Add prefer_module_identity_cache option (#543) (#547)

Adds the prefer_module_identity_cache (defaults to false) option in identityd's configuration. Current behavior is to request module identities from IoT Hub and fall back to a cached backup if the Hub request fails. This keeps identities in sync with IoT Hub, but results in extra requests to Hub that may not be necessary depending on use case. Setting prefer_module_identity_cache to true reverses the behavior so that the cached identities are preferred to IoT Hub requests. Requests to Hub are still made if identities are not found in the cache.
Azure · Sep 14, 2023 · 137258d · 137258d
1 parent d644195
commit 137258d
Show file tree

Hide file tree

Showing 30 changed files with 297 additions and 171 deletions.
diff --git a/aziotctl/aziotctl-common/src/config/apply.rs b/aziotctl/aziotctl-common/src/config/apply.rs
@@ -27,6 +27,7 @@ pub fn run(
         cloud_timeout_sec,
         cloud_retries,
         aziot_max_requests,
+        prefer_module_identity_cache,
         mut aziot_keys,
         mut preloaded_keys,
         cert_issuance,
@@ -343,6 +344,8 @@ pub fn run(
 
         homedir: super::AZIOT_IDENTITYD_HOMEDIR_PATH.into(),
 
+        prefer_module_identity_cache,
+
         max_requests: aziot_max_requests.identityd,
 
         cloud_timeout_sec,

diff --git a/aziotctl/aziotctl-common/src/config/super_config.rs b/aziotctl/aziotctl-common/src/config/super_config.rs
@@ -54,6 +54,9 @@ pub struct Config {
     #[serde(default, skip_serializing_if = "AziotMaxRequests::is_default")]
     pub aziot_max_requests: AziotMaxRequests,
 
+    #[serde(default)]
+    pub prefer_module_identity_cache: bool,
+
     pub provisioning: Provisioning,
 
     pub localid: Option<aziot_identityd_config::LocalId>,

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-symmetric-key-no-pad/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-symmetric-key-no-pad/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-symmetric-key/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-symmetric-key/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-tpm/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-tpm/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509-est-bootstrap-auto-renew/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509-est-bootstrap-auto-renew/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est-bootstrap/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est-bootstrap/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/...tctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est-custom-bootstrap/identityd.toml b/...tctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est-custom-bootstrap/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/.../aziotctl-common/test-files/apply/dps-x509-pkcs11-est-subject-dn-bootstrap/identityd.toml b/.../aziotctl-common/test-files/apply/dps-x509-pkcs11-est-subject-dn-bootstrap/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-est/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-localca/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11-localca/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509-pkcs11/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/dps-x509/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/dps-x509/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "dps"

diff --git a/aziotctl/aziotctl-common/test-files/apply/local-gateway/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/local-gateway/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 local_gateway_hostname = "my-gateway-device"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-connection-string/config.toml b/aziotctl/aziotctl-common/test-files/apply/manual-connection-string/config.toml
@@ -1,3 +1,5 @@
+prefer_module_identity_cache = true
+
 [provisioning]
 source = "manual"
 connection_string = "HostName=example.azure-devices.net;DeviceId=my-device;SharedAccessKey=YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU="
diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-connection-string/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-connection-string/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = true
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-symmetric-key-no-pad/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-symmetric-key-no-pad/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-symmetric-key/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-symmetric-key/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-custom-http/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-custom-http/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-custom/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-custom/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-subject-dn/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-x509-est-subject-dn/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-x509-pkcs11/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-x509-pkcs11/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/manual-x509/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/manual-x509/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 
 [provisioning]
 source = "manual"

diff --git a/aziotctl/aziotctl-common/test-files/apply/throttle-limits/identityd.toml b/aziotctl/aziotctl-common/test-files/apply/throttle-limits/identityd.toml
@@ -1,5 +1,6 @@
 hostname = "my-device"
 homedir = "/var/lib/aziot/identityd"
+prefer_module_identity_cache = false
 max_requests = 50
 
 [provisioning]

diff --git a/aziotctl/config/unix/template.toml b/aziotctl/config/unix/template.toml
@@ -29,15 +29,29 @@
 # cloud_retries controls how many times a request may be retried should it fail.
 # The client will always send at least one attempt, so its value will be the number
 # of retries after the first attempt should that fail (i.e. cloud_retries = 2
-# means that the client will make a total of 3 attempts). 
+# means that the client will make a total of 3 attempts).
 #
-# cloud_timeout_sec has a minimum of 70s to allow hub to throttle requests. 
+# cloud_timeout_sec has a minimum of 70s to allow hub to throttle requests.
 # If a request is throttled, it will enter an exponential backoff with 4 retries instead
 # of using the configured value. The configured value is used for all other errors.
 #
 # cloud_timeout_sec = 70
 # cloud_retries = 1
 
+# ==============================================================================
+# Module identity cache preference
+# ==============================================================================
+#
+# The default behavior is to request module identities from IoT Hub and fall back to a
+# cached backup if the Hub request fails. This keeps identities in sync with IoT Hub,
+# but results in extra requests to Hub that may not be necessary depending on use case.
+#
+# Setting prefer_module_identity_cache to true reverses the behavior so that the cached
+# identities are preferred to IoT Hub requests. Requests to Hub are still made if identities
+# are not found in the cache.
+#
+# prefer_module_identity_cache = false
+
 # ==============================================================================
 # Provisioning
 # ==============================================================================

diff --git a/aziotctl/src/config/mp.rs b/aziotctl/src/config/mp.rs
@@ -75,6 +75,8 @@ To reconfigure IoT Identity Service, run:
 
         aziot_max_requests: Default::default(),
 
+        prefer_module_identity_cache: Default::default(),
+
         aziot_keys: Default::default(),
 
         preloaded_keys: Default::default(),

diff --git a/aziotctl/src/internal/check/checks/host_connect_iothub.rs b/aziotctl/src/internal/check/checks/host_connect_iothub.rs
@@ -219,6 +219,7 @@ mod tests {
             max_requests: 10,
             cloud_retries: 1,
             cloud_timeout_sec: 1,
+            prefer_module_identity_cache: false,
             provisioning: device_provisioning,
             principal: Vec::new(),
             endpoints: Endpoints::default(),

diff --git a/identity/aziot-identityd-config/src/lib.rs b/identity/aziot-identityd-config/src/lib.rs
@@ -21,6 +21,9 @@ pub struct Settings {
 
     pub homedir: std::path::PathBuf,
 
+    #[serde(default)]
+    pub prefer_module_identity_cache: bool,
+
     /// Maximum number of simultaneous requests per user that identityd will service.
     #[serde(
         default = "http_common::Incoming::default_max_requests",