-
Notifications
You must be signed in to change notification settings - Fork 25.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DataProtection and scaling /8 #33104
base: main
Are you sure you want to change the base?
Conversation
I think my statement was correct, but I agree that it could mislead new users and should be updated. It is true that someone has to decide and configure where that shared storage location will be, but that someone may not be the app author (e.g. in ACA or App Services on Windows). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for driving this, @Rick-Anderson! I appreciate it.
aspnetcore/security/data-protection/configuration/scaling/includes/scaling7.md
Show resolved
Hide resolved
author: acasey | ||
description: Learn how to configure Data Protection in ASP.NET Core for multi-instance apps. | ||
ms.author: acasey | ||
ms.custom: mvc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Rick-Anderson Do you happen to know what this means/does? I just copied it from the overview.
Co-authored-by: Andrew Casey <amcasey@users.noreply.github.com>
* Newly created Azure Container Apps built using ASP.NET Core Kestrel. For more information see [Autoscaling considerations | ||
](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
|
||
The following distributed environments do ***NOT*** provide automatic key storage in a shared location: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I might characterize these as scenarios where keys will not be shared across instances (even if they have a shared location).
* Separate [deployment slots](/azure/app-service/deploy-staging-slots), such as Staging and Production. | ||
* Azure Container Apps built using ASP.NET Core Kestrel 7.0 or earlier. For more information see [Autoscaling considerations | ||
](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
* Asp.net core apps hosted on multiple non-Azure VMs that don't use server affinity. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Server affinity doesn't get you shared storage, it makes shared storage unnecessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of curiosity, how are we going to keep this up-to-date if/when non-Azure clouds add support for this (which they can straightforwardly do, if they're interested)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of curiosity, how are we going to keep this up-to-date if/when non-Azure clouds add support for this (which they can straightforwardly do, if they're interested)?
See #33108
Co-authored-by: Andrew Casey <amcasey@users.noreply.github.com>
The following distributed environments provide automatic key storage in a shared location: | ||
|
||
* [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
* Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've asked ACA for a date we can use in place of "newly created".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you get a date?
The following distributed environments provide automatic key storage in a shared location: | ||
|
||
* [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
* Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@claudiaregio Can you remember how we scoped this? I've suddenly remembered that this might only affect Aspire apps for now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@claudiaregio Can you remember how we scoped this? I've suddenly remembered that this might only affect Aspire apps for now?
* Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations | ||
](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
|
||
The following scenarios do ***NOT*** provide automatic key storage in a shared location: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This list still feels off to me. What if we framed it as a list of caveats and dropped the mention of non-Azure and ARR?
If ARR is important, we could say that it's an alternative (that applies everywhere, not just non-Azure) though, personally, I think we covered that adequately in the intro.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@amcasey Can you use the suggestion feature to rough draft your approach? I can wordsmith your suggestion
|
||
## Managing Data Protection keys outside the app | ||
|
||
An app with multiple instances may occasionally see an error like `System.Security.Cryptography.CryptographicException: The key {A6EF5BC2-FDCC-4C0C-A3A5-CDA9A1733D70} was not found in the key ring.`. This can happen when instances get out of sync and data protected on one instance (e.g. an anti-forgery token) is unprotected on another instance (e.g. because a form was served from the former and posted to the latter) that doesn't yet know about that key. When this happens, an app user may have to resubmit a form or re-authenticate (if it was an authentication token that couldn't be unprotected). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wordsmith away.
|
||
For example, with Azure blob storage as the key repository, the key manager could be a simple console app run on a schedule. | ||
|
||
```csharp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sure there's a more conventional way to include code samples. Let me know if you want a zip of the project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved them.
|
||
Note that app instances will throw exceptions if they need to perform any `Protect` or `Unprotect` operations before the key manager has run for the first time, so it is preferable to execute it before creating app instances. | ||
|
||
:::moniker-end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't figure out a nice way to phrase "ACA will do this for you automatically, if you let it".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
review my rewrite and use the suggestion feature if needed.
Co-authored-by: Andrew Casey <amcasey@users.noreply.github.com>
aspnetcore/security/data-protection/configuration/scaling/includes/scaling7.md
Show resolved
Hide resolved
The following distributed environments do ***NOT*** provide automatic key storage in a shared location: | ||
|
||
* Separate [deployment slots](/azure/app-service/deploy-staging-slots), such as Staging and Production. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@amcasey @adityamandaleeka, for customers on the .NET 8+, the list where it doesn't work is just deployment slots. Is that the only place it doesn't work with .NET 8+
The following distributed environments provide automatic key storage in a shared location: | ||
|
||
* [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
* Newly created Azure Container Apps built using ASP.NET Core Kestrel. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@amcasey What's newly created? Can we be more precise?
|
||
For example, with Azure blob storage as the key repository, the key manager could be a simple console app run on a schedule. | ||
|
||
```csharp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved them.
|
||
Note that app instances will throw exceptions if they need to perform any `Protect` or `Unprotect` operations before the key manager has run for the first time, so it is preferable to execute it before creating app instances. | ||
|
||
:::moniker-end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
review my rewrite and use the suggestion feature if needed.
|
||
var hostBuilder = new HostApplicationBuilder(); | ||
|
||
// hostBuilder.Configuration.AddJsonFile("appsettings.json", optional: false, reloadOnChange: false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@amcasey not needed so commented out. Will remove line or comment characters.
{ | ||
"AzureURIs": { | ||
"BlobStorage": "https://<storage-account>.blob.core.windows.net/<container>/keys.xml", | ||
"KeyVault": "https://<key-vault-name>.vault.azure.net/keys/<key-name>/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"KeyVault": "https://<key-vault-name>.vault.azure.net/keys/<key-name>/" | |
"KeyVault": "https://<key-vault-name>.vault.azure.net/" |
Pls review my suggested change from your version.
"Logging": { | ||
"LogLevel": { | ||
"Default": "Information", | ||
"Microsoft.AspNetCore": "Warning" | ||
} | ||
}, | ||
"AllowedHosts": "*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can remove this JSON but that's what the templates produce and in the article I yellow highlight the AKV URIs
Fixes #32530
Replaces #33086
@amcasey maybe I don't understand the topic, In your draft " However, when an app scales horizontally by adding more instances, it becomes necessary to explicitly configure Data Protection to establish a shared storage location for Data Protection keys. "
But not in all horizontal scaling (right). It's important to not assume much knowledge for newer users.
I think we can lower the friction if I use your draft to create the article.
Internal previews