New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Long import wait times in ansible-galaxy collection publish
break on token expiration
#70019
Comments
Files identified in the description: If these files are incorrect, please update the |
cc @jborean93 |
We are seeing this issue again from zuul.a.c: https://531158b3c666dfe23d04-1adeb2dd807d37c59df6de684f878814.ssl.cf5.rackcdn.com/789ed6d245acafa51750ea0e08581b9dd0f7ec0c/release/release-ansible-collection-automation-hub/1e1c1be/job-output.html#l917 It would be appreciated if we could fix this. |
While this should still be fixed, if the client does time out while waiting for the import with this error the import does continue in the background so the publish will continue. You will just have to manually wait for the import steps to complete. |
While that is true, passing --no-wait would be the better option. In this case, we actively want to wait for AH to return the import result. As such, there is a cap of 15mins right now, and we have to race AH to get the collection processed by then. |
We are sadly seeing this issue again today while publishing content from Zuul to automation hub. It would be very helpful to have ansible-galaxy CLI refresh the token while dealing with long import times on automation hub. As a user, there is no good solution for us when we run into this, as so far each instances has been Automation hub usually dealing with slow imports. |
SUMMARY
The
ansible-galaxy collection publish
command, when interacting with Automation Hub, uses the Keycloak authentication protocol to fetch an access token for API requests during the session. It continues to use this token for the length of the process. When performing a collection publish operation, the client polls the import task endpoint repeatedly until getting a failed or success status on the import to report to the user.The Keycloak access token expires after 15 minutes (900 seconds) and imports can some times take longer than this 15 minute expiration. If this is the case, the polling requests will suddenly fail with a 401 Authentication Error response. The import will appear to fail and the user will not observe the right result.
ISSUE TYPE
COMPONENT NAME
ansible-galaxy
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Fedora 30
STEPS TO REPRODUCE
The problem will occur when the import works for Automation Hub are busy and the import has to wait in the queue before running. The best way to reproduce this would be to publish multiple collections in a very short timeframe or in parallel.
EXPECTED RESULTS
Ideally, the imports would complete faster, but in the case that they take longer, the client should continue to poll the import task and update the user when the import begins and when it finally finishes.
If the token expires, the client should fetch a fresh one and continue its operation normally.
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: