python-etcd3 icon indicating copy to clipboard operation
python-etcd3 copied to clipboard
verified publisher icon kragniz

python-etcd3 is incompatible with grpcio versions newer than 1.44.0 (1.45+)

Open eliminyro opened this issue 3 years ago • 5 comments

What version of gRPC and what language are you using?

grpc v1.45.0

What operating system (Linux, Windows,...) and version?

Ubuntu 20.04

What runtime / compiler are you using (e.g. python version or version of gcc)

python 3.8.10

What did you do?

Update grpc from 1.44.0 to 1.45.0 and run it against etcd v3 server with authentication enabled using python-etcd3 module.

What did you expect to see?

No errors.

What did you see instead?

>>> etcd = etcd3.client(host='etcd_host', port=2379, user='user', password='password')
>>> etcd.get('key_name')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/venv-path/lib/python3.8/site-packages/etcd3/client.py", line 283, in get
    range_response = self.get_response(key, **kwargs)
  File "/venv-path/lib/python3.8/site-packages/etcd3/client.py", line 48, in handler
    _translate_exception(exc)
  File "/venv-path/lib/python3.8/site-packages/etcd3/client.py", line 46, in handler
    return f(*args, **kwargs)
  File "/venv-path/lib/python3.8/site-packages/etcd3/client.py", line 257, in get_response
    return self.kvstub.Range(
  File "/venv-path/lib/python3.8/site-packages/grpc/_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/venv-path/lib/python3.8/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAUTHENTICATED
        details = "Established channel does not have a sufficient security level to transfer call credential."
        debug_error_string = "{"created":"@1652261814.087167077","description":"Error received from peer etcd_host:2379","file":"src/core/lib/surface/call.cc","file_line":952,"grpc_message":"Established channel does not have a sufficient security level to transfer call credential.","grpc_status":16}"

eliminyro avatar May 11 '22 09:05 eliminyro

same issue here

qd452 avatar May 18 '22 05:05 qd452

If I'm not mistaken, grpcio now requires that the etcd server uses TLS when you need authentication.

jkawamoto avatar May 18 '22 06:05 jkawamoto

I've checked the code of python-etcd3 library itself, and it seems that secure_channel is used for HTTPS connections only. I've tried using the library with the newest grpcio with TLS enabled on etcd server, and it seems to be working alright. I wasn't obvious that it is mandatory though.

However, if someone else stumbles upon this issue might find this useful. I'll close the issue, since it seems to be working just fine.

eliminyro avatar Jun 10 '22 13:06 eliminyro

We got the issue by trying to auth agaist a local etcd.

We fixed it by using our own Etcd3Client, with that in the __init__ function:


    def __init__(self, host='localhost', port=2379, timeout=None, user=None,
                 password=None):

        if user and password:
            credentials = grpc.local_channel_credentials()
            self.uses_secure_channel = True
        else:
            credentials = None
            self.uses_secure_channel = False

        # Step 2: create Endpoint
        ep = Endpoint(host, port, secure=self.uses_secure_channel,
                      creds=credentials)

        super(Etcd3Client, self).__init__(endpoints=[ep], timeout=timeout,
                                          user=user, password=password)

(I removed extra unused args)

Not sure how / if I can create a PR with a proper fix :)

the-glu avatar Sep 09 '22 14:09 the-glu

@the-glu could you provide the complete code you used to conenct etcd and then to get and put keys

aru88 avatar Dec 13 '23 08:12 aru88