
Immediately (mostly) useable ACL tokens: add wait and check call to allow for ACL token replication

Open skpratt opened this issue 2 years ago • 4 comments

Description

This is a borrowed workaround to allow time for ACL tokens to go through raft so that they can be immediately used after a login / creation request. See code comments for full description.

Original implementation in consul-k8s: https://github.com/hashicorp/consul-k8s/blob/dc7f08965c01d2180813d0d83539a49bcc60a7d3/control-plane/subcommand/common/common.go#L156

Once this PR is merged, a follow-up PR will remove this wait from consul-k8s, since this will be moving the retry loop upstream into the consul client API itself. This should address all calls to the underlying token API, removing the need for dependent projects like consul-k8s to determine which calls should be handled with a retry loop.

Testing & Reproduction steps

Tested with removed consul k8s retry loop.

  • No k8s retry loop + these changes:
  • No k8s retry loop + without these changes:
  • No k8s retry loop + forced leader change + changes to delay raft write:
  • VM create at follower + immediate access request + delay raft write + without these changes:
  • VM create at follower + immediate access request + delay raft write + with these changes:

PR Checklist

  • [ ] updated test coverage
  • [ ] external facing docs updated
  • [ ] not a security concern

skpratt, Feb 09 '23 16:02
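An added example (not the code from this PR or from consul-k8s) of the wait-and-check pattern the description refers to: after a token is issued, poll a read of that token until it is visible, retrying only the not-found error and giving up at a deadline. `tokenReader`, `errACLNotFound` and `laggingFollower` are hypothetical stand-ins for a Consul client and a server that has not yet applied the raft write.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// errACLNotFound (hypothetical): reply for a token whose raft write is not applied yet.
var errACLNotFound = errors.New("ACL not found")

// tokenReader (hypothetical) reads the new token back from whichever server answers.
type tokenReader interface {
	ReadSelf(ctx context.Context) error
}

// waitForToken polls ReadSelf until the token is visible. Only errACLNotFound
// is retried; any other error is returned at once so a rejected token is not
// masked as replication lag. ctx bounds the total wait.
func waitForToken(ctx context.Context, r tokenReader, interval time.Duration) (int, error) {
	for attempts := 1; ; attempts++ {
		err := r.ReadSelf(ctx)
		if err == nil || !errors.Is(err, errACLNotFound) {
			return attempts, err
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("token not visible after %d reads: %w", attempts, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// laggingFollower (constructed fake): not-found for the first lag reads, then returns after.
type laggingFollower struct{ lag int; after error }

func (f *laggingFollower) ReadSelf(context.Context) error {
	if f.lag--; f.lag >= 0 {
		return errACLNotFound
	}
	return f.after
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	fmt.Println(waitForToken(ctx, &laggingFollower{lag: 3}, 10*time.Millisecond))
}
```

Returning non-retryable errors immediately keeps a revoked or malformed token from being treated as replication lag, and the context deadline keeps callers from hanging when the token never appears.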

@skpratt : What user-facing operations does this change apply to? Does it ensure that the token returned by consul acl token create or consul login is (usually) immediately usable? Or something else? I can't tell for sure because it seems like the change is in HTTP API endpoint files (?) rather than command files.

jkirschner-hashicorp, Feb 09 '23 20:02

This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

github-actions[bot], May 29 '23 01:05

Closing due to inactivity. If you feel this was a mistake or you wish to re-open at any time in the future, please leave a comment and it will be re-surfaced for the maintainers to review.

github-actions[bot], Jun 28 '23 01:06

This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

github-actions[bot], Jun 03 '24 01:06

Closing due to inactivity. If you feel this was a mistake or you wish to re-open at any time in the future, please leave a comment and it will be re-surfaced for the maintainers to review.

github-actions[bot], Jul 04 '24 01:07