Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clientv3: do not refresh token when users use CommonName based authentication #14770

Merged
merged 3 commits into from
Nov 16, 2022
Merged

clientv3: do not refresh token when users use CommonName based authentication #14770

merged 3 commits into from
Nov 16, 2022

Conversation

ahrtr
Copy link
Member

@ahrtr ahrtr commented Nov 16, 2022

@ahrtr ahrtr marked this pull request as draft November 16, 2022 03:00
@codecov-commenter
Copy link

codecov-commenter commented Nov 16, 2022
edited
Loading

Codecov Report

Merging #14770 (aefc75b) into main (bf5c936) will decrease coverage by 0.20%.
The diff coverage is 57.14%.

@@            Coverage Diff             @@
##             main   #14770      +/-   ##
==========================================
- Coverage   75.64%   75.44%   -0.21%     
==========================================
  Files         457      457              
  Lines       37372    37375       +3     
==========================================
- Hits        28270    28197      -73     
- Misses       7336     7402      +66     
- Partials     1766     1776      +10
Flag Coverage Δ
all 75.44% <57.14%> (-0.21%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
client/v3/retry_interceptor.go 66.36% <57.14%> (+<0.01%) ⬆️
server/etcdserver/api/rafthttp/peer_status.go 87.87% <0.00%> (-12.13%) ⬇️
server/etcdserver/api/rafthttp/peer.go 87.01% <0.00%> (-9.75%) ⬇️
client/pkg/v3/testutil/leak.go 60.17% <0.00%> (-7.08%) ⬇️
client/v3/leasing/util.go 91.66% <0.00%> (-6.67%) ⬇️
server/etcdserver/api/v3rpc/util.go 74.19% <0.00%> (-6.46%) ⬇️
server/storage/mvcc/watchable_store.go 84.42% <0.00%> (-4.72%) ⬇️
server/etcdserver/txn/util.go 75.47% <0.00%> (-3.78%) ⬇️
server/etcdserver/api/rafthttp/msgappv2_codec.go 69.56% <0.00%> (-3.48%) ⬇️
client/v3/leasing/txn.go 88.09% <0.00%> (-3.18%) ⬇️
... and 15 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@ahrtr ahrtr marked this pull request as ready for review November 16, 2022 07:01
@ahrtr ahrtr changed the title clientv3: do not refresh token when authTokenBundle is nil clientv3: do not refresh token when users use CommonName based authentication Nov 16, 2022
@ahrtr
Copy link
Member Author

ahrtr commented Nov 16, 2022

When users use CommonName based authentication, then no need to fresh token at all. And actually the authTokenBundle is always nil, so the client will crash when refreshing the token.

We do not have any e2e test cases to cover the Common Name based authentication so far. So I added the first one in this PR.

@mitake Please take a look at this PR. thx. cc @ptabor @serathius @spzala

@ahrtr
Copy link
Member Author

ahrtr commented Nov 16, 2022

I just noticed that we already have 3 cases to cover the CommonName based authentication in ctl_v3_auth_no_proxy_test.go, it's good news.

serathius
serathius reviewed Nov 16, 2022
View reviewed changes
tests/e2e/ctl_v3_auth_no_proxy_test.go Outdated
Comment on lines 48 to 54
// apply the certificate which has `root` CommonName,
// and reset the setting when the test case finishes.
t.Log("Apply certificate with root CommonName")
resetCert := applyTLSWithRootCommonName()
defer resetCert()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be a separate cert bundle and an option in e2e tests pick certs with CommonName.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about enhancing the e2e framework, but it needs more time. I will think about it in a separate PR. Let's get 3.5.6 out firstly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just rebased this PR, and added a TODO comment. PTAL.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good.

@ahrtr
clientv3: do not refresh token when using TLS CommonName based authen…
f32ac6e 
…tication

When users use the TLS CommonName based authentication, the
authTokenBundle is always nil. But it's possible for the clients
to get `rpctypes.ErrAuthOldRevision` response when the clients
concurrently modify auth data (e.g, addUser, deleteUser etc.).
In this case, there is no need to refresh the token; instead the
clients just need to retry the operations (e.g. Put, Delete etc).

Signed-off-by: Benjamin Wang <wachao@vmware.com>
@ahrtr
test: add certificate with root CommonName
585054e 
Signed-off-by: Benjamin Wang <wachao@vmware.com>
@ahrtr
test: add test case to cover the CommonName based authentication
0c19014 
Refer to etcd-io#14764

Signed-off-by: Benjamin Wang <wachao@vmware.com>
@ahrtr ahrtr merged commit 719a0a4 into etcd-io:main Nov 16, 2022
@serathius serathius mentioned this pull request Nov 16, 2022
Closed
22 tasks
@mitake
Copy link
Contributor

mitake commented Nov 16, 2022

@ahrtr Thanks a lot for fixing the issue, the change LGTM

@ahrtr
Copy link
Member Author

ahrtr commented Nov 16, 2022

@ahrtr Thanks a lot for fixing the issue, the change LGTM

Thanks @mitake for the confirmation.

@ahrtr ahrtr mentioned this pull request Nov 16, 2022
Merged
@ahrtr ahrtr mentioned this pull request Nov 17, 2022
Merged
@fspmarshall fspmarshall mentioned this pull request Nov 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serathius serathius serathius approved these changes

Assignees
No one assigned
Labels
area/auth area/clientv3 backport/v3.4 backport/v3.5
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Manipulating Keys and Manipulating Users Concurrency Causes Segmentation Violation in Client
4 participants
@ahrtr @codecov-commenter @mitake @serathius