Spike Overview
JIRA ID: EUREKA-212 Investigate options for mod-scheduler handling changes in the system
Objective: When mod-scheduler triggers a timer, it impersonates the user who created that timer when making the API request. This ensures that a user cannot create a timer that performs actions they aren't authorized to do. However, if the user’s role or capability assignments change, or if the user is disabled or removed, the timer will no longer function.
Another potential issue arises if a timer is created for an API in the foo interface, and later the application providing the foo interface is disabled, upgraded to a new version that no longer includes that API, or if the API contract has changed.
Deliverables
Option 1 Event handler when the system has changed
The approach needs to handle various events, such as application updates, tenant disabling, and user capability updates. This requires complex business logic to check how each event might affect timers and disable them accordingly. Additionally, we need a dashboard displaying disabled timers with error explanations and reasons for the disablement so that administrators can resolve the issues.
Pros
The logic for disabling timers will be handled automatically, allowing the administrator to review the reason for the timer being disabled and decide whether to fix the issue or remove the timer.
Cons
The business logic may become complex as it involves mapping events to timers, which could be affected and might introduce errors that need to be identified and addressed.
Option 2 Circuit Breaker pattern
The approach will still allow timers to fail, but we will handle this more proactively. Based on the circuit breaker status, we will build a dashboard where administrators can see which timers have failed, for how long, and the cause of the error (e.g., route not found, connection timeout, access denied). This means administrators can check the capability settings for the user who ran the timer or remove the timer from the tenant if the required application is disabled/uninstalled.
The Circuit Breaker pattern has three states: Open, Closed, and Half-Open.
Closed State: The circuit breaker functions normally when the timer runs successfully. However, if timer failures exceed a threshold (to be decided), the circuit breaker trips and switches to the "open" state.
Open State: In this state, the timer will not try to execute in the next scheduled period.
Half-Open State: After a specified duration (to be decided), the circuit breaker transitions to the "half-open" state, allowing the timer to run in the next scheduled period. If it succeeds, the circuit breaker resets to the "closed" state, and the timer will operate as usual. If the requests fail, the circuit breaker returns the timer to the "open" state until the next timeout period.
Pros:
Simple implementation
Provides transparency for administrators to see which timers failed and for how long
Cons:
Users must resolve or disable the timers themselves and investigate the cause of the failures
Option 3 email notification when the timer failed
We can send an email each time a timer fails to notify the administrator. This email should include extra information such as the endpoint the timer tried to call, the user who ran it, and the error that caused the failure. This way, the administrator can review the emails and address the failed timers.
Pros
Simple implementation
Cons
It can flood the inbox with repeated emails when timers run frequently.
Option 4 Event handling approach during application uninstall
The solution will include functionality to remove all system timers associated with applications that have just been removed. We can obtain a list of these timers from the application descriptor and remove them accordingly. However, we cannot remove user timers linked to the uninstalled application. To determine which user timers need to be removed, we should create a new section in the module descriptor/application descriptor to define all possible endpoints that can be used for timers within the module. This approach allows us to map these endpoints to the timers and remove them as necessary. However, if an application is just updated to a new version, user timers should not be deleted.
Conclusion
I recommend choosing Option 2, as it provides transparency for the administrator by displaying which timers have failed, and their durations, and allows make decisions based on this dashboard.
Spike Status: COMPLITED