RFC, WIP: etcdserver: let maintenance services require root role

[mitake]

This PR lets maintenance services require root role. But Snapshot() isn't protected yet because it doesn't have ctx in its parameter. I'm seeking how to obtain credential information in the function.

[heyitsanthony]

@mitake have you tried srv.Context() for getting the auth info for the snapshot stream?

[mitake]

@heyitsanthony I didn't notice the interface... I'll try it, thanks!

[mitake]

@heyitsanthony I added a protection mechanism to Snapshot() with srv.Context() based on your comment. Also e2e test cases were added for Defragment() and Snapshot(). But cases for Hash() and Status() aren't added yet because they lacks corresponding etcdctl commands. Maybe integration pkg is suitable place for the cases?

[heyitsanthony]

approach looks OK

[heyitsanthony]

maintenanceInitKeys?

[heyitsanthony]

maintenanceInitKeys?

[mitake]

ok

[heyitsanthony]

return ms.ag.AuthStore().IsAdminPermitted(authInfo)

[mitake]

I'll change it after finishing another ongoing PR: #6903

[heyitsanthony]

can there be a separate type returned by NewMaintenanceServer:

type authMaintenanceServer struct {
    ag AuthGetter
    ms *maintenanceServer
}

that does the auth checks before calling into the auth-free maintenance server? This buys type-checking that auth covers all calls for the service since if it misses a check it won't match the interface. I'd like to avoid mingling auth code with non-auth code if it's not strictly necessary...

[mitake]

ok, I'll try it

[heyitsanthony]

it seems like this belongs in the auth package if it's important enough to export? can probably pass a func f(idx uint64) <-chan to get around the etcdserver dependency in isValidToken where it waits for the revision update

[mitake]

ok, I'll try to move the function to auth pkg.

[mitake]

@heyitsanthony updated based on your comments, PTAL.

[heyitsanthony]

minor nit about warnings

[heyitsanthony]

drop the warnings? other auth failures don't warn, so it's inconsistent

[mitake]

OK, I'll remove the warnings.

[heyitsanthony]

@mitake maintenance commands with auth enabled will still work even if the cluster lost quorum, right? Otherwise, lgtm.

defer to @xiang90

[xiang90]

remove the mention of gRPC? then this interface seems more generic.

[mitake]

In AuthInfoFromCtx(), gRPC's metadata is obtained by metadata.FromContext(). So I think the context cannot be said generic.

[xiang90]

LGTM.

[xiang90]

@heyitsanthony Can you approve this pr? We can add a test for the quorum loss case. it is important to ensure that we can still get a snapshot at least to recover the cluster.

[mitake]

@heyitsanthony as @xiang90 says, I also think that quorum loss cases shouldn't prevent the maintenance RPCs and its auth. They are similar to serializable range requests.

[mitake]

@heyitsanthony @xiang90 removed the needless warnings. I kept the comment that mentions gRPC, how do you think?

[codecov-io]

Current coverage is 64.01% (diff: 36.11%)

No coverage report found for master at 118fd18.

Powered by Codecov. Last update 118fd18...1315a2b

[xiang90]

ok. lgtm. @heyitsanthony Can you approve this pr?

[heyitsanthony]

just wanted to confirm it'd work under quorum loss, sorry for the confusion!

lgtm. Thanks!