alt api key

generall · generall · commit 264d7a75457f · 2025-12-28T14:45:17.000+01:00
diff --git a/lib/collection/src/shards/channel_service.rs b/lib/collection/src/shards/channel_service.rs
@@ -27,17 +27,25 @@ pub struct ChannelService {
     pub current_rest_port: u16,
     /// Instance wide API key if configured, must be used with care.
     pub api_key: Option<String>,
+
+    /// Alternative API key, works the same as `api_key`. Intended for rolling key updates.
+    pub alt_api_key: Option<String>,
 }
 
 impl ChannelService {
     /// Construct a new channel service with the given REST port.
-    pub fn new(current_rest_port: u16, api_key: Option<String>) -> Self {
+    pub fn new(
+        current_rest_port: u16,
+        api_key: Option<String>,
+        alt_api_key: Option<String>,
+    ) -> Self {
         Self {
             id_to_address: Default::default(),
             id_to_metadata: Default::default(),
             channel_pool: Default::default(),
             current_rest_port,
             api_key,
+            alt_api_key,
         }
     }
 
@@ -222,6 +230,7 @@ impl Default for ChannelService {
             channel_pool: Default::default(),
             current_rest_port: 6333,
             api_key: None,
+            alt_api_key: None,
         }
     }
 }
diff --git a/lib/collection/src/shards/transfer/snapshot.rs b/lib/collection/src/shards/transfer/snapshot.rs
@@ -236,14 +236,21 @@ pub(super) async fn transfer_snapshot(
 
     // Recover shard snapshot on remote
     log::trace!("Transferring and recovering shard {shard_id} snapshot on peer {remote_peer_id}");
+
+    // Since we are providing access to local instance, any of the API keys can be used
+    let local_api_key = channel_service
+        .api_key
+        .as_deref()
+        .or(channel_service.alt_api_key.as_deref());
+
     remote_shard
         .recover_shard_snapshot_from_url(
             collection_id,
             shard_id,
             &shard_download_url,
             SnapshotPriority::ShardTransfer,
             // Provide API key here so the remote can access our snapshot
-            channel_service.api_key.as_deref(),
+            local_api_key,
         )
         .await
         .map_err(|err| {
diff --git a/lib/collection/tests/integration/common/mod.rs b/lib/collection/tests/integration/common/mod.rs
@@ -101,7 +101,7 @@ pub async fn new_local_collection(
         Default::default(),
         CollectionShardDistribution::all_local(Some(config.params.shard_number.into()), 0),
         None,
-        ChannelService::new(REST_PORT, None),
+        ChannelService::new(REST_PORT, None, None),
         dummy_on_replica_failure(),
         dummy_request_shard_transfer(),
         dummy_abort_shard_transfer(),
@@ -136,7 +136,7 @@ pub async fn load_local_collection(
         path,
         snapshots_path,
         Default::default(),
-        ChannelService::new(REST_PORT, None),
+        ChannelService::new(REST_PORT, None, None),
         dummy_on_replica_failure(),
         dummy_request_shard_transfer(),
         dummy_abort_shard_transfer(),
diff --git a/lib/collection/tests/integration/continuous_snapshot_test.rs b/lib/collection/tests/integration/continuous_snapshot_test.rs
@@ -80,7 +80,7 @@ async fn test_continuous_snapshot() {
         Arc::new(storage_config),
         shard_distribution,
         None,
-        ChannelService::new(REST_PORT, None),
+        ChannelService::new(REST_PORT, None, None),
         dummy_on_replica_failure(),
         dummy_request_shard_transfer(),
         dummy_abort_shard_transfer(),
diff --git a/lib/collection/tests/integration/snapshot_recovery_test.rs b/lib/collection/tests/integration/snapshot_recovery_test.rs
@@ -77,7 +77,7 @@ async fn _test_snapshot_and_recover_collection(node_type: NodeType) {
         Arc::new(storage_config),
         shard_distribution,
         None,
-        ChannelService::new(REST_PORT, None),
+        ChannelService::new(REST_PORT, None, None),
         dummy_on_replica_failure(),
         dummy_request_shard_transfer(),
         dummy_abort_shard_transfer(),
@@ -137,7 +137,7 @@ async fn _test_snapshot_and_recover_collection(node_type: NodeType) {
         recover_dir.path(),
         snapshots_path.path(),
         Default::default(),
-        ChannelService::new(REST_PORT, None),
+        ChannelService::new(REST_PORT, None, None),
         dummy_on_replica_failure(),
         dummy_request_shard_transfer(),
         dummy_abort_shard_transfer(),
diff --git a/lib/storage/tests/integration/alias_tests.rs b/lib/storage/tests/integration/alias_tests.rs
@@ -91,7 +91,7 @@ fn test_alias_operation() {
         update_runtime,
         general_runtime,
         ResourceBudget::default(),
-        ChannelService::new(6333, None),
+        ChannelService::new(6333, None, None),
         0,
         Some(propose_operation_sender),
     ));
diff --git a/src/common/auth/mod.rs b/src/common/auth/mod.rs
@@ -3,6 +3,7 @@ use std::sync::Arc;
 use collection::operations::shard_selector_internal::ShardSelectorInternal;
 use collection::operations::types::ScrollRequestInternal;
 use common::counter::hardware_accumulator::HwMeasurementAcc;
+use itertools::Itertools;
 use segment::types::{WithPayloadInterface, WithVector};
 use storage::content_manager::errors::StorageError;
 use storage::content_manager::toc::TableOfContent;
@@ -24,12 +25,18 @@ pub struct AuthKeys {
     /// A key allowing Read or Write operations
     read_write: Option<String>,
 
+    /// Alternative to `read_write` key
+    alt_read_write: Option<String>,
+
     /// A key allowing Read operations
     read_only: Option<String>,
 
     /// A JWT parser, based on the read_write key
     jwt_parser: Option<JwtParser>,
 
+    /// Alternative JWT parser, based on the alt_read_write key
+    alt_jwt_parser: Option<JwtParser>,
+
     /// Table of content, needed to do stateful validation of JWT
     toc: Arc<TableOfContent>,
 }
@@ -42,14 +49,20 @@ pub enum AuthError {
 }
 
 impl AuthKeys {
-    fn get_jwt_parser(service_config: &ServiceConfig) -> Option<JwtParser> {
+    fn get_jwt_parser(service_config: &ServiceConfig) -> (Option<JwtParser>, Option<JwtParser>) {
         if service_config.jwt_rbac.unwrap_or_default() {
-            service_config
-                .api_key
-                .as_ref()
-                .map(|secret| JwtParser::new(secret))
+            (
+                service_config
+                    .api_key
+                    .as_ref()
+                    .map(|secret| JwtParser::new(secret)),
+                service_config
+                    .alt_api_key
+                    .as_ref()
+                    .map(|secret| JwtParser::new(secret)),
+            )
         } else {
-            None
+            (None, None)
         }
     }
 
@@ -59,15 +72,22 @@ impl AuthKeys {
     pub fn try_create(service_config: &ServiceConfig, toc: Arc<TableOfContent>) -> Option<Self> {
         match (
             service_config.api_key.clone(),
+            service_config.alt_api_key.clone(),
             service_config.read_only_api_key.clone(),
         ) {
-            (None, None) => None,
-            (read_write, read_only) => Some(Self {
-                read_write,
-                read_only,
-                jwt_parser: Self::get_jwt_parser(service_config),
-                toc,
-            }),
+            (None, None, None) => None,
+            (read_write, alt_read_write, read_only) => {
+                let (jwt_parser, alt_jwt_parser) = Self::get_jwt_parser(service_config);
+
+                Some(Self {
+                    read_write,
+                    alt_read_write,
+                    read_only,
+                    jwt_parser,
+                    alt_jwt_parser,
+                    toc,
+                })
+            }
         }
     }
 
@@ -98,13 +118,20 @@ impl AuthKeys {
             ));
         }
 
-        if let Some(claims) = self.jwt_parser.as_ref().and_then(|p| p.decode(key)) {
+        let (claims, errors): (Vec<_>, Vec<_>) =
+            [self.jwt_parser.as_ref(), self.alt_jwt_parser.as_ref()]
+                .into_iter()
+                .flatten()
+                .filter_map(|p| p.decode(key))
+                .partition_result();
+
+        if let Some(claims) = claims.into_iter().next() {
             let Claims {
                 sub,
                 exp: _, // already validated on decoding
                 access,
                 value_exists,
-            } = claims?;
+            } = claims;
 
             if let Some(value_exists) = value_exists {
                 self.validate_value_exists(&value_exists).await?;
@@ -113,6 +140,12 @@ impl AuthKeys {
             return Ok((access, InferenceToken(sub)));
         }
 
+        // JTW parser exists, but can't decode the token
+        if let Some(error) = errors.into_iter().next() {
+            return Err(error);
+        }
+
+        // No JTW parser configured
         Err(AuthError::Unauthorized(
             "Invalid API key or JWT".to_string(),
         ))
@@ -167,8 +200,14 @@ impl AuthKeys {
     /// Check if a key is allowed to write
     #[inline]
     fn can_write(&self, key: &str) -> bool {
-        self.read_write
+        let can_write = self
+            .read_write
+            .as_ref()
+            .is_some_and(|rw_key| ct_eq(rw_key, key));
+        let alt_can_write = self
+            .alt_read_write
             .as_ref()
-            .is_some_and(|rw_key| ct_eq(rw_key, key))
+            .is_some_and(|alt_rw_key| ct_eq(alt_rw_key, key));
+        can_write || alt_can_write
     }
 }
diff --git a/src/consensus.rs b/src/consensus.rs
@@ -1486,7 +1486,7 @@ mod tests {
             update_runtime,
             general_runtime,
             ResourceBudget::default(),
-            ChannelService::new(settings.service.http_port, None),
+            ChannelService::new(settings.service.http_port, None, None),
             persistent_state.this_peer_id(),
             Some(operation_sender.clone()),
         );
@@ -1511,7 +1511,7 @@ mod tests {
             6335,
             ConsensusConfig::default(),
             None,
-            ChannelService::new(settings.service.http_port, None),
+            ChannelService::new(settings.service.http_port, None, None),
             handle.clone(),
             false,
         )
diff --git a/src/main.rs b/src/main.rs
@@ -348,8 +348,11 @@ fn main() -> anyhow::Result<()> {
 
     // Channel service is used to manage connections between peers.
     // It allocates required number of channels and manages proper reconnection handling
-    let mut channel_service =
-        ChannelService::new(settings.service.http_port, settings.service.api_key.clone());
+    let mut channel_service = ChannelService::new(
+        settings.service.http_port,
+        settings.service.api_key.clone(),
+        settings.service.alt_api_key.clone(),
+    );
 
     if is_distributed_deployment {
         // We only need channel_service in case if cluster is enabled.
diff --git a/src/settings.rs b/src/settings.rs
@@ -35,6 +35,10 @@ pub struct ServiceConfig {
     #[serde(default)]
     pub verify_https_client_certificate: bool,
     pub api_key: Option<String>,
+
+    /// Same as `api_key`, can be used for rolling key rotation.
+    pub alt_api_key: Option<String>,
+
     pub read_only_api_key: Option<String>,
     #[serde(default)]
     pub jwt_rbac: Option<bool>,
@@ -308,14 +312,25 @@ impl Settings {
         // Using HMAC-SHA256, recommended secret size is 32 bytes
         const JWT_RECOMMENDED_SECRET_LENGTH: usize = 256 / 8;
 
+        let all_keys_are_empty = self.service.api_key.clone().unwrap_or_default().is_empty()
+            && self
+                .service
+                .alt_api_key
+                .clone()
+                .unwrap_or_default()
+                .is_empty();
+
+        let any_api_key_is_short = self.service.api_key.clone().unwrap_or_default().len()
+            < JWT_RECOMMENDED_SECRET_LENGTH
+            || self.service.alt_api_key.clone().unwrap_or_default().len()
+                < JWT_RECOMMENDED_SECRET_LENGTH;
+
         // Log if JWT RBAC is enabled but no API key is set
         if self.service.jwt_rbac.unwrap_or_default() {
-            if self.service.api_key.clone().unwrap_or_default().is_empty() {
+            if all_keys_are_empty {
                 log::warn!("JWT RBAC configured but no API key set, JWT RBAC is not enabled")
             // Log if JWT RAC is enabled, API key is set but smaller than recommended size for JWT secret
-            } else if self.service.api_key.clone().unwrap_or_default().len()
-                < JWT_RECOMMENDED_SECRET_LENGTH
-            {
+            } else if any_api_key_is_short {
                 log::warn!(
                     "It is highly recommended to use an API key of {JWT_RECOMMENDED_SECRET_LENGTH} bytes when JWT RBAC is enabled",
                 )
diff --git a/src/tonic/api/snapshots_api.rs b/src/tonic/api/snapshots_api.rs
@@ -259,20 +259,30 @@ impl ShardSnapshots for ShardSnapshotsService {
     ) -> Result<Response<RecoverSnapshotResponse>, Status> {
         let access = extract_access(&mut request);
         let request = request.into_inner();
+
         validate_and_log(&request);
 
+        let RecoverShardSnapshotRequest {
+            collection_name,
+            shard_id,
+            snapshot_location,
+            snapshot_priority,
+            checksum,
+            api_key,
+        } = request;
+
         let timing = Instant::now();
 
         common::snapshots::recover_shard_snapshot(
             self.toc.clone(),
             access,
-            request.collection_name,
-            request.shard_id,
-            request.snapshot_location.try_into()?,
-            request.snapshot_priority.try_into()?,
-            request.checksum,
+            collection_name,
+            shard_id,
+            snapshot_location.try_into()?,
+            snapshot_priority.try_into()?,
+            checksum,
             self.http_client.clone(),
-            request.api_key,
+            api_key,
         )
         .await?;
 
diff --git a/tests/consensus_tests/auth_tests/test_jwt_validation.py b/tests/consensus_tests/auth_tests/test_jwt_validation.py
@@ -2,7 +2,7 @@
 import requests
 from consensus_tests import fixtures
 
-from .utils import API_KEY_HEADERS, READ_ONLY_API_KEY, REST_URI, SECRET, encode_jwt
+from .utils import API_KEY_HEADERS, READ_ONLY_API_KEY, REST_URI, SECRET, encode_jwt, ALT_SECRET
 
 COLL_NAME = "jwt_test_collection"
 OTHER_COLL_NAME = "jwt_other_test_collection"
@@ -59,6 +59,11 @@ def scroll_with_token(collection: str, token: str) -> requests.Response:
 
 
 def test_value_exists_claim():
+    value_exists_claim_check(SECRET)
+    value_exists_claim_check(ALT_SECRET)
+
+s
+def value_exists_claim_check(secret):
     validation_collection = "jwt_validation_collection"
 
     key = "tokenId"
@@ -70,7 +75,8 @@ def test_value_exists_claim():
             "matches": [{"key": key, "value": value}],
         },
     }
-    token = encode_jwt(claims, SECRET)
+
+    token = encode_jwt(claims, secret)
 
     # Check that token does not work with unexisting collection
     with pytest.raises(requests.HTTPError):
diff --git a/tests/consensus_tests/auth_tests/utils.py b/tests/consensus_tests/auth_tests/utils.py
diff --git a/tests/consensus_tests/test_shard_snapshot_transfer.py b/tests/consensus_tests/test_shard_snapshot_transfer.py

Original file line number	Diff line number	Diff line change
`@@ -27,17 +27,25 @@ pub struct ChannelService {`
`27`	`27`	`pub current_rest_port: u16,`
`28`	`28`	`/// Instance wide API key if configured, must be used with care.`
`29`	`29`	`pub api_key: Option<String>,`
	`30`	`+`
	`31`	+ /// Alternative API key, works the same as `api_key`. Intended for rolling key updates.
	`32`	`+ pub alt_api_key: Option<String>,`
`30`	`33`	`}`
`31`	`34`
`32`	`35`	`impl ChannelService {`
`33`	`36`	`/// Construct a new channel service with the given REST port.`
`34`		`- pub fn new(current_rest_port: u16, api_key: Option<String>) -> Self {`
	`37`	`+ pub fn new(`
	`38`	`+ current_rest_port: u16,`
	`39`	`+ api_key: Option<String>,`
	`40`	`+ alt_api_key: Option<String>,`
	`41`	`+ ) -> Self {`
`35`	`42`	`Self {`
`36`	`43`	`id_to_address: Default::default(),`
`37`	`44`	`id_to_metadata: Default::default(),`
`38`	`45`	`channel_pool: Default::default(),`
`39`	`46`	`current_rest_port,`
`40`	`47`	`api_key,`
	`48`	`+ alt_api_key,`
`41`	`49`	`}`
`42`	`50`	`}`
`43`	`51`
`@@ -222,6 +230,7 @@ impl Default for ChannelService {`
`222`	`230`	`channel_pool: Default::default(),`
`223`	`231`	`current_rest_port: 6333,`
`224`	`232`	`api_key: None,`
	`233`	`+ alt_api_key: None,`
`225`	`234`	`}`
`226`	`235`	`}`
`227`	`236`	`}`