Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable auth gracefully without impacting existing watchers #13577

Merged
merged 1 commit into from
Jan 4, 2022

Conversation

sayap
Copy link
Contributor

@sayap sayap commented Dec 31, 2021

This attempts to fix a special case of the problem described in #12385,
where trying to do clientv3.Watch with an expired token would result
in ErrGRPCPermissionDenied, due to the failing authorization check in
isWatchPermitted. Furthermore, the client can't auto recover, since
shouldRefreshToken rightly returns false for the permission denied
error.

In this case, we would like to have a runbook to dynamically disable
auth, without causing any disruption. Doing so would immediately expire
all existing tokens, which would then cause the behavior described
above. This means existing watchers would still work for a period of
time after disabling auth, until they have to reconnect, e.g. due to a
rolling restart of server nodes.

This commit adds a client-side fix and a server-side fix, either of
which is sufficient to get the added test case to pass. Note that it is
an e2e test case instead of an integration one, as the reconnect only
happens if the server node is stopped via SIGINT or SIGTERM.

A generic fix for the problem described in #12385 would be better, as
that shall also fix this special case. However, the fix would likely be
a lot more involved, as some untangling of authn/authz is required.

This attempts to fix a special case of the problem described in etcd-io#12385,
where trying to do `clientv3.Watch` with an expired token would result
in `ErrGRPCPermissionDenied`, due to the failing authorization check in
`isWatchPermitted`. Furthermore, the client can't auto recover, since
`shouldRefreshToken` rightly returns false for the permission denied
error.

In this case, we would like to have a runbook to dynamically disable
auth, without causing any disruption. Doing so would immediately expire
all existing tokens, which would then cause the behavior described
above. This means existing watchers would still work for a period of
time after disabling auth, until they have to reconnect, e.g. due to a
rolling restart of server nodes.

This commit adds a client-side fix and a server-side fix, either of
which is sufficient to get the added test case to pass. Note that it is
an e2e test case instead of an integration one, as the reconnect only
happens if the server node is stopped via SIGINT or SIGTERM.

A generic fix for the problem described in etcd-io#12385 would be better, as
that shall also fix this special case. However, the fix would likely be
a lot more involved, as some untangling of authn/authz is required.
@mitake
Copy link
Contributor

mitake commented Jan 1, 2022

@sayap thanks for the PR, let me check.

Copy link
Contributor

@mitake mitake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! Defer to @spzala @ptabor

Copy link
Member

@spzala spzala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm
Thanks @sayap

@spzala spzala merged commit a96f5ee into etcd-io:main Jan 4, 2022
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
liangyuanpeng added a commit to liangyuanpeng/etcd that referenced this pull request Jul 14, 2023
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
ahrtr added a commit that referenced this pull request Jul 14, 2023
ahrtr added a commit that referenced this pull request Jul 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

4 participants