The current implementation of the entitlement SPI allows providers to return only true (entitled/valid) or false (not entitled/invalid) as result of an entitlement request. While this is sufficient if the entitlement request is performed offline it doesn't allow to signal that the entitlement request couldn't be performed at all when calling an external entitlement service failed because of a network error or unavailability of the service itself. In order to address these cases we propose to change the entitlement SPI interface from Future[Boolean] to Future[Option[Boolean]] (for implementation details please follow the link under [1])
In our IBM Functions service we use IAM (Identity and Access Management). For IAM enabled namespaces an IAM/Bearer token is passed on each request which is checked for access allowance on the requested namespace resources using an external policy system. If the request succeeds an user identity is created which is passed to user/system containers and can be used to create triggers or to reach out to other services. A problem arises if the entitlement request to the external policy system cannot be performed. As mentioned before this could happen due to a temporary network outage, the unavailability of the external service or the service decides to throttle the request due to availability issues. In any of these cases the SPI provider can currently only return invalid which is interpreted as 403/Forbidden even though the request would be perfectly valid if it could only have been done. In our system this problem caused recently many customer complains as triggers were disabled because of those false positives. With the proposed change our IAM entitlement SPI implementation could return none in such cases to signal that the entitlement couldn't be done allowing the caller to act more appropriate, for example do not disable the trigger. I will open a pull request for the proposed interface change. Feel free to comment now to this mail or to the pull request. [1] https://github.com/apache/openwhisk/blob/7062549035eb45f376653ce2433fcbe70e6fd806/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/Entitlement.scala#L180-L189 Mit freundlichen Gruessen / Kind regards Steffen Rost ------------------------------------------------------------------------------------------------------------------------------------------ IBM Cloud Functions Development Phone +49-7031-16-4841 (Fax: -3545) E-Mail: [email protected] ------------------------------------------------------------------------------------------------------------------------------------------ IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Matthias Hartmann -- Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
