Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AuthStore::Recover is not invalidating caches. #13883

Closed
ptabor opened this issue Apr 5, 2022 · 4 comments
Closed

AuthStore::Recover is not invalidating caches. #13883

ptabor opened this issue Apr 5, 2022 · 4 comments
Labels
release/v3.6 stage/tracked type/bug

Comments

@ptabor
Copy link
Contributor

ptabor commented Apr 5, 2022
edited
Loading

What happened?

No repro in practice yet attempted. Adding FTR.

The method:

etcd/server/auth/store.go

Line 374 in a08d479

func (as *authStore) Recover(be AuthBackend) {

is used when a new snapshot is received over raft (e.g. server was lagging).

The method is not invalidating:

etcd/server/auth/store.go

Line 237 in a08d479

rangePermCache map[string]*unifiedRangePermissions // username -> unifiedRangePermissions

This creates risk that data server read out of the cache might be stale (e.g. permission got revoked in the 'meantime') but the cache is missing updates skipped in the WAL log application (because it loaded a fresher snapshot).

What did you expect to happen?

Reinitialize the cache.

How can we reproduce it (as minimally and precisely as possible)?

We need a test that will:

  • run 3 etcd instances
  • grant some permissions on ranges
  • diconnect a single member
  • revoke the permissions
  • commit a lot of transactions (or force the disconnected member run out of log horizont)
  • reconnect the member... the member is expected to download the snapshot...
  • check whether the member revokes the access to the given key-range.

Anything else we need to know?

No response

Etcd version (please run commands below)

Spotted in the main tree. But the logic was rather not changed recently.

Etcd configuration (command line flags or environment variables)

No response

Etcd debug information (please run commands blow, feel free to obfuscate the IP address or FQDN in the output)

No response

Relevant log output

No response
@ptabor ptabor added the type/bug label Apr 5, 2022
This was referenced Apr 5, 2022
Merged
Closed
@mitake
Copy link
Contributor

mitake commented Apr 6, 2022

@ptabor Thanks for figuring out this. I'll try to reproduce and analyze related code this weekend.

@mitake
Copy link
Contributor

mitake commented Apr 10, 2022

@ptabor I'm still trying to reproduce, but invalidating rangePermCache in authStore.Recover() is fine and good for defensive purpose. I'll open a PR for the change.

@mitake mitake mentioned this issue Apr 10, 2022
Closed
@serathius serathius mentioned this issue Jun 21, 2022
Closed
16 tasks
@stale
Copy link

stale bot commented Jul 10, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 10, 2022
@stale stale bot removed the stale label Sep 7, 2022
@serathius
Copy link
Member

Fixed with #14358

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
release/v3.6 stage/tracked type/bug
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

server/auth: invalidate range permission cache during recovering from… mitake/etcd
3 participants
@mitake @serathius @ptabor