feat(taskbroker): Add Authentication to Push Taskbroker#580
Open
james-mcnulty wants to merge 1 commit intomainfrom
Open
feat(taskbroker): Add Authentication to Push Taskbroker#580james-mcnulty wants to merge 1 commit intomainfrom
james-mcnulty wants to merge 1 commit intomainfrom
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linear
Completes STREAM-845
Description
Currently, taskworkers pull tasks from taskbrokers via RPC. This approach works, but has some drawbacks. Therefore, we want taskbrokers to push tasks to taskworkers instead. Read this page on Notion for more information.
This PR adds authentication to the push taskbroker using the same scheme as we use now. If the user provides a list of secrets in the configuration, the taskbroker will add a
sentry-signaturefield to the RPC metadata. The value of this field is<name of the method>:<body>run through HMAC-SHA256 and hexadecimal encoded.The worker side of this authentication scheme is already implemented. When the taskbroker sends a
PushTaskRequest, if the worker has a list of secrets provided, it reconstructs the signature using each secret and checks whether it matches the one included in the request. If it does, the call proceeds. If it doesn't, the server returns code 16 (unauthenticated).Details
WorkerClient::sendto accept a list of secrets (which may be empty)sentry_signature_hexto compute the signaturesentry_signature_hexcomputes the signature as expected