Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heartbeat: use leader's ACL token when failing heartbeat #24241

Merged
merged 1 commit into from
Oct 17, 2024
Merged

heartbeat: use leader's ACL token when failing heartbeat #24241

merged 1 commit into from
Oct 17, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented Oct 17, 2024

In #23838 we updated the Node.Update RPC handler we use for heartbeats to be more strict about requiring node secrets. But when a node goes down, it's the leader that sends the request to mark the node down via Node.Update (to itself), and this request was missing the leader ACL needed to authenticate to itself.

Add the leader ACL to the request and update the RPC handler test for disconnected-clients to use ACLs, which would have detected this bug. Also added a note to the Authenticate comment about how that authentication path requires the leader ACL.

Fixes: #24231
Ref: https://hashicorp.atlassian.net/browse/NET-11384

@tgross tgross added this to the 1.9.1 milestone Oct 17, 2024
@tgross tgross added backport/1.9.x backport to 1.9.x release line theme/heartbeating type/bug labels Oct 17, 2024
@tgross tgross marked this pull request as ready for review October 17, 2024 15:57
shoenig
shoenig approved these changes Oct 17, 2024
View reviewed changes
Copy link
Member

@shoenig shoenig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tgross
heartbeat: use leader's ACL token when failing heartbeat
df91284 
In #23838 we updated the `Node.Update` RPC handler we use for heartbeats to be
more strict about requiring node secrets. But when a node goes down, it's the
leader that sends the request to mark the node down via `Node.Update` (to
itself), and this request was missing the leader ACL needed to authenticate to
itself.

Add the leader ACL to the request and update the RPC handler test for
disconnected-clients to use ACLs, which would have detected this bug. Also added
a note to the `Authenticate` comment about how that authentication path requires
the leader ACL.

Fixes: #24231
Ref: https://hashicorp.atlassian.net/browse/NET-11384
@tgross
Copy link
Member Author

tgross commented Oct 17, 2024

Forgot changelog. Added that and will merge when CI is green.

@tgross tgross mentioned this pull request Oct 17, 2024
Closed
@tgross tgross merged commit 55fe05d into main Oct 17, 2024
26 checks passed
@tgross tgross deleted the b-heartbeat-fail-update branch October 17, 2024 17:48
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Oct 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shoenig shoenig shoenig approved these changes

@schmichael schmichael schmichael approved these changes

@gulducat gulducat Awaiting requested review from gulducat

@mismithhisler mismithhisler Awaiting requested review from mismithhisler

@jrasell jrasell Awaiting requested review from jrasell

Assignees
No one assigned
Labels
backport/1.9.x backport to 1.9.x release line theme/heartbeating type/bug
Projects
None yet
Milestone
1.9.1
Development

Successfully merging this pull request may close these issues.

(1.9.0) missed heartbeats don't mark nodes down
3 participants
@tgross @schmichael @shoenig