feat: make access check timeout configurable via ACCESS_CHECK_TIMEOUT_SECONDS

Allow operators to tune the access validation timeout (default 15s) via
the ACCESS_CHECK_TIMEOUT_SECONDS environment variable on the deployment.
This provides a safety valve for environments with slower external models
where the default may be insufficient.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

Author: liangwen12year

maas-api/cmd/main.go

@@ -148,7 +148,7 @@ func registerHandlers(ctx context.Context, log *logger.Logger, router *gin.Engin
 
 	subscriptionSelector := subscription.NewSelector(log, cluster.MaaSSubscriptionLister)
 
-	modelManager, err := models.NewManager(log)
+	modelManager, err := models.NewManager(log, cfg.AccessCheckTimeoutSeconds)
 	if err != nil {
 		log.Fatal("Failed to create model manager", "error", err)
 	}

maas-api/internal/config/config.go

@@ -46,6 +46,12 @@ type Config struct {
 	// Default: 30 days. Minimum: 1 day.
 	APIKeyMaxExpirationDays int
 
+	// AccessCheckTimeoutSeconds bounds the total duration of model access validation.
+	// This limits the staleness window between when access is checked and when the
+	// response reaches the client. Models whose probes don't complete within this
+	// window are excluded (fail-closed). Default: 15 seconds. Minimum: 1 second.
+	AccessCheckTimeoutSeconds int
+
 	// Deprecated flag (backward compatibility with pre-TLS version)
 	deprecatedHTTPPort string
 }
@@ -56,6 +62,7 @@ func Load() *Config {
 	gatewayName := env.GetString("GATEWAY_NAME", constant.DefaultGatewayName)
 	secure, _ := env.GetBool("SECURE", false)
 	maxExpirationDays, _ := env.GetInt("API_KEY_MAX_EXPIRATION_DAYS", constant.DefaultAPIKeyMaxExpirationDays)
+	accessCheckTimeoutSeconds, _ := env.GetInt("ACCESS_CHECK_TIMEOUT_SECONDS", 15)
 
 	c := &Config{
 		Name:                      env.GetString("INSTANCE_NAME", gatewayName),
@@ -69,6 +76,7 @@ func Load() *Config {
 		DebugMode:                 debugMode,
 		DBConnectionURL:           "", // Loaded from K8s secret via LoadDatabaseURL()
 		APIKeyMaxExpirationDays:   maxExpirationDays,
+		AccessCheckTimeoutSeconds: accessCheckTimeoutSeconds,
 		// Deprecated env var (backward compatibility with pre-TLS version)
 		deprecatedHTTPPort: env.GetString("PORT", ""),
 	}
@@ -141,6 +149,10 @@ func (c *Config) Validate() error {
 		return errors.New("API_KEY_MAX_EXPIRATION_DAYS must be at least 1")
 	}
 
+	if c.AccessCheckTimeoutSeconds < 1 {
+		return errors.New("ACCESS_CHECK_TIMEOUT_SECONDS must be at least 1")
+	}
+
 	return nil
 }
 

maas-api/internal/handlers/models_test.go

@@ -320,7 +320,7 @@ func TestListingModels(t *testing.T) {
 	}
 	router, _ := fixtures.SetupTestServer(t, config)
 
-	modelMgr, errMgr := models.NewManager(testLogger)
+	modelMgr, errMgr := models.NewManager(testLogger, 15)
 	require.NoError(t, errMgr)
 
 	// Set up test fixtures
@@ -435,7 +435,7 @@ func TestListingModelsWithSubscriptionHeader(t *testing.T) {
 	}
 	router, _ := fixtures.SetupTestServer(t, config)
 
-	modelMgr, errMgr := models.NewManager(testLogger)
+	modelMgr, errMgr := models.NewManager(testLogger, 15)
 	require.NoError(t, errMgr)
 
 	_, cleanup := fixtures.StubTokenProviderAPIs(t)
@@ -657,7 +657,7 @@ func TestListModels_ReturnAllModels(t *testing.T) {
 		},
 	}
 
-	modelMgr, err := models.NewManager(testLogger)
+	modelMgr, err := models.NewManager(testLogger, 15)
 	require.NoError(t, err)
 
 	subscriptionSelector := subscription.NewSelector(testLogger, subscriptionLister)
@@ -839,7 +839,7 @@ func TestListModels_DeduplicationBySubscription(t *testing.T) {
 		},
 	}
 
-	modelMgr, err := models.NewManager(testLogger)
+	modelMgr, err := models.NewManager(testLogger, 15)
 	require.NoError(t, err)
 
 	subscriptionSelector := subscription.NewSelector(testLogger, subscriptionLister)
@@ -950,7 +950,7 @@ func TestListModels_DifferentModelRefsWithSameModelID(t *testing.T) {
 		},
 	}
 
-	modelMgr, err := models.NewManager(testLogger)
+	modelMgr, err := models.NewManager(testLogger, 15)
 	require.NoError(t, err)
 
 	subscriptionSelector := subscription.NewSelector(testLogger, subscriptionLister)
@@ -1050,7 +1050,7 @@ func TestListModels_DifferentModelRefsWithSameURLAndModelID(t *testing.T) {
 		},
 	}
 
-	modelMgr, err := models.NewManager(testLogger)
+	modelMgr, err := models.NewManager(testLogger, 15)
 	require.NoError(t, err)
 
 	subscriptionSelector := subscription.NewSelector(testLogger, subscriptionLister)
@@ -1149,7 +1149,7 @@ func TestListModels_DifferentModelRefsWithSameModelIDAndDifferentSubscriptions(t
 		},
 	}
 
-	modelMgr, err := models.NewManager(testLogger)
+	modelMgr, err := models.NewManager(testLogger, 15)
 	require.NoError(t, err)
 
 	subscriptionSelector := subscription.NewSelector(testLogger, subscriptionLister)

maas-api/internal/models/discovery.go

@@ -37,27 +37,35 @@ const (
 	httpIdleConnTimeout     = 90 * time.Second
 	maxDiscoveryConcurrency = 10
 
-	// accessCheckTimeout bounds the total duration of FilterModelsByAccess.
+	// defaultAccessCheckTimeout bounds the total duration of FilterModelsByAccess.
 	// This limits the staleness window between when access is checked and when
 	// the response reaches the client. Models whose probes don't complete within
 	// this window are excluded (fail-closed).
-	accessCheckTimeout = 15 * time.Second
+	defaultAccessCheckTimeout = 15 * time.Second
 )
 
 // Manager runs access validation (probe model endpoints) for models listed from MaaSModelRef.
 type Manager struct {
-	logger     *logger.Logger
-	httpClient *http.Client
+	logger             *logger.Logger
+	httpClient         *http.Client
+	accessCheckTimeout time.Duration
 }
 
 // NewManager creates a Manager for filtering models by access. The client uses InsecureSkipVerify
 // for cluster-internal probes; auth is enforced by the gateway/model server.
-func NewManager(log *logger.Logger) (*Manager, error) {
+// accessCheckTimeoutSeconds controls the total duration bound for access validation;
+// if <= 0, the default of 15 seconds is used.
+func NewManager(log *logger.Logger, accessCheckTimeoutSeconds int) (*Manager, error) {
 	if log == nil {
 		return nil, errors.New("log is required")
 	}
+	timeout := defaultAccessCheckTimeout
+	if accessCheckTimeoutSeconds > 0 {
+		timeout = time.Duration(accessCheckTimeoutSeconds) * time.Second
+	}
 	return &Manager{
-		logger: log,
+		logger:             log,
+		accessCheckTimeout: timeout,
 		httpClient: &http.Client{
 			Timeout: httpClientTimeout,
 			Transport: &http.Transport{
@@ -88,7 +96,7 @@ func (m *Manager) FilterModelsByAccess(ctx context.Context, models []Model, auth
 	}
 
 	// Bound the total access-check duration to limit the staleness window.
-	ctx, cancel := context.WithTimeout(ctx, accessCheckTimeout)
+	ctx, cancel := context.WithTimeout(ctx, m.accessCheckTimeout)
 	defer cancel()
 
 	m.logger.Debug("FilterModelsByAccess: validating access for models", "count", len(models), "subscriptionHeaderProvided", subscriptionHeader != "")
@@ -228,7 +236,7 @@ func (m *Manager) fetchModelsWithRetry(ctx context.Context, authHeader string, s
 		return lastResult != authRetry, nil
 	}); err != nil {
 		if errors.Is(err, context.DeadlineExceeded) || ctx.Err() == context.DeadlineExceeded {
-			m.logger.Debug("Access validation failed: context deadline exceeded", "service", meta.ServiceName, "endpoint", meta.Endpoint, "timeout", accessCheckTimeout)
+			m.logger.Debug("Access validation failed: context deadline exceeded", "service", meta.ServiceName, "endpoint", meta.Endpoint, "timeout", m.accessCheckTimeout)
 		} else {
 			m.logger.Debug("Access validation failed: model fetch backoff exhausted", "service", meta.ServiceName, "endpoint", meta.Endpoint, "error", err)
 		}