Page MenuHomePhabricator
Create Task
Maniphest T134811

Consider REST with SSL (HyperSwitch/Cassandra) for session storage
Closed, ResolvedPublic
Actions

Description

User sessions and chronology protector positions are stored in Redis now.

For ChronologyProtector (and possibly the sessions in edge cases), we want writes to happen in all DCs at once. BagOStuff::set() already supports this concept, but we don't respect it in our current Redis setup (which relies on Redis replication). We also can't handle the case when a single Redis server goes down in a DC (since get/set would re-hash differently in each DC).

T111575 has a patch to mitigate the sync write and sever failure cases. One limitation to that approach is that it only tries writes once instead of being eventually consistent. For sessions and ChronologyProtector, this is OK (since they regenerate), but not ideal. It also requires encryption between redis <=> apaches for cross DC writes. Redis does not support this, so hacks would be needed.

Cassandra could handle all of these problems. For example, the php-driver supports SSL per http://datastax.github.io/php-driver/features/ssl_encryption/ . Another library is https://github.com/duoshuo/php-cassandra . https://gerrit.wikimedia.org/r/#/c/238370/ could be changed to use one of these.

Probably a tiny cluster with SSDs could be used, since the use case is different (high read, latency sensitive, low writes) than any of the others, and should be isolated a bit due to the nature of sessions.

Since the creation of this task the plan has evolved to not use Cassandra from MediaWiki PHP directly, but instead communicate with Cassandra via a HyperSwitch instance (HyperSwitch is the library behind Wikimedia RESTBase).

Related Objects
Search...

Event Timeline

aaron created this task.May 9 2016, 8:39 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 9 2016, 8:39 PM
mobrovac subscribed.May 9 2016, 9:03 PM

I think we could accommodate that as part of the existing RESTBase install, as I imagine we are talking about a rather limited amount of data. We might also get away with MW not needing a php Cassandra driver if we set up appropriate routes in RESTBase. Because we are talking about sensitive data which definitely shouldn't be exposed to external clients, we can set up a fake domain in RESTBase, which would allow MW to reference it via VRS while at the same time not exposing it to the public.

Joe added a project: SRE.May 11 2016, 4:36 PM
Joe subscribed.
Joe added a comment.May 12 2016, 5:53 AM

I would like to keep session management in a pretty confined environment - I would frankly avoid using the cassandra cluster we use for restbase for it.

mobrovac added a comment.May 12 2016, 7:03 AM
In T134811#2288254, @Joe wrote:

I would like to keep session management in a pretty confined environment - I would frankly avoid using the cassandra cluster we use for restbase for it.

Makes sense. I would prefer to do so too, but proposed it as a quick'n'dirty work-around. I do agree, though, that keeping such information in Cassandra greatly simplifies session storage when cross- and multi-DC concepts come into play.

Krinkle updated the task description. (Show Details)May 12 2016, 5:03 PM
aaron renamed this task from Consider cassandra for session storage (and SSL) to Consider cassandra for session storage (with SSL).May 14 2016, 12:57 PM
aaron moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.May 16 2016, 6:53 PM
Smalyshev subscribed.May 25 2016, 4:17 PM
aaron created subtask T137272: Create BagOStuff subclass for HTTP.Jun 8 2016, 6:52 AM
Smalyshev added a comment.Jun 8 2016, 4:12 PM

Regarding the drivers - php-driver is a PHP extension, so we'd need to port it to HHVM if we want to use it in production. I'll check how php-cassandra works, it may be easier.

aaron added a comment.Jun 8 2016, 4:50 PM

If we go with restbase, then the subclass will just use MultiHttpClient. It could either talk to a local http restbase endpoint (which itself uses TLS) or the client can also use https for good measure (if that is supported). The main thing I care about is that no unencrypted traffic goes across DCs.

aaron renamed this task from Consider cassandra for session storage (with SSL) to Consider restbase/cassandra for session storage (with SSL).Jun 9 2016, 10:36 PM
aaron added a parent task: T111575: Make $wgSessionCacheType and $wgMainStash caches multi-DC ready.Jun 9 2016, 10:46 PM
Smalyshev closed subtask T137272: Create BagOStuff subclass for HTTP as Resolved.Jul 6 2016, 6:36 PM
Smalyshev mentioned this in T128602: RFC: Backend for synchronized data from Wikipedia mobile apps.Jul 19 2016, 5:55 PM
Krinkle renamed this task from Consider restbase/cassandra for session storage (with SSL) to Consider REST with SSL (HyperSwitch/Cassandra) for session storage.Jul 20 2016, 4:25 PM
Krinkle updated the task description. (Show Details)
GWicke mentioned this in T140813: Protect sensitive user-related information with a UserData / auth / session service.Jul 20 2016, 6:44 PM
aaron added a project: Wikimedia-Multiple-active-datacenters.Aug 12 2016, 4:49 AM
aaron mentioned this in T111575: Make $wgSessionCacheType and $wgMainStash caches multi-DC ready.Sep 4 2016, 12:33 PM
PleaseStand subscribed.Sep 4 2016, 3:10 PM
aaron moved this task from Backlog to Doing on the Wikimedia-Multiple-active-datacenters board.Sep 15 2016, 4:20 PM
Gilles moved this task from Backlog: Maintenance, non-prioritized to Blocked (old) on the Performance-Team board.Dec 7 2016, 7:39 PM
aaron moved this task from Doing to Next-up on the Wikimedia-Multiple-active-datacenters board.Dec 14 2016, 5:13 PM
elukey subscribed.Feb 6 2017, 9:47 AM
Krinkle edited projects, added Multiple-active-datacenters archived; removed Wikimedia-Multiple-active-datacenters, Sustainability.May 3 2017, 7:37 PM
Krinkle edited projects, added Sustainability (MediaWiki-MultiDC); removed Multiple-active-datacenters archived.May 3 2017, 7:58 PM
Krinkle moved this task from Later to Discuss next on the Sustainability (MediaWiki-MultiDC) board.May 5 2017, 3:29 AM
aaron lowered the priority of this task from Medium to Low.May 26 2017, 11:40 PM
Joe added a comment.May 29 2017, 6:56 AM

I've seen there hasn't been much going on on this task, but I want to have the opportunity to say that I don't think it's a good idea to put a software created for other purposes (HS) to serve our sessions.

Specifically, we want to create a dedicated service that is simple and specialized enough to be able to add features like (first things off the top of my head) brute-force-attack detection or token generation.

mobrovac added a comment.May 29 2017, 2:53 PM
In T134811#3297472, @Joe wrote:

I've seen there hasn't been much going on on this task, but I want to have the opportunity to say that I don't think it's a good idea to put a software created for other purposes (HS) to serve our sessions.

Specifically, we want to create a dedicated service that is simple and specialized enough to be able to add features like (first things off the top of my head) brute-force-attack detection or token generation.

HyperSwitch is a generic REST API router library with added candy like pluggable (route) filters and a request template compiler. It itself does not expose any functionality, so it seems like a perfect fit for what we want here, given that the service's API will be relatively simple (get/set), leaving us room to focus on the actual issues that you mentioned.

Joe added a comment.May 29 2017, 2:55 PM
In T134811#3298450, @mobrovac wrote:
In T134811#3297472, @Joe wrote:

I've seen there hasn't been much going on on this task, but I want to have the opportunity to say that I don't think it's a good idea to put a software created for other purposes (HS) to serve our sessions.

Specifically, we want to create a dedicated service that is simple and specialized enough to be able to add features like (first things off the top of my head) brute-force-attack detection or token generation.

HyperSwitch is a generic REST API router library with added candy like pluggable (route) filters and a request template compiler. It itself does not expose any functionality, so it seems like a perfect fit for what we want here, given that the service's API will be relatively simple (get/set), leaving us room to focus on the actual issues that you mentioned.

Oh, sorry, I must have misread: what the task means is that we'll use the HS library while writing a new service? That makes much more sense, thanks :)

elukey mentioned this in T151466: Performance Q2 2017/18 goal: Install and use mcrouter in deployment-prep.May 30 2017, 8:05 AM
GWicke moved this task from Backlog to blocked on the Services board.Jul 12 2017, 5:20 PM
GWicke edited projects, added Services (blocked); removed Services.
aaron removed aaron as the assignee of this task.Oct 5 2017, 1:12 AM
aaron mentioned this in T91820: Create HTTP verb and sticky cookie DC routing in VCL .Jun 6 2018, 6:46 AM
Imarlier added subscribers: tstarling, Imarlier.Jun 21 2018, 9:41 AM

@tstarling It's our (Perf team's) impression that we wouldn't be the ones taking this on. Does that seem right to you?

Krinkle edited projects, added Performance-Team (Radar); removed Performance-Team.Jun 21 2018, 11:28 AM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.
mobrovac edited projects, added Services (designing); removed Services (blocked).Jun 21 2018, 2:38 PM
In T134811#4304623, @Imarlier wrote:

@tstarling It's our (Perf team's) impression that we wouldn't be the ones taking this on. Does that seem right to you?

We will tackle this in the second half of FY18/19 as part of the platform evolution CDP.

mobrovac added a project: Platform Team Legacy (Designing).Dec 20 2018, 12:55 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:40 PM
Mholloway subscribed.Feb 24 2019, 11:20 PM
mobrovac closed this task as Resolved.Feb 27 2019, 11:35 PM
mobrovac claimed this task.

The session management service is being currently developed. The work is tracked in T206016: Create a service for session storage and related tickets. Resolving this one, as this is (almost) the route we went with :P

CCicalese_WMF edited projects, added Platform Team Workboards (Done with CPT); removed Platform Team Legacy (Designing).Mar 4 2019, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL