of this PR afterwards.
I think no. I'm also not sure if we should keep the |
What would those interceptors do with the headers? In case of outbound ones they read the values from designated keys in the Context, so I am not sure what a "generic" interceptor for "headers" would do. I do think we need an inbound interceptor for use in cmd/remote-storage, because it can be used to run storage backends natively supported by Jaeger which would be able to read those values from the Context. |
| @@ -38,6 +38,7 @@ func DefaultConfigV2() ConfigV2 { | |||
|
|
|||
| func (c *Configuration) TranslateToConfigV2() *ConfigV2 { | |||
| return &ConfigV2{ | |||
| Tenancy: c.TenancyOpts, | |||
There was a problem hiding this comment.
@mahadzaryab1 I think this is another example of divergence between v1/v2 configs - this is why my preference is always NOT to have separate configs, so that omissions like this won't happen. Do you want to take a look at that as part of #5229?
There was a problem hiding this comment.
@frzifus what kind of unit or e2e test could we have to catch this bug?
There was a problem hiding this comment.
I was going to add a unittest for this translate config function. But when I started to re-type this 4 line logic, I thought it doesnt make much sense.
An e2e test that runs jaeger-query with the SPAN_STORAGE_TYPE=grpc storage and the --multi-tenancy.header=x-scope-orgid flag and checks the metadata of the outgoing gRPC request would be perfect to avoid that issue in the future.
Similar to this: #6030 (comment)
@yurishkuro Would it be ok, creating an issue to keep track and submit something afterwards?
There was a problem hiding this comment.
An e2e test that runs jaeger-query with the SPAN_STORAGE_TYPE=grpc storage and the --multi-tenancy.header=x-scope-orgid flag and checks the metadata of the outgoing gRPC request would be perfect to avoid that issue in the future.
We have a grpc storage e2e test today. We can add a test there that will run the storage with tenancy enabled and store a span with tenant1 then try to retrieve it with tenant1 (found) and tenant2 (not found). The memory storage used in that e2e test already supports separation of data by tenant.
There was a problem hiding this comment.
It would be even better to do this with jaeger-v2 e2e tests, but one thing that I don't know about is how we can thread the tenant ID through the OTEL Collector pipeline, from OTLP receiver to jaeger-storage-extension.
mh.. y, I think you are right. In that case, we would need to attach a map as value and build something custom. Probably not worth it.
Its the case here, right? jaeger/cmd/remote-storage/app/server.go Lines 99 to 104 in 19386cf |
ah, so it handles tenancy but not the bearer token? I actually don't see anything grpc-related in pkg/bearertoken |
|
we should move |
y, I did not go through the code yet. It might be handled somewhere. But having a pkg with the gRPC impl. (similar to the tenant thing) would simplify it. |
yurishkuro
changed the title
) ## Which problem is this PR solving? - Resolves #6041 ## Description of the changes - We were currently maintaining two entirely separate configurations for v1 and v2 for the GRPC Storage Component and were initializing v1 configurations and then translating them to the v2 configurations which were the ones actually being used. This caused an issue where one configuration field was left out of the translation method (see #6030 for more details). - In this PR, we consolidate the v1 and v2 configurations into a single config type that is directly initialized to avoid having configurations that diverge or running into issues like the one described above. ## How was this change tested? - Unit tests were updated - Integration tests were not touched but should still pass since this was just an internal change and the interface was not touched ## Checklist - [x] I have read https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md - [x] I have signed all commits - [x] I have added unit tests for the new functionality - [x] I have run lint and test steps successfully - for `jaeger`: `make lint test` - for `jaeger-ui`: `yarn lint` and `yarn test` --------- Signed-off-by: Mahad Zaryab <mahadzaryab1@gmail.com>
Which problem is this PR solving?
Description of the changes
Before the gRPC plugins were removed in Jaeger 1.58, tenant information was distributed in via the internal context.
With this change, the tenant information is also propagated to a removed grpc backend.
How was this change tested?
Checklist
jaeger:make lint testjaeger-ui:yarn lintandyarn testcc @albertteoh do you think we can get this into the next jaeger release tomorrow? ^^