already_exists and already_published for CreateVolume and xxxPublishVolume RPCs #158
Conversation
CreateVolume, ControllerPublishVolume, and NodePublishVolume are idempotent RPCs and it MAY be useful for a CO, operator, or CSI/gRPC intermediary to know when a request was both successful and did not ultimately change the state of the system.
|
I think it should either be a required This is already required by the current spec to return |
|
I wonder if there are cases where it'll be awkward for a plugin to understand whether a volume already exists (which will be needed if
If one of our overarching goals is to simplify things for plugin writers, then I'd argue that an OPTIONAL |
|
ping @julian-hj @cpuguy83 |
|
I'm confused, why are we using this instead of a status code? |
|
Was discussed and decided upon at the last community sync. Basically we
didn't do enough e2e testing up front and passing response+error back from
the server through the golang/grpc client layer doesn't work like we
thought it should. Of the options discussed, passing back an additional
boolean was the option that we (mostly) agreed on.
https://docs.google.com/document/d/1-oiNg5V_GtS_JBAEViVBhZ3BYVFlbSz70hreyaD7c5Y/edit#heading=h.xzorxa44tuy0
…On Mon, Dec 4, 2017 at 9:33 AM, Brian Goff ***@***.***> wrote:
I'm confused, why are we using this instead of a status code?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#158 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACPVLDyHrjbBZzufijnWkUoypKPE8WhPks5s9ALQgaJpZM4QvsJc>
.
|
|
This seems to muddy the error handling quite a lot. To get around the various issues with intermediate layers, could we specify that an ALREADY_EXISTS response needs to have encoded in the details the volume ID, and then have a |
|
Hi @cpuguy83, I agree with you completely. Julian was adamant that the error should not contain any information other than the error due to concerns around logging of sensitive details (despite the fact that no RPC current returns sensitive information as part of the official model). I was frankly tired of arguing for the idiomatic approach to this issue and just consented to the compromise. I do not care for it, and this is the reason gRPC errors can marshal protobuf objects into the error details, but I was the only person on the call defending the idiomatic approach. |
|
In this case, volume ID's should not be sensitive and should be expected to log. So just to be clear, I'm 👎 on this change. It's making some really nasty compromises on the interface before we even do the first pre-release. |
|
Hi @cpuguy83, I believe that Julian was referring to the possibility that a However, neither case is specified in the spec today and as such I agree that the current approach is idiosyncratic with respect to how gRPC intends errors and error details to be returned. |
|
@cpuguy83, can you sync with @julian-hj on this? Honestly, I am fine with either approach, but I don't want this to block the release. |
|
I guess I am stuck on the notion that returning an error as a second response to a supposedly idempotent function is idiomatic. I find that hard to believe. Can you guys point to examples of functions that claim to be idempotent, and return data payloads in the error details? |
|
@akutz @cpuguy83 will you guys be ok if |
|
👎 on adding the field. It is optional and therefore cannot be relied upon by the CO. We lose referential transparency (a precondition for idempotency) making the API awkward to satisfy and consume. The benefit does not outweigh the cost. I like returning |
|
Let's err on the side of leaving out fields that can always be added for v0.2. Ripping them out for v0.2 is much harder. |
|
I think it's fair to have the SP return an OK response when it already exists assuming the SP has determined that it is the same volume and not just some other volume with the same name. If we want to aid debugging, we could come up with a proto to deal with this to embed in the status details (even for OK responses... I think this should be fine...), but I'm not sure this should be a requirement for v0.1. |
|
@akutz @julian-hj @saad-ali, ping? will you be OK if the SP return an OK response when the volume already exists? |
|
Hi @jieyu, Not really. This is the point of the gRPC error details. :( I can live with returning a successful result IFF we also declare that an SP may enable debug mode and return In other words, returning OK is the default mode, but COs should also still be aware that an SP MAY return an idempotent error with an embedded object. |
|
I would argue that “idempotent error” is an oxymoron. If calling the method a second time with the same arguments is an error, then the method is not idempotent. So I think we have to decide if we want to return an error, or we want to claim idempotency. For my part, I am fine with Jie’s suggestion. If we really believe that the methods are idempotent, then an ALREADY_EXISTS status is pretty much useless anyway. I am going to go offline for the rest of the day because I am in jury duty. Apologies for any delayed responses. |
The patch fixed the error codes that are related to idempotency: (1) For `CreateVolume`, if the volume already exists and is compatible, return OK instead. If the volume exists but not compatible, return ALREADY_EXISTS. (2) For `DeleteVolume`, if the volume does not exist, return OK instead. (3) For `ControllerUnpublishVolume`, if the volume is already detached from the node, return OK instead. Fixes container-storage-interface#157 xref container-storage-interface#158
|
I created #160 based on the conversion above. PTAL |
|
Close this one as #160 has landed. |
Rationale for using
google.protobuf.BoolValue:boolis falsebooltype for this flag then plugins that don't setalready_existsat all will end up sending a defaultfalsevalue, even if the volume already existed. this isn't a huge deal from a CO-behavior perspective but it kills the debugging story: what use is a debugging field if you can't rely on it to tell you something meaningful?BoolValueis unset, because it's a wrapper type. this paves the way for a nice debugging story, wherein plugins that don't setalready_existsin a response will not being sending a misleadingfalsevalue; plugins that explicitly setalready_existsin a response will be sending the value that they intend a CO/operator to observe.