Skip to content

fix: provider_data_var context leak (backport #5227)#5250

Open
jaideepr97 wants to merge 1 commit intollamastack:release-0.6.xfrom
jaideepr97:backport/pr-5227-release-0.6.x
Open

fix: provider_data_var context leak (backport #5227)#5250
jaideepr97 wants to merge 1 commit intollamastack:release-0.6.xfrom
jaideepr97:backport/pr-5227-release-0.6.x

Conversation

@jaideepr97
Copy link
Contributor

@jaideepr97 jaideepr97 commented Mar 23, 2026
edited
Loading

Summary

This backport was generated and pushed by claude

Backport of #5227 to release-0.6.x.

  • Fixes PROVIDER_DATA_VAR contextvar leak through long-lived background worker tasks (asyncio.create_task copies all contextvars at creation time, so workers permanently inherit the spawning request's auth identity)
  • Introduces a unified RequestContext in core/task.py that captures both OTel trace context and PROVIDER_DATA_VAR together, with helpers to capture at enqueue time and re-activate per work-item
  • Updates InferenceStore and OpenAIResponsesImpl background workers to use the new context propagation pattern

Adapted for release-0.6.x directory structure (meta_reference paths instead of builtin).

Closes #5221

Test plan

  • tests/unit/core/test_task.py (10 tests): Verifies RequestContext capture/activate semantics, detached task isolation for both OTel and PROVIDER_DATA_VAR, caller context restoration, queue-based propagation patterns, and cross-contamination prevention.
  • tests/unit/utils/inference/test_provider_data_leak.py (1 test): Reproduces the InferenceStore write queue leak end-to-end — two users store completions through the async queue, then verifies each user can only see their own completions via AuthorizedSqlStore access policies.
  • tests/unit/providers/agents/meta_reference/test_responses_background.py (6 new tests):
    • TestResponsesOtelContextPropagation (3 tests): Verifies OTel trace attribution through the responses background worker.
    • TestResponsesProviderDataPropagation (3 tests): Verifies user identity propagation through the responses background worker.

All 447 unit tests in affected directories pass. All pre-commit hooks pass.

Made with Cursor

@jaideepr97
fix: provider_data_var context leak (llamastack#5227) (backport)
c4547c3 
Backport of commit 9b86ce8 from main to release-0.6.x.

PROVIDER_DATA_VAR — the ContextVar that carries authenticated user
identity — leaks through asyncio.create_task copy semantics into
long-lived background workers. When a background worker is spawned, it
permanently inherits the spawning request's PROVIDER_DATA_VAR, causing
all subsequent DB writes to be stamped with the wrong user's identity.

This introduces a unified RequestContext in core/task.py that captures
both OTel trace context and PROVIDER_DATA_VAR together. Background
workers in InferenceStore and OpenAIResponsesImpl now capture context at
enqueue time and re-activate it per work-item, ensuring each operation
runs under the correct user identity and trace.

Adapted for release-0.6.x directory structure (meta_reference paths
instead of builtin).

Signed-off-by: Jaideep Rao <jrao@redhat.com>
Made-with: Cursor
@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Mar 23, 2026
@jaideepr97 jaideepr97 mentioned this pull request Mar 23, 2026
Open
@iamemilio
Copy link
Contributor

iamemilio commented Mar 23, 2026

LGTM, can replace #5228 as well

@leseb
Copy link
Collaborator

leseb commented Mar 24, 2026

@jaideepr97 so this includes two PR in a single backport? if so, then this is wrong, we need 2 distincts commits (so 2 PRs) thanks

@jaideepr97
Copy link
Contributor Author

jaideepr97 commented Mar 24, 2026

@jaideepr97 so this includes two PR in a single backport? if so, then this is wrong, we need 2 distincts commits (so 2 PRs) thanks

if we need 2 separate commits so the git history matches what is in main then @iamemilio please fix #5228
but functionally it would be the same as just merging this PR because this one generalizes the changes in 5228 so it is a bit of a superset of sorts

@iamemilio
Copy link
Contributor

iamemilio commented Mar 24, 2026

I'll try to get to this later this week or next week in that case. My hands are pretty full right now and this is just a backport, so hopefully thats ok

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ashwinb ashwinb Awaiting requested review from ashwinb ashwinb is a code owner

@raghotham raghotham Awaiting requested review from raghotham raghotham is a code owner

@ehhuang ehhuang Awaiting requested review from ehhuang ehhuang is a code owner

@leseb leseb Awaiting requested review from leseb leseb is a code owner

@bbrowning bbrowning Awaiting requested review from bbrowning bbrowning is a code owner

@mattf mattf Awaiting requested review from mattf mattf is a code owner

@franciscojavierarceo franciscojavierarceo Awaiting requested review from franciscojavierarceo franciscojavierarceo is a code owner

@cdoern cdoern Awaiting requested review from cdoern cdoern is a code owner

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jaideepr97 @iamemilio @leseb