clientv3:get AuthToken gracefully without extra connection.

[cfc4n]

clientv3: get AuthToken gracefully without extra connection.

ignore AuthToken check when InternalRequest was AuthenticateRequest also etcdserverpb.Auth/Authenticate.

[xiang90]

/cc @mitake can you take a look?

[mitake]

Could you update the log of the 2nd commit to something like etcdserver: check authinfo if it is not InternalAuthenticateRequest for the style check?

The overall direction seems to be fine. I'll take a look at failed tests sometime this week. It's great if you can also take a look.

[mitake]

This is a nice idea, thanks!

[cfc4n]

tests failed in https://travis-ci.com/github/etcd-io/etcd/jobs/364568672#L2153

--- PASS: TestWatchClose (0.60s)
PASS
Too many goroutines running after all test(s).
2 instances of:
google.golang.org/grpc.(*ccBalancerWrapper).watcher(...)
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:69 +0x1a2
created by google.golang.org/grpc.newCCBalancerWrapper
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:60 +0x2f4
2 instances of:
google.golang.org/grpc.(*addrConn).resetTransport(...)
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:1134 +0x57f
created by google.golang.org/grpc.(*addrConn).connect
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:800 +0x104
FAIL	go.etcd.io/etcd/v3/clientv3/integration	342.755s
FAIL

I don't understand this logs . @mitake Can you tell me the reason? and I'll continue to debug it.

[cfc4n]

tests failed in https://travis-ci.com/github/etcd-io/etcd/jobs/364568672#L2153

--- PASS: TestWatchClose (0.60s)
PASS
Too many goroutines running after all test(s).
2 instances of:
google.golang.org/grpc.(*ccBalancerWrapper).watcher(...)
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:69 +0x1a2
created by google.golang.org/grpc.newCCBalancerWrapper
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:60 +0x2f4
2 instances of:
google.golang.org/grpc.(*addrConn).resetTransport(...)
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:1134 +0x57f
created by google.golang.org/grpc.(*addrConn).connect
	/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:800 +0x104
FAIL	go.etcd.io/etcd/v3/clientv3/integration	342.755s
FAIL

I don't understand this logs . @mitake Can you tell me the reason? and I'll continue to debug it.

I saw the same error in https://travis-ci.com/github/etcd-io/etcd/jobs/366031014#L2114 , is it means that i can ignore this error?
/cc @xiang90 @mitake @gyuho

[mitake]

@cfc4n the error message means the test introduced leaked goroutines even after cleaning up resources. I tried to reproduce the error on my local machine but couldn't:

PASSES=integration TESTCASE=TestWatchClose  ./test                                                                                                                                                                               00:06:15
Running with TEST_CPUS: 1,2,4
Starting 'integration' pass at 2020年  8月  3日 月曜日 00:06:26 JST
Running integration tests...
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/integration	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/client/integration	(cached) [no tests to run]
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.24s)
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.18s)
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.18s)
PASS
ok  	go.etcd.io/etcd/v3/clientv3/integration	(cached)
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/contrib/raftexample	(cached) [no tests to run]
Finished 'integration' pass at 2020年  8月  3日 月曜日 00:06:26 JST
Success

I guess it would be non deterministic failure, but am not fully sure yet.

Also travis shows some failed test cases:

--- FAIL: TestCtlV3AuthLeaseGrantLeases (10.92s)
--- FAIL: TestCtlV3AuthLeaseGrantLeasesJWT (10.53s)
--- FAIL: TestCtlV3AuthLeaseRevoke (10.15s)
--- FAIL: TestCtlV3AuthDefrag (1.77s)
--- FAIL: TestCtlV3AuthDisable (4.18s)

I'll look at the failed test cases, but if you can help it's great.

[mitake]

Do we have a reason to hide this error code?

[cfc4n]

That means etcd cluster do not enable auth. so return nil .
ref #10428

[mitake]

If we return nil, clients continue retrying forever like this when they issue Authenticate() request:

~/g/s/g/etcd [get_authtoken_gracefully]× Â» bin/etcdctl get k1 --user u1:p                                                  -130- 18:08:51
{"level":"warn","ts":"2020-08-15T18:08:51.760+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-3a425fc6-a534-496d-872b-9c074bc66927/127.0.0.1:2379","attempt":0,"error":"rpc error: code = FailedPrecondition desc = etcdserver: authentication is not enabled"}
{"level":"warn","ts":"2020-08-15T18:08:51.762+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-3a425fc6-a534-496d-872b-9c074bc66927/127.0.0.1:2379","attempt":0,"error":"rpc error: code = Unauthenticated desc = etcdserver: invalid auth token"}
{"level":"warn","ts":"2020-08-15T18:08:51.764+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-3a425fc6-a534-496d-872b-9c074bc66927/127.0.0.1:2379","attempt":0,"error":"rpc error: code = FailedPrecondition desc = etcdserver: authentication is not enabled"}
...

The behavior is different from the original one. I think it would be related to the failed test cases, let me check.

[mitake]

It wasn't related to the failed test cases. I'm checking its effect.

[cfc4n]

@cfc4n the error message means the test introduced leaked goroutines even after cleaning up resources. I tried to reproduce the error on my local machine but couldn't:

PASSES=integration TESTCASE=TestWatchClose  ./test                                                                                                                                                                               00:06:15
Running with TEST_CPUS: 1,2,4
Starting 'integration' pass at 2020年  8月  3日 月曜日 00:06:26 JST
Running integration tests...
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/integration	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/client/integration	(cached) [no tests to run]
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.24s)
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.18s)
=== RUN   TestWatchClose
--- PASS: TestWatchClose (0.18s)
PASS
ok  	go.etcd.io/etcd/v3/clientv3/integration	(cached)
testing: warning: no tests to run
PASS
ok  	go.etcd.io/etcd/v3/contrib/raftexample	(cached) [no tests to run]
Finished 'integration' pass at 2020年  8月  3日 月曜日 00:06:26 JST
Success

I guess it would be non deterministic failure, but am not fully sure yet.

Also travis shows some failed test cases:

--- FAIL: TestCtlV3AuthLeaseGrantLeases (10.92s)
--- FAIL: TestCtlV3AuthLeaseGrantLeasesJWT (10.53s)
--- FAIL: TestCtlV3AuthLeaseRevoke (10.15s)
--- FAIL: TestCtlV3AuthDefrag (1.77s)
--- FAIL: TestCtlV3AuthDisable (4.18s)

I'll look at the failed test cases, but if you can help it's great.

Test passed in my cloud server with 8 Core\32G memory ,and CPU Intel(R) Xeon(R) CPU E5-26xx.
Many be the reason was small server.

[mitake]

Test passed in my cloud server with 8 Core\32G memory ,and CPU Intel(R) Xeon(R) CPU E5-26xx.
Many be the reason was small server.

I have a machine with similar resources but can reproduce the failed test cases. I couldn't allocate a time for this last week. Hopefully I can work on the issue this week. Sorry for keeping you waiting.

[cfc4n]

@gyuho @jingyih PTAL,thanks.

[mitake]

@cfc4n The direct cause of the failed test cases is that this PR changes behavior of etcd server with auth disabled. Typical failed request/response sequences would be like below:

1. clients which has username:password issue Authenticate() to server, and the server returns ErrAuthNotEnabled
2. the retry interceptor (created and configured by unaryClientInterceptor()) simply retries in the first attempt
3. after the second attempts, the interceptor supplies an empty auth token through perRPCCredential.GetRequestMetadata(). The empty token is treated as an invalid one by the server. The interceptor continues retry until exhausting retry attempts.

The older version (current master branch) doesn't use interceptor for Authenticate() because a dedicated grpc connection is used for Authenticate() request. But this PR lets the request use an usual grpc connection like other request types. So the issue happens.

I think this commit fixes the problem, could you pick the commit in your PR? mitake@747cc70

[mitake]

On my local machine TestCtlV3AuthDefrag still fails. etcdctl's Defragment() usage is a little bit different from other RPC types so something is still conflicting. Let me check.

[cfc4n]

On my local machine TestCtlV3AuthDefrag still fails. etcdctl's Defragment() usage is a little bit different from other RPC types so something is still conflicting. Let me check.

OK,I'll test this pr for all TESTS later,thank you.

[cfc4n]

@mitake thanks, I reproduced it, I will try to fix it.

[cfc4n]

That is my fault. Root cause was lose c.getToken function called in NewMaintenance.

etcd/clientv3/maintenance.go

Lines 77 to 99 in 5185706

	func NewMaintenance(c *Client) Maintenance {
	api := &maintenance{
	lg: c.lg,
	dial: func(endpoint string) (pb.MaintenanceClient, func(), error) {
	conn, err := c.Dial(endpoint)
	if err != nil {
	return nil, nil, fmt.Errorf("failed to dial endpoint %s with maintenance client: %v", endpoint, err)
	}
	//get token with established connection
	dctx := c.ctx
	cancel := func() {}
	if c.cfg.DialTimeout > 0 {
	dctx, cancel = context.WithTimeout(c.ctx, c.cfg.DialTimeout)
	}
	err = c.getToken(dctx)
	cancel()
	if err != nil {
	return nil, nil, fmt.Errorf("failed to getToken from endpoint %s with maintenance client: %v", endpoint, err)
	}
	cancel = func() { conn.Close() }
	return RetryMaintenanceClient(c, conn), cancel, nil
	},

Thanks for your help. @mitake

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 94.87179% with 2 lines in your changes missing coverage. Please review.

Project coverage is 64.00%. Comparing base (0526f46) to head (07e9eb0).

Files with missing lines	Patch %	Lines
clientv3/maintenance.go	77.77%	1 Missing and 1 partial ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12165      +/-   ##
==========================================
- Coverage   64.00%   64.00%   -0.01%     
==========================================
  Files         403      403              
  Lines       37427    37516      +89     
==========================================
+ Hits        23957    24012      +55     
- Misses      11955    11979      +24     
- Partials     1515     1525      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cfc4n]

@gyuho Please review this PR,and merge it if passed.

[mitake]

LGTM, thanks! @gyuho could you take a look? Travis failed but it is because of goroutine leak, I'm guessing it would be a non deterministic problem. Probably running it again will be helpful.

[mitake]

I restarted the build to check the goroutine leak happens again or not.

[mitake]

It seems that the goroutine leak is a deterministic problem, let me diagnose (it might need some time though...).

[mitake]

At least TestUserErrorAuth can reproduce the leak like below:

~/g/s/g/etcd [get_authtoken_gracefully]× Â» PASSES=integration TESTCASE=TestUserErrorAuth ./test                                                                                                                                                                         -1- 00:33:08     
Running with TEST_CPUS: 1,2,4                                         
Starting 'integration' pass at Mon 31 Aug 2020 12:33:17 AM JST                                                                               
Running integration tests...                                          
testing: warning: no tests to run                                     
PASS                                                                                                                                         
ok      go.etcd.io/etcd/v3/integration  0.008s [no tests to run]      
testing: warning: no tests to run                                                                                                            
PASS                                                                  
ok      go.etcd.io/etcd/v3/client/integration   0.008s [no tests to run]                                                                     
=== RUN   TestUserErrorAuth                                           
{"level":"warn","ts":"2020-08-31T00:33:19.242+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-53b340df-658d-4c71-b8ef-75dfc123699d/localhost:78916154186224359510","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: user name is empty"}                        
{"level":"warn","ts":"2020-08-31T00:33:19.244+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-4897f36d-c3ef-43b1-881b-33a9dfdac7cd/localhost:78916154186224359510","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                                                                                                                                                                            
{"level":"warn","ts":"2020-08-31T00:33:19.257+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-cdd1aa50-22ae-4616-8405-5c35d6e7a4e5/localhost:78916154186224359510","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                               
--- PASS: TestUserErrorAuth (0.28s)                                   
=== RUN   TestUserErrorAuth                                           
{"level":"warn","ts":"2020-08-31T00:33:19.450+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-c9535b22-9044-4faf-8b9c-02eb807fa479/localhost:26468907482359463500","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: user name is empty"}                        
{"level":"warn","ts":"2020-08-31T00:33:19.452+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-3fdb10c4-ef02-4637-9107-d7cb54fe88f5/localhost:26468907482359463500","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                               
{"level":"warn","ts":"2020-08-31T00:33:19.458+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-dc98bd04-e874-4d35-97c9-bd9460909dc9/localhost:26468907482359463500","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                               
--- PASS: TestUserErrorAuth (0.14s)                                   
=== RUN   TestUserErrorAuth                                           
{"level":"warn","ts":"2020-08-31T00:33:19.607+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-009de944-9b28-454d-925d-ab0ffe9e45ac/localhost:44994960853404133160","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: user name is empty"}                        
{"level":"warn","ts":"2020-08-31T00:33:19.610+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-ec8c35f6-441f-4771-9b3f-72f7f6465e9c/localhost:44994960853404133160","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                               
{"level":"warn","ts":"2020-08-31T00:33:19.615+0900","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-96fc1616-8f08-4cea-957e-5d5bb8f9bc2a/localhost:44994960853404133160","attempt":0,"error":"rpc error: code = InvalidAr
gument desc = etcdserver: authentication failed, invalid user ID or password"}                                                               
--- PASS: TestUserErrorAuth (0.16s)                                   
PASS                                                                                                                                         
Unexpected goroutines running after all test(s).                      
6 instances of:                                                       
google.golang.org/grpc.(*ccBalancerWrapper).watcher(...)              
        /home/mitake/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:69 +0xc2                                                                                                                                                                                         
created by google.golang.org/grpc.newCCBalancerWrapper                
        /home/mitake/go/pkg/mod/google.golang.org/grpc@v1.26.0/balancer_conn_wrappers.go:60 +0x16d                                           
6 instances of:                                                       
google.golang.org/grpc.(*addrConn).resetTransport(...)                
        /home/mitake/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:1134 +0x40d                                                     
created by google.golang.org/grpc.(*addrConn).connect                 
        /home/mitake/go/pkg/mod/google.golang.org/grpc@v1.26.0/clientconn.go:800 +0x128                                                      
FAIL    go.etcd.io/etcd/v3/clientv3/integration 0.590s                
testing: warning: no tests to run                                     
PASS                                                                  
ok      go.etcd.io/etcd/v3/contrib/raftexample  0.008s [no tests to run]                                                                     
FAIL                                                                  

[mitake]

@cfc4n I think I found the cause of the goroutine leak issue. Could you pick this commit into your branch? mitake@9f1dfa2 We need to close client object when getToken() fails. On my local env the goroutine issue is resolved and integration pass can finish successfully.

[mitake]

LGTM, thanks! Defer to @xiang90

[mitake]

Could anyone take a look? I think this PR can be merged @xiang90 @gyuho @jingyih

[cfc4n]

Could anyone take a look? I think this PR can be merged @xiang90 @gyuho @jingyih

defer to @xiang90 @gyuho @jingyih @spzala , PTAL, thanks.

[xiang90]

lgtm