Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable auth gracefully without impacting existing watchers #13577

Merged
merged 1 commit into from
Jan 4, 2022
Merged

Disable auth gracefully without impacting existing watchers #13577

merged 1 commit into from
Jan 4, 2022

Conversation

sayap
Copy link
Contributor

@sayap sayap commented Dec 31, 2021

This attempts to fix a special case of the problem described in #12385,
where trying to do clientv3.Watch with an expired token would result
in ErrGRPCPermissionDenied, due to the failing authorization check in
isWatchPermitted. Furthermore, the client can't auto recover, since
shouldRefreshToken rightly returns false for the permission denied
error.

In this case, we would like to have a runbook to dynamically disable
auth, without causing any disruption. Doing so would immediately expire
all existing tokens, which would then cause the behavior described
above. This means existing watchers would still work for a period of
time after disabling auth, until they have to reconnect, e.g. due to a
rolling restart of server nodes.

This commit adds a client-side fix and a server-side fix, either of
which is sufficient to get the added test case to pass. Note that it is
an e2e test case instead of an integration one, as the reconnect only
happens if the server node is stopped via SIGINT or SIGTERM.

A generic fix for the problem described in #12385 would be better, as
that shall also fix this special case. However, the fix would likely be
a lot more involved, as some untangling of authn/authz is required.

@sayap
Disable auth gracefully without impacting existing watchers
17fd2e7 
This attempts to fix a special case of the problem described in etcd-io#12385,
where trying to do `clientv3.Watch` with an expired token would result
in `ErrGRPCPermissionDenied`, due to the failing authorization check in
`isWatchPermitted`. Furthermore, the client can't auto recover, since
`shouldRefreshToken` rightly returns false for the permission denied
error.

In this case, we would like to have a runbook to dynamically disable
auth, without causing any disruption. Doing so would immediately expire
all existing tokens, which would then cause the behavior described
above. This means existing watchers would still work for a period of
time after disabling auth, until they have to reconnect, e.g. due to a
rolling restart of server nodes.

This commit adds a client-side fix and a server-side fix, either of
which is sufficient to get the added test case to pass. Note that it is
an e2e test case instead of an integration one, as the reconnect only
happens if the server node is stopped via SIGINT or SIGTERM.

A generic fix for the problem described in etcd-io#12385 would be better, as
that shall also fix this special case. However, the fix would likely be
a lot more involved, as some untangling of authn/authz is required.
@mitake
Copy link
Contributor

mitake commented Jan 1, 2022

@sayap thanks for the PR, let me check.

mitake
mitake approved these changes Jan 3, 2022
View reviewed changes
Copy link
Contributor

@mitake mitake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! Defer to @spzala @ptabor

spzala
spzala approved these changes Jan 4, 2022
View reviewed changes
Copy link
Member

@spzala spzala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm
Thanks @sayap

@spzala spzala merged commit a96f5ee into etcd-io:main Jan 4, 2022
@sayap sayap mentioned this pull request Jun 15, 2022
Closed
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
@liangyuanpeng
Backport etcd-io#13577
a8ba7cc 
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <[email protected]>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
@liangyuanpeng
Backport etcd-io#13577
30f80eb 
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <[email protected]>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
@liangyuanpeng
Backport etcd-io#13577
47cef60 
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <[email protected]>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
@liangyuanpeng
Backport etcd-io#13577
960cd26 
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <[email protected]>
This was referenced Jul 14, 2023
Merged
Merged
ahrtr added a commit that referenced this pull request Jul 14, 2023
@ahrtr
Merge pull request #16241 from liangyuanpeng/backport_13577_3.5
9ac1d73 
[3.5] Backport #13577 to 3.5
ahrtr added a commit that referenced this pull request Jul 14, 2023
@ahrtr
Merge pull request #16240 from liangyuanpeng/backport_13577_3.4
05d7c10 
[3.4] Backport #13577 to 3.4
@jmhbnz jmhbnz mentioned this pull request Aug 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spzala spzala spzala approved these changes

@mitake mitake mitake approved these changes

Assignees
No one assigned
Labels
backport/v3.4 backport/v3.5
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sayap @mitake @spzala @ahrtr