-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
client/v3: refresh the token when ErrUserEmpty is received while retrying #13262
Conversation
This is a pretty annoying issue and we seem to run into it fairly often. Would love to see this get merged. |
Sorry I missed this PR, let me take a look later today. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks a lot @r-ashish !
@mitake This is causing issues for a lot of our users. Can the release be expedited somehow? |
hey @davissp14, not sure if you've already tried, if not, how feasible it would be for you but you can try a workaround that worked for us until this is released - Reinitialize the etcd client upon receiving this error which will re authenticate to get a new token. It was easy enough for us to do this as we have a wrapper which handles all the etcd related opts. |
@r-ashish We actually attempted to move to JWT tokens, which seemed to workaround this specific issue. However, turns out they are broken in a slightly more annoying way... #13300 We are using Etcd as the backend store for Stolon/PG clusters. That being said, it would be easier for us to just move to Consul than fork Stolon and rewire everything to accommodate this. |
@davissp14 sorry for inconvenience, let me check the other issue. BTW CN based auth is simpler and well tested. Is it possible to try that auth method? |
CN based auth isn't an option for us, sadly. |
@davissp14 hmm I see, got it. @spzala could you take a look at this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm @mitake
@r-ashish thanks, one quick review comment - can you please make sure if the changes is also needed here https://github.com/etcd-io/etcd/blob/main/client/v3/retry_interceptor.go#L250 (ref
@@ -149,6 +149,17 @@ func (c *Client) streamClientInterceptor(optFuncs ...retryOption) grpc.StreamCli | |||
} | |||
} | |||
|
|||
// shouldRefreshToken checks whether there's a need to refresh the token based on the error and callOptions, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm @mitake
@r-ashish thanks and one quick review comment - can you please make sure if we should use this new func here as well https://github.com/etcd-io/etcd/blob/main/client/v3/retry_interceptor.go#L250 (ref to same PR that you have mentioned)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@spzala thanks for checking and pointing that out. I may be wrong but I think we already have the logic to get a new token for streams call on reconnect (retry_interceptor.go#L119) but would be good to use this new func at retry_interceptor.go#L250 as well.
Anyway, I'll update it soon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @mitake
…ying To fix a bug in the retry logic caused when the auth token is cleared after receiving `ErrInvalidAuthToken` from the server and the subsequent call to `getToken` also fails due to some reason (eg. context deadline exceeded). This leaves the client without a token and the retry will continue to fail with `ErrUserEmpty` unless the token is refreshed.
A change was made in the PR #12549 to clear the auth token before attempting to get a new one, when
ErrInvalidAuthToken
is returned by the server.However, if the
getToken
call also fails due to some reason (eg. context deadline exceeded) then it will leave the client without a token and subsequent retries will continue to fail withErrUserEmpty
unless the token is somehow refreshed.This fix will refresh the token when
ErrUserEmpty
("etcdserver: user name is empty") is returned by the server and the client has non-empty username, password.