feat(meta): watch and reload license key from file (#18768)

Signed-off-by: Bugen Zhao <[email protected]>
risingwavelabs · Oct 9, 2024 · 2478845 · 2478845
1 parent ee4d9e7
commit 2478845
Show file tree

Hide file tree

Showing 10 changed files with 314 additions and 5 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/cmd_all/src/standalone.rs b/src/cmd_all/src/standalone.rs
@@ -468,6 +468,7 @@ mod test {
                             dangerous_max_idle_secs: None,
                             connector_rpc_endpoint: None,
                             license_key: None,
+                            license_key_file: None,
                             temp_secret_file_dir: "./meta/secrets/",
                         },
                     ),

diff --git a/src/license/src/key.rs b/src/license/src/key.rs
@@ -18,6 +18,17 @@ use std::str::FromStr;
 use serde::{Deserialize, Serialize};
 
 /// A license key with the paid tier that only works in tests.
+///
+/// The content is a JWT token with the following payload:
+/// ```text
+/// License {
+///     sub: "rw-test",
+///     iss: Test,
+///     tier: Paid,
+///     cpu_core_limit: None,
+///     exp: 9999999999,
+/// }
+/// ```
 pub(crate) const TEST_PAID_LICENSE_KEY_CONTENT: &str =
  "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.\
   eyJzdWIiOiJydy10ZXN0IiwidGllciI6InBhaWQiLCJpc3MiOiJ0ZXN0LnJpc2luZ3dhdmUuY29tIiwiZXhwIjo5OTk5OTk5OTk5fQ.\

diff --git a/src/license/src/manager.rs b/src/license/src/manager.rs
@@ -43,7 +43,7 @@ pub enum Tier {
 ///
 /// The issuer must be `prod.risingwave.com` in production, and can be `test.risingwave.com` in
 /// development. This will be validated when refreshing the license key.
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Deserialize, PartialEq, Eq)]
 pub enum Issuer {
     #[serde(rename = "prod.risingwave.com")]
     Prod,
@@ -58,10 +58,13 @@ pub enum Issuer {
 /// The content of a license.
 ///
 /// We use JSON Web Token (JWT) to represent the license. This struct is the payload.
+///
+/// Prefer calling [`crate::Feature::check_available`] to check the availability of a feature,
+/// other than directly checking the content of the license.
 // TODO(license): Shall we add a version field?
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
 #[serde(rename_all = "snake_case")]
-pub(super) struct License {
+pub struct License {
     /// Subject of the license.
     ///
     /// See <https://tools.ietf.org/html/rfc7519#section-4.1.2>.
@@ -171,7 +174,10 @@ impl LicenseManager {
     /// Get the current license if it is valid.
     ///
     /// Since the license can expire, the returned license should not be cached by the caller.
-    pub(super) fn license(&self) -> Result<License, LicenseKeyError> {
+    ///
+    /// Prefer calling [`crate::Feature::check_available`] to check the availability of a feature,
+    /// other than directly calling this method and checking the content of the license.
+    pub fn license(&self) -> Result<License, LicenseKeyError> {
         let license = self.inner.read().unwrap().license.clone()?;
 
         // Check the expiration time additionally.

diff --git a/src/meta/Cargo.toml b/src/meta/Cargo.toml
@@ -43,6 +43,7 @@ jsonbb = { workspace = true }
 maplit = "1.0.2"
 memcomparable = { version = "0.2" }
 mime_guess = "2"
+notify = { version = "6", default-features = false, features = ["macos_fsevent"] }
 num-integer = "0.1"
 num-traits = "0.2"
 otlp-embedded = { workspace = true }
@@ -105,6 +106,8 @@ expect-test = "1.5"
 rand = { workspace = true }
 risingwave_hummock_sdk = { workspace = true, features = ["test"] }
 risingwave_test_runner = { workspace = true }
+tempfile = "3"
+tracing-subscriber = "0.3"
 
 [features]
 test = []

diff --git a/src/meta/node/src/lib.rs b/src/meta/node/src/lib.rs
@@ -17,6 +17,7 @@
 
 mod server;
 
+use std::path::PathBuf;
 use std::time::Duration;
 
 use clap::Parser;
@@ -192,6 +193,10 @@ pub struct MetaNodeOpts {
     #[override_opts(path = system.license_key)]
     pub license_key: Option<LicenseKey>,
 
+    /// The path of the license key file to be watched and hot-reloaded.
+    #[clap(long, env = "RW_LICENSE_KEY_PATH")]
+    pub license_key_file: Option<PathBuf>,
+
     /// 128-bit AES key for secret store in HEX format.
     #[educe(Debug(ignore))] // TODO: use newtype to redact debug impl
     #[clap(long, hide = true, env = "RW_SECRET_STORE_PRIVATE_KEY_HEX")]
@@ -465,6 +470,7 @@ pub fn start(
                     .meta
                     .developer
                     .actor_cnt_per_worker_parallelism_soft_limit,
+                license_key_path: opts.license_key_file,
             },
             config.system.into_init_system_params(),
             Default::default(),

diff --git a/src/meta/node/src/server.rs b/src/meta/node/src/server.rs
@@ -398,6 +398,7 @@ pub async fn start_service_as_election_leader(
         meta_store_impl,
     )
     .await?;
+    let _ = env.may_start_watch_license_key_file()?;
     let system_params_reader = env.system_params_reader().await;
 
     let data_directory = system_params_reader.data_directory();

diff --git a/src/meta/src/manager/env.rs b/src/meta/src/manager/env.rs
@@ -13,6 +13,7 @@
 // limitations under the License.
 
 use std::ops::Deref;
+use std::path::PathBuf;
 use std::sync::Arc;
 
 use risingwave_common::config::{
@@ -296,6 +297,8 @@ pub struct MetaOpts {
     // Cluster limits
     pub actor_cnt_per_worker_parallelism_hard_limit: usize,
     pub actor_cnt_per_worker_parallelism_soft_limit: usize,
+
+    pub license_key_path: Option<PathBuf>,
 }
 
 impl MetaOpts {
@@ -362,6 +365,7 @@ impl MetaOpts {
             table_info_statistic_history_times: 240,
             actor_cnt_per_worker_parallelism_hard_limit: usize::MAX,
             actor_cnt_per_worker_parallelism_soft_limit: usize::MAX,
+            license_key_path: None,
         }
     }
 }
@@ -523,6 +527,7 @@ impl MetaSrvEnv {
                 }
             }
         };
+
         Ok(env)
     }