Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Service config parse failures should be UNAVAILABLE #9346

Merged
merged 1 commit into from Jul 8, 2022
Merged

Service config parse failures should be UNAVAILABLE #9346

merged 1 commit into from Jul 8, 2022

Conversation

ejona86
Copy link
Member

@ejona86 ejona86 commented Jul 8, 2022

INVALID_ARGUMENT is propagated to the data plane if no previous config
is available. INVALID_ARGUMENT is reserved for application use; LBs
should pretty much use UNAVAILABLE exclusively.

While most of the changes are in xds, there do not appear to be likely
xds code paths that would propagate a bad status to the data plane.
Internal policies either don't use parseLoadBalancingPolicyConfig() and
instead have their configuration objects constructed directly or are
constructed transitively through the cluster manager which uses INTERNAL
if there's a child failure. There was a worrisome hole before this
commit for StatusRuntimeExceptions received by the cluster manager, but
the audit didn't find any locations throwing such an exception.
User-selected policies produce a NACK and are protected from the
existing xds client watcher paths. The worst that appears could happen
is the channel could panic (which uses INTERNAL) if a bug let a bad
configuration through.

@ejona86
Service config parse failures should be UNAVAILABLE
6d39f2f 
INVALID_ARGUMENT is propagated to the data plane if no previous config
is available. INVALID_ARGUMENT is reserved for application use; LBs
should pretty much use UNAVAILABLE exclusively.

While most of the changes are in xds, there do not appear to be likely
xds code paths that would propagate a bad status to the data plane.
Internal policies either don't use parseLoadBalancingPolicyConfig() and
instead have their configuration objects constructed directly or are
constructed transitively through the cluster manager which uses INTERNAL
if there's a child failure. There was a worrisome hole before this
commit for StatusRuntimeExceptions received by the cluster manager, but
the audit didn't find any locations throwing such an exception.
User-selected policies produce a NACK and are protected from the
existing xds client watcher paths. The worst that appears could happen
is the channel could panic (which uses INTERNAL) if a bug let a bad
configuration through.
@ejona86 ejona86 requested a review from temawi July 8, 2022 16:24
@ejona86 ejona86 added the TODO:backport PR needs to be backported. Removed after backport complete label Jul 8, 2022
@ejona86 ejona86 merged commit 19ad446 into grpc:master Jul 8, 2022
@ejona86 ejona86 deleted the service-config-parsing-unavailable branch July 8, 2022 22:49
@ejona86 ejona86 mentioned this pull request Jul 8, 2022
Merged
@ejona86 ejona86 removed the TODO:backport PR needs to be backported. Removed after backport complete label Jul 8, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@temawi temawi temawi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ejona86 @temawi