nats-io / gnatsd

92%

master: 91%

LAST BUILD ON BRANCH fix_reload_cluster_auth

branch: fix_reload_cluster_auth

CHANGE BRANCH

x

Reset

• fix_reload_cluster_auth
• VidScale-master
• accept_error_level
• account-signingkeys
• account_map
• accounts
• accounts_reload
• add-chocolatey-badge
• add-connz-sort-uptime
• add-issue-templates
• add-roadmap-page
• add-server-id-to-routez-connz
• add_arm_build
• add_bench_for_routed_queue
• add_configure_options
• add_gosimple
• add_leafnode_test
• add_megacheck
• add_oleg_maintainer
• add_stacksz
• add_tlsconfig_server_name_test
• add_total_live_connz
• add_warning_if_cluster_insecure
• allow-conf-var-in-accounts-block
• alpine-dockerfile
• always_send_info
• auth_timeout_race
• auth_timeout_tls_fix
• authorization
• badclient
• big_payload
• branch_1_4_0
• bump_check_cluster_timeout
• bump_version
• change_test_coverage_script
• change_write_deadline_config_type
• changes_for_service_and_syslog
• check_for_any_in_returned_ips
• check_parse_returned_error
• cid
• cipher
• cleanup
• client_proto
• closed
• cluster-nkeys-tool
• cluster-readme
• cluster_opts
• cluster_reload
• cluster_tls_insecure
• cncf
• conf-check
• conf-check-line-reporting
• conf-check-unknown-options
• conf-dangling-quote
• conf_variables
• config-report-pos
• config-report-pos-always
• config-report-pos-always-all
• config-report-pos-collect-errors
• config-signing-local
• config-string-num-val
• config_reload
• config_reload_cluster_tests
• conn_reporting
• connect-pass-regex-fix-2
• connect-pass-regex-fixes
• control_overflow
• cov
• cross_compile_arm
• cross_compile_ci
• dconf
• debug_last_activity
• debug_late_replies
• debug_late_replies2
• default
• deny
• deny_perms
• disable_async_info
• dlq
• doc-route-perms
• doc-string-escape
• dont_use_relection_for_tls_config_clone
• dont_use_windows_svc_debug
• echo
• enable_config_reload
• error_logging
• event_stable
• events
• expire
• expose_monitor_handler
• fanin
• fanout
• fix-mkpasswd
• fix-monitoring-data-races
• fix-reload-open-files
• fix_632
• fix_955
• fix_account_lookup_race
• fix_account_race_on_reload
• fix_account_users
• fix_budget_flush
• fix_closed_conns_accounting_test
• fix_cluster_override
• fix_comment
• fix_concurrent_monitor_poll
• fix_config_reload_leafnode_issue
• fix_connect_urls
• fix_connect_urls_notification_with_explicit_routes
• fix_connz_tls_handshake
• fix_data_race
• fix_deadlines
• fix_duplicate_route_handling
• fix_flapper
• fix_flappers
• fix_for_windows
• fix_gosimple_error
• fix_gw_issues
• fix_gw_req_reply
• fix_http_servers_timeout
• fix_info_arg
• fix_issue_447
• fix_issue_470
• fix_issue_558
• fix_lastactivity_test
• fix_ld_mode
• fix_leafnode_tls_rootca
• fix_link_local
• fix_lock_inversion
• fix_logtime_reload
• fix_mem_usage_on_tls_failure
• fix_misleading_tls_timeout_error
• fix_monitor_routez_race
• fix_negative_offset_limit_panic
• fix_opts_copy
• fix_panic_with_leafnodes_and_gws
• fix_ping_to_tls_conn
• fix_ports_file
• fix_possible_writeloop_stall
• fix_profiler
• fix_pse_test
• fix_race_on_unsub
• fix_route_ipv6
• fix_route_permissions
• fix_script_code_cov
• fix_setlogger
• fix_some_tests
• fix_specify_http_and_https_ports
• fix_start_go_routine_calls
• fix_staticcheck_error
• fix_staticcheck_errors
• fix_staticcheck_reports
• fix_sublist_cache_flapper
• fix_sublist_insert_remove
• fix_sublist_race
• fix_symlink_garbage
• fix_test_http_host
• fix_test_logoutput
• fix_test_race
• fix_tests
• fix_tls_config_copy
• fix_tls_tests
• fix_tls_verify
• fix_trace_race
• fix_travis
• fix_unknown_cipher_name
• fix_url_comparison
• fix_win_docker
• fix_windows
• fix_writeloop_signal_for_1_4_0
• flaky
• gateway
• gateways
• gcolliso-patch-1
• global_account
• gomod
• goreleaser-config
• gw_acc_sub_unsub
• gw_add_interest_only_si_test
• gw_add_service_import_queue_test
• gw_connect_ip_tracing
• gw_debug
• gw_detect_itself
• gw_fix_address_gossip
• gw_fix_race_issue
• gw_fix_service_imports
• gw_fix_setting_default_tls_timeout
• gw_prevents_reload
• gw_req_reply_v2
• gw_send_all_subs
• gw_service_imports
• gw_updates
• ignore_custom_auth_in_relaod
• implicit_route_retries
• import_wc
• improve_code_coverage
• improve_config_reload_coverage
• improve_route_perf_big_msgs
• include
• include-win-pse-test
• increase_tls_timeout_for_arm
• init_bench_sublist_only_when_needed
• injected-version
• issue_484
• jwt
• lame_duck_mode
• last
• ldm-wait-signal
• leaf-json-tag
• leaf_limits
• leafnode_advertise
• leafnode_get_random_ip
• leafnodes
• leafupdates
• limits
• listen
• localhost
• log-warn
• log_reopen
• logging_refactor
• logtime_reload
• longer-test-client-timeout
• lproto
• make_write_deadline_configurable
• master
• max_conn
• mem
• monitor_flapper
• more_test_coverage
• move_tests_to_no_race
• move_usage
• multiuser
• new_release
• new_routes
• next_release
• nkey_update
• nkeys
• nkeys_vendor
• nocache
• notify_clients_when_routes_go_away
• office-hours
• operator
• opts_process_config_file
• parse_err
• per_user_rate_limiting
• perf_fix
• perms_cache_fix
• ping
• port-file
• pre_release_rc8
• preload
• prepare_for_new_release
• prepare_for_next_release
• prepare_for_v106
• prepare_next_release
• pse_linux
• random_port_extended
• rate_limiting
• raw
• readme-clustering
• readme-edits
• readme-updates
• reduce_gw_init_mem
• reduce_port_conflicts
• reject_client_connecting_to_route
• release_1_2_0
• release_1_4_1
• reload_mcl
• remote_monitoring_port
• remoteleaf
• remove_check_in_readloop
• remove_perms_from_gws
• remove_route_conn_from_tmp_clients
• replace_armv5_with_armv6
• restore_default_test_options_port
• revert-891-include-parsing-fixes
• route-port-display
• route_perm2
• route_permissions
• route_permissions_v2
• route_perms_reload
• route_send_local_subs
• route_send_subs_go_routine_threshold
• routes
• routes_perm_reporting
• rtt
• server_send_async_info
• server_wide_rate_limiting
• service_export_wildcards
• service_import
• shadow
• si
• slow-consumer-tls-timeout-race
• solicited_routes_reload
• sort
• speed
• start
• start_go_routine_lead_node
• staticcheck
• statsz
• stop_http_server_on_shutdown
• sublist_cache
• sublist_race
• subs
• suppress_write_deadline_parsing_warning_in_test
• sys
• sys_account_with_gateways
• sysacc
• syslimit
• syslog-tag
• system-events
• temporarily-reverted-INFO-message-format
• term-shutdown
• test
• test_for_route_send_subs
• test_rc_release
• test_travis
• test_updates
• tls
• tls-add-chacha-default
• tls-curve-pref
• tls-map-user-cn
• tls_reload
• tls_trace
• travis-go18
• travis-updates
• trust
• turnoff_signal_handler_in_some_tests
• tw4dl-master
• unlimited
• update
• update-gitignore
• update-office-hours
• update-readme-authorization
• update-roadmap
• update-vendoring
• update-win-pse
• update-winpse
• update_configure_options
• update_go_version
• update_lame_duck_mode
• update_readme_with_cluster_example
• update_route_perms
• update_staticcheck_url
• update_to_staticcheck
• update_travis
• update_travis_go_version
• update_travis_go_versions
• updates
• use_loopback
• users_reload
• v0.8.0.beta
• v0.8.0.beta2
• v0.8.1
• v0.9.2
• v0.9.4
• v0.9.6
• v1.0.0
• v1.0.2
• v1.0.4
• v1.0.6
• v1.1.0
• v1.2.0
• v1.3.0
• v1.4.0
• v1.4.1
• v2.0.0-RC8
• v2.0.0-test-RC
• varz_func
• varz_subs
• verify-and-map-routes
• wait_server_ready
• win-container-test-fixes
• win-signals
• windows-event-log

Build # 2183

Build Type

Pull #720

travis-ci

Committed by web-flow

Commit Message

[FIXED] Possible cluster `Authorization Error` during config reload

When changing something in the cluster, such as Timeout and doing
a config reload, the route could be closed with an `Authorization
Error` report. Moreover, the route would not try to reconnect,
even if specified as an explicit route.

There were 2 issues:
- When checking if a solicited route is still valid, we need to
  check the Routes' URL against the URL that we try to connect
  to but not compare the pointers, but either do a reflect
  deep equal, or compare their String representation (this is
  what I do in the PR).
- We should check route authorization only if this is an accepted
  route, not an explicit one. The reason is that we a server
  explicitly connect to another server, it does not get the remote
  server's username and password. So the check would always fail.

Note: It is possible that a config reload even without any change
in the cluster triggers the code checking if routes are properly
authorized, and that happens if there is TLS specified. When
the reload code checks if config has changed, the TLSConfig
between the old and new seem to indicate a change, eventhough there
is apparently none. Another reload does not detect a change. I
suspect some internal state in TLSConfig that causes the
reflect.DeepEqual() to report a difference.

Note2: This commit also contains fixes to regex that staticcheck
would otherwise complain about (they did not have any special
character), and I have removed printing the usage on startup when
getting an error. The usage is still correctly printed if passing
a parameter that is unknown.

Resolves #719

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>

Pull Request Pull Request #720: [FIXED] Possible cluster `Authorization Error` during config reload

Run Details

8 of 8 new or added lines in 2 files covered. (100.0%)

7102 of 7694 relevant lines covered (92.31%)

78480.21 hits per line