Implement an identity cache in aws-smithy-runtime #3062
Conversation
jdisanti
force-pushed
the
jdisanti-identity-cache
branch
3 times, most recently
from
80861fb to
67665e7
Compare
jdisanti
force-pushed
the
jdisanti-identity-cache
branch
from
67665e7 to
4574ba7
Compare
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
| pub fn buffer_time_jitter_fraction(mut self, buffer_time_jitter_fraction: fn() -> f64) -> Self { | ||
| self.set_buffer_time_jitter_fraction(Some(buffer_time_jitter_fraction)); | ||
| self | ||
| } |
There was a problem hiding this comment.
does this need to be pub, even feature gated?
There was a problem hiding this comment.
It doesn't look like this is even used in tests anymore. I'm going to make it private and cfg(test) in case its needed in the future.
| LazyCache::new( | ||
| self.time_source.unwrap_or_default(), | ||
| self.sleep_impl.unwrap_or_else(|| { | ||
| default_async_sleep().expect("no default sleep implementation available") |
There was a problem hiding this comment.
should this come from a runtime plugin / runtime components?
There was a problem hiding this comment.
Good call out. I refactored it so that these come in through a RuntimeComponents argument on ResolveIdentity so that they will work correctly with config overrides.
| let mut partition = self.partitions.read().unwrap().get(&key).cloned(); | ||
| if partition.is_none() { | ||
| let mut partitions = self.partitions.write().unwrap(); | ||
| // Another thread could have inserted the partition before we acquired the lock, | ||
| // so double check before inserting it. | ||
| partitions | ||
| .entry(key) | ||
| .or_insert_with(|| ExpiringCache::new(self.buffer_time)); | ||
| drop(partitions); | ||
|
|
||
| partition = self.partitions.read().unwrap().get(&key).cloned(); | ||
| } | ||
| partition.expect("inserted above if not present") |
There was a problem hiding this comment.
because it's so easy to mess up RWLock caches, you may want to consider writing the code in a way where you explictly drop() the locks
| .or_insert_with(|| ExpiringCache::new(self.buffer_time)); | ||
| drop(partitions); | ||
|
|
||
| partition = self.partitions.read().unwrap().get(&key).cloned(); |
There was a problem hiding this comment.
since this pattern only works for append-only caches, it may be worth noting that entries are never removed.
| let jitter = self | ||
| .buffer_time | ||
| .mul_f64((self.buffer_time_jitter_fraction)()); | ||
|
|
||
| // Logging for cache miss should be emitted here as opposed to after the call to | ||
| // `cache.get_or_load` above. In the case of multiple threads concurrently executing | ||
| // `cache.get_or_load`, logging inside `cache.get_or_load` ensures that it is emitted | ||
| // only once for the first thread that succeeds in populating a cache value. | ||
| tracing::info!( | ||
| "identity cache miss occurred; added new AWS identity (took {:?})", | ||
| time.now().duration_since(start_time) | ||
| ); |
There was a problem hiding this comment.
should probably note the impact of jitter on the buffer time in the docs above.
| NoCache.into_shared() | ||
| } | ||
|
|
||
| /// Configure a lazy identity cache. |
There was a problem hiding this comment.
one more line that identities are lazily loaded when requested would probably be helpful here
| fn resolve_cached_identity<'a>( | ||
| &'a self, | ||
| resolver: SharedIdentityResolver, | ||
| config_bag: &'a ConfigBag, |
There was a problem hiding this comment.
do we want to be giving it the entire config bag? should this have just auth params instead?
There was a problem hiding this comment.
Identity resolution isn't supposed to have access to the auth parameters per the spec.
| * SPDX-License-Identifier: Apache-2.0 | ||
| */ | ||
|
|
||
| use std::future::Future; |
There was a problem hiding this comment.
do we want this to be in runtime-api instead? I think we've hit other issues where this primitive wasn't accessible to the dependency tree.
There was a problem hiding this comment.
It looks like aws-config is the only other place that uses it, and that depends on aws-smithy-runtime. So I think it's fine where it is. We can always move/re-export it later if we need to.
jdisanti
force-pushed
the
jdisanti-identity-cache
branch
from
4574ba7 to
b7b7b97
Compare
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
This PR adds a
ResolveCachedIdentitytrait, and adapts the existing LazyCredentialsCache implementation to it. It does NOT make this cache used yet, as that will be done as a separate PR to keep code review smaller.Notable differences from the credentials cache:
SharedIdentityResolverso that operation config overrides of the identity resolver will result in the correct identity being resolved.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.