Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Converge quorum member auth #525

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

optiz0r
Copy link

@optiz0r optiz0r commented Jun 28, 2022

Pull Request (PR) description

The current code for authenticating to quorum members runs the auth command on every puppet run. This both updates the credentials on disk, and generates a puppet change event, which are btoh undesirable.

The proposed change checks to ensure all quorum members have an auth token in the credentials file, and updates auth for all members if any one member is missing. This results in a convergent state.

There is a caveat, in that what gets stored in the credentials file is not the original password, but an auth token. There does not seem to be a pcs command to check the tokens are still valid. So this code is only checking for presenence of auth tokens, not correctness. If the authentication token is later invalided, puppet will not correct this. It would be necessary to manually run the pcs host auth or pcs cluster auth commands to fix it.

This Pull Request (PR) fixes the following issues

Fixes #500

@optiz0r optiz0r force-pushed the issue500_convergent_auth branch 2 times, most recently from d934d1f to 302162a Compare June 29, 2022 08:07
@optiz0r
Copy link
Author

optiz0r commented Jun 29, 2022

The three failing test suites don't look to be failing in relation to my changes.

@optiz0r
Copy link
Author

optiz0r commented Jun 29, 2022

This actually isn't working quite as expected, it causes failures on the first run, and then converges on the second run.
Solved by latest force push.

Old logs
Notice: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: Error: Unable to synchronize and save tokens on nodes: node2. Are they authorized?
Notice: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: node1: Authorized
Error: 'pcs cluster auth node1 -u hacluster -p PASS' returned 1 instead of one of [0]
Error: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: change from 'notrun' to ['0'] failed: 'pcs cluster auth node1 -u hacluster -p PASS' returned 1 instead of one of [0] (corrective)
Notice: /Stage[main]/Corosync/Exec[authorize_member_node2]/returns: executed successfully (corrective)
Notice: /Stage[main]/Corosync/Package[corosync-qdevice]/ensure: created
Notice: /Stage[main]/Corosync/Exec[pcs_cluster_temporary]: Dependency Exec[authorize_member_node1] has failures: true

@optiz0r optiz0r force-pushed the issue500_convergent_auth branch 2 times, most recently from fa1c724 to 12adff2 Compare June 29, 2022 10:47
The current code for authenticating to quorum members runs the auth
command on every puppet run. This both updates the credentials on
disk, and generates a puppet change event, which are btoh undesirable.

The proposed change checks to ensure all quorum members have an auth
token in the credentials file, and updates auth for all members if
any one member is missing. This results in a convergent state.

There is a caveat, in that what gets stored in the credentials file
is not the original password, but an auth token. There does not seem
to be a pcs command to check the tokens are still valid. So this code
is only checking for presenence of auth tokens, not correctness.
If the authentication token is later invalided, puppet will not correct
this. It would be necessary to manually run the `pcs host auth` or
`pcs cluster auth` commands to fix it.

Fixes voxpupuli#500
@optiz0r optiz0r force-pushed the issue500_convergent_auth branch from 12adff2 to a2ab552 Compare June 29, 2022 10:49
@optiz0r optiz0r added the enhancement New feature or request label Jul 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

When Managing PCS Auth, pcs_cluster_auth Executes Every Puppet Run
1 participant