client/v3: refresh the token when ErrUserEmpty is received while retrying

[r-ashish]

A change was made in the PR #12549 to clear the auth token before attempting to get a new one, when ErrInvalidAuthToken is returned by the server.

if callOpts.retryAuth && rpctypes.Error(lastErr) == rpctypes.ErrInvalidAuthToken {
	// clear auth token before refreshing it.
	// call c.Auth.Authenticate with an invalid token will always fail the auth check on the server-side,
	// if the server has not apply the patch of pr #12165 (https://github.com/etcd-io/etcd/pull/12165)
	// and a rpctypes.ErrInvalidAuthToken will recursively call c.getToken until system run out of resource.
	c.authTokenBundle.UpdateAuthToken("")

	gterr := c.getToken(ctx)
...

However, if the getToken call also fails due to some reason (eg. context deadline exceeded) then it will leave the client without a token and subsequent retries will continue to fail with ErrUserEmpty unless the token is somehow refreshed.

This fix will refresh the token when ErrUserEmpty ("etcdserver: user name is empty") is returned by the server and the client has non-empty username, password.

[r-ashish]

Also solves the Case 2 mentioned in: #10753, Case 1 was solved by #12549

[davissp14]

This is a pretty annoying issue and we seem to run into it fairly often. Would love to see this get merged.

[mitake]

Sorry I missed this PR, let me take a look later today.

[mitake]

LGTM, thanks a lot @r-ashish !

[davissp14]

@mitake This is causing issues for a lot of our users. Can the release be expedited somehow?

[r-ashish]

@mitake This is causing issues for a lot of our users. Can the release of this somehow?

hey @davissp14, not sure if you've already tried, if not, how feasible it would be for you but you can try a workaround that worked for us until this is released -

Reinitialize the etcd client upon receiving this error which will re authenticate to get a new token. It was easy enough for us to do this as we have a wrapper which handles all the etcd related opts.

[davissp14]

@r-ashish We actually attempted to move to JWT tokens, which seemed to workaround this specific issue. However, turns out they are broken in a slightly more annoying way... #13300

We are using Etcd as the backend store for Stolon/PG clusters. That being said, it would be easier for us to just move to Consul than fork Stolon and rewire everything to accommodate this.

[mitake]

@davissp14 sorry for inconvenience, let me check the other issue. BTW CN based auth is simpler and well tested. Is it possible to try that auth method?

[davissp14]

CN based auth isn't an option for us, sadly.

[mitake]

CN based auth isn't an option for us, sadly.

@davissp14 hmm I see, got it.

@spzala could you take a look at this?

[spzala]

lgtm @mitake
@r-ashish thanks, one quick review comment - can you please make sure if the changes is also needed here https://github.com/etcd-io/etcd/blob/main/client/v3/retry_interceptor.go#L250 (ref

[spzala]

lgtm @mitake
@r-ashish thanks and one quick review comment - can you please make sure if we should use this new func here as well https://github.com/etcd-io/etcd/blob/main/client/v3/retry_interceptor.go#L250 (ref to same PR that you have mentioned)

[r-ashish]

@spzala thanks for checking and pointing that out. I may be wrong but I think we already have the logic to get a new token for streams call on reconnect (retry_interceptor.go#L119) but would be good to use this new func at retry_interceptor.go#L250 as well.

Anyway, I'll update it soon.

[r-ashish]

Updated.

[mitake]

thanks @r-ashish @spzala !

[spzala]

Thank you @mitake