Skip to content

Security/version compatibility filter is not applied uniformly across discovery paths #293

Description

@conradbzura

Description

The security/version compatibility filter (secure-match + same-major version floor) is applied only on WorkerProxy's pool_uri construction path (proxy.py:513-518) and the static-workers path (proxy.py:521-535). User-supplied discovery subscribers are trusted verbatim (proxy.py:519-520), and WorkerPool's own subscriptions filter by tag only (pool.py:456/491) or not at all (pool.py:513/548) — incompatible or security-mismatched workers are admitted to the pool.

Expected behavior

Every discovery source passes one admission gate: the security and version rules apply at _worker_sentinel admission regardless of how the proxy was constructed, so an incompatible worker is never admitted rather than failing later at connect/handshake with transient-error and eviction noise. Construction-path filters retain their tag semantics. This is a behavior change for callers relying on unfiltered custom discovery and should be called out as such.

Root cause

The combined filter is built inside WorkerProxy.__init__'s pool_uri match arm as a subscription filter (LocalDiscovery(pool_uri).subscribe(filter=combined_filter)) rather than as an admission rule in the sentinel, so only construction paths that build their own subscription apply it. The discovery= arm assigns the supplied subscriber verbatim, and WorkerPool builds its subscriptions with tag-only predicates (pool.py:802-804), leaving no compatibility check on those paths.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions