Namespaced actors (Multitenant placement service)

[elena-kolevska]

Description

This PR implements support for namespaced actors (multi-tenant placement service).

Requirements

• Multi-tenancy means that sidecars belonging to tenant A will not receive placement information for tenant B (As a consequence, multiple tenants can have actor types with the same name - a hotly requested feature).
• When mTLS is enabled, the sidecar reported namespace should be verified through spiffe ID. When mTLS is not enabled, we accept the reported namespace as-is.

Some implementation details

• The in-memory raft-based store was adapted to group placement data by namespace
• Placement tables are kept per namespace
• Sidecars in a namespace will only receive the placement table for their own namespace
• A stream connection pool will be kept per namespace

Backwards compatibility scenarios:

• The format of the placement table that the sidecars receive will not change, only its content will, making it fully backwards compatible.
• Old sidecars that use TLS do report their namespace at the moment; we will default to that one, even if the sidecar didn’t report it explicitly (because it’s on an old version).
• We have no way of knowing the namespace for old sidecars that do not use TLS. For these sidecars we will use a special “empty” namespace. When they connect to a new placement service, they will only get the actor types hosted on other old sidecars that are not on TLS (in the “empty namespace”).

TLS enabled

As soon as the placement server is updated, sidecars A, B and C will see each other’s actor types, and no others. The same is true for sidecars D, E and F.

TLS not enabled

• Sidecars A and B will not have information about the actor types hosted on sidecar C.
• Sidecar D will not have information about the actor types hosted on sidecar E and F.
• Sidecars C, E and F will see each other’s actor-types, as before

For true backwards compatibility, we would keep sending actor types from all six sidecars to the old sidecars, but this is a security concern and breaks the first requirement for multi-tenancy above (”sidecars belonging to tenant A will not receive placement information for tenant B”). A malicious sidecar could connect with an older version on purpose and see actor types that belong to other namespaces.

This behaviour will be clearly documented (”If you’re not using TLS you need to have a uniform version per namespace, either upgrade all sidecars in a namespace or none.”).

Issue reference

#4711
#3167

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

• Code compiles correctly
• Created/updated tests
• Unit tests passing
• End-to-end tests passing
• Extended the documentation / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]
• Specification has been updated / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]
• Provided sample for the feature / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]

[elena-kolevska]

We can discuss these numbers

[JoshVanL]

👍 1 second is fairly aggressive, but not insane. gRPC library uses 5 seconds by default https://github.com/grpc/grpc-go/blob/e22436abb80982dab3294250b7284eedd8f20768/examples/features/keepalive/server/main.go#L47

[yaron2]

We've seen recently a few examples of managed K8s clusters running in what appeared to be sporadically unreliable networks. In these cases 1 second does seem a bit aggressive, however if we're confident that reconnections shouldn't cause any widespread issues then I guess its fine to keep

[elena-kolevska]

Time in this case is the period of inactivity after which the server will try to ping the client to check if the stream is still alive. Knowing that the sidecars pings every second, maybe we can relax this requirement, and make it 2 seconds.
Timeout represents the duration after the ping during which the server will wait for a response, after which the connection is closed. I think we can increase this to 3 seconds, which will match the old faulty host detection timeout of 3 seconds.

[JoshVanL]

Some comments from me 🙂

[JoshVanL]

We have three wrapped contexts here in this function, as well as double selects, onces, defers etc. which can be tricky to follow. Would using a concurrency.RunnerManager per for loop help?

[elena-kolevska]

This is existing code I moved from membership.go to its own file. I would like to limit changes to that part, just so we can keep the scope of the PR smaller, but I agree that this is a good candidate for refactoring.

[JoshVanL]

Is this a transient error we can ignore? Should we not return the error here and ultimately close placement- given this could mean we can no longer write to the db (?).

[elena-kolevska]

Yes, this looks safe, because the loop will just restart. If there's a real problem with the raft node, it will lose its leader status anyway, which will cancel the context and the loop.

[JoshVanL]

I think require will cause a panic when an assertion fails inside a EventuallyWithT loop. Consider using assert, with an if check on the assertion to gate further assertions to avoid a nil pointer panic .

dapr/tests/integration/suite/actors/reminders/rebalancing.go

Line 123 in 58edd57

if assert.NoError(c, rErr) {

[elena-kolevska]

The requires should be ok, because they're under an if condition, but in the eventual case of them failing in the future, it's better to have them as asserts.
I also added a check for the element's presence.

[JoshVanL]

Please add tests which have namespace as an empty string. We should also include empty string namespace tests elsewhere if we don't already.

[elena-kolevska]

Yeah, we do. We have one here specific to dissemination, and there two in an auth context here and here.
I don't know if it makes sense to do the same for the quorum tests, since the namespace doesn't influence the leader election and dapr finding the right leader.

[JoshVanL]

Please pass as option as this function uses env var which can be awkward for testing.

[JoshVanL]

Are we ignoring errors here?

[elena-kolevska]

No, this just returns a bool indicating if the value already existed.

[JoshVanL]

Suggested change

	func getClient(t *testing.T, ctx context.Context, addr string) rtv1.DaprClient {
	t.Helper()
	conn, err := grpc.DialContext(ctx, addr, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
	require.NoError(t, err)
	t.Cleanup(func() { require.NoError(t, conn.Close()) })
	return rtv1.NewDaprClient(conn)
	}

[JoshVanL]

Suggested change

	client := getClient(t, ctx, n.daprd1.GRPCAddress())
	client := n.daprd1.GRPCClient()

[JoshVanL]

Please check there error type returned.

[elena-kolevska]

We shouldn't have an error here.

[JoshVanL]

This Eventually isn't doing anything.

[elena-kolevska]

We use it as a retry until placement is ready, and then check the error outside of the function.

[JoshVanL]

The Eventually is only going to be run once as c is not asserted. It doesn't seem like we need this Eventually if the tests are passing?

[elena-kolevska]

Ah yes! Fixed.

[JoshVanL]

Why are we doing this?

[elena-kolevska]

It was an old code I added to, but it doesn't make sense as it is... I changed it to return on any error.

[yaron2]

Incredibly happy to see this land.