platform icon indicating copy to clipboard operation
platform copied to clipboard
verified publisher icon opentdf

Validate Configuration on Startup

Open ttschampel opened this issue 1 year ago • 1 comments

The platform should validate configuration state on startup, log configuration errors and then exit.

An example from bad configuration (ERS not enabled/defined in config) resulting in a runtime failure and the platform panics:

{"time":"2024-06-07T00:19:05.261969949Z","level":"DEBUG","msg":"verifying policy binding","namespace":"kas","requestBody.policy":"eyJ1dWlkIjoiNzRhNWZjODktZWFiZC00YWJkLTlkNmUtOGRkNjlhZTQwZjVhIiwiYm9keSI6eyJkYXRhQXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiaHR0cHM6Ly9vcGVudGRmLmlvL2F0dHIvaW50ZWxsZWN0dWFscHJvcGVydHkvdmFsdWUvdHJhZGVzZWNyZXQiLCJpc0RlZmF1bHQiOmZhbHNlfV0sImRpc3NlbSI6W119fQ=="}
{"time":"2024-06-07T00:19:05.262143311Z","level":"DEBUG","msg":"extracting policy","namespace":"kas","requestBody.policy":"eyJ1dWlkIjoiNzRhNWZjODktZWFiZC00YWJkLTlkNmUtOGRkNjlhZTQwZjVhIiwiYm9keSI6eyJkYXRhQXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiaHR0cHM6Ly9vcGVudGRmLmlvL2F0dHIvaW50ZWxsZWN0dWFscHJvcGVydHkvdmFsdWUvdHJhZGVzZWNyZXQiLCJpc0RlZmF1bHQiOmZhbHNlfV0sImRpc3NlbSI6W119fQ=="}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x230 pc=0xe59f1a]

goroutine 227 [running]:
google.golang.org/grpc.(*ClientConn).Invoke(0x0, {0x1bc78b0?, 0xc0006e07b0?}, {0x18f9784?, 0xc0005fb600?}, {0x173c680?, 0xc0005fb600?}, {0x173c740?, 0xc0005fb640?}, {0x0, ...})
	/root/go/pkg/mod/google.golang.org/[email protected]/call.go:32 +0x5a
github.com/opentdf/platform/protocol/go/entityresolution.(*entityResolutionServiceClient).CreateEntityChainFromJwt(0xc0004bc420, {0x1bc78b0, 0xc0006e07b0}, 0xc0005fb600, {0x0, 0x0, 0x0})
	/app/protocol/go/entityresolution/entity_resolution_grpc.pb.go:53 +0xc8
github.com/opentdf/platform/service/authorization.(*AuthorizationService).GetDecisionsByToken(0xc00060a360, {0x1bc78b0, 0xc0006e07b0}, 0x4ab3c5?)
	/app/service/authorization/authorization.go:137 +0x1a3
github.com/opentdf/platform/protocol/go/authorization._AuthorizationService_GetDecisionsByToken_Handler({0x17067e0, 0xc00060a360}, {0x1bc78b0, 0xc0006e07b0}, 0xc000577b80, 0x0)
	/app/protocol/go/authorization/authorization_grpc.pb.go:131 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00070d400, {0x1bc78b0, 0xc000876090}, {0x1bd2ec0, 0xc00070e900}, 0xc0008645a0, 0xc000626030, 0x28ad6b8, 0x0)
	/root/go/pkg/mod/google.golang.org/[email protected]/server.go:1369 +0xdf8
google.golang.org/grpc.(*Server).handleStream(0xc00070d400, {0x1bd2ec0, 0xc00070e900}, 0xc0008645a0)
	/root/go/pkg/mod/google.golang.org/[email protected]/server.go:1780 +0xe8b
google.golang.org/grpc.(*Server).serveStreams.func2.1()
	/root/go/pkg/mod/google.golang.org/[email protected]/server.go:1019 +0x8b
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 172
	/root/go/pkg/mod/google.golang.org/[email protected]/server.go:1030 +0x125

ttschampel avatar Jun 07 '24 14:06 ttschampel

I think something else to think about here is that we alway need some type of resolution service. So this either needs to be remote or enabled as it works now.

Also something @jrschumacher and @jakedoublev have brought up in the past is having some type of very basic resolution logic that is driven by configuration and it doesn't even reach out to keycloak.

strantalis avatar Jun 10 '24 13:06 strantalis