Why does the etcd's `authStore` read and set revision from boltdb when handling AuthEnable requests, instead of adding revision? #15857

Phoenix500526 · 2023-05-09T09:34:44Z

Phoenix500526
May 9, 2023

Hi, everyone. I'm a newbie to etcd and have a problem with some code implemented in the etcd.

Let's look at the implementation of the AuthEnable method first (reference: AuthEnable ):

func (as *authStore) AuthEnable() error {
	as.enabledMu.Lock()
	defer as.enabledMu.Unlock()
	if as.enabled {
		as.lg.Info("authentication is already enabled; ignored auth enable request")
		return nil
	}
	tx := as.be.BatchTx()
	tx.Lock()
	defer func() {
		tx.Unlock()
		as.be.ForceCommit()
	}()

	u := tx.UnsafeGetUser(rootUser)
	if u == nil {
		return ErrRootUserNotExist
	}

	if !hasRootRole(u) {
		return ErrRootRoleNotExist
	}

	tx.UnsafeSaveAuthEnabled(true)
	as.enabled = true
	as.tokenProvider.enable()

	as.refreshRangePermCache(tx)

	as.setRevision(tx.UnsafeReadAuthRevision())

	as.lg.Info("enabled authentication")
	return nil
}

func (as *authStore) AuthDisable() {
	as.enabledMu.Lock()
	defer as.enabledMu.Unlock()
	if !as.enabled {
		return
	}
	b := as.be
	tx := b.BatchTx()
	tx.Lock()
	tx.UnsafeSaveAuthEnabled(false)
	as.commitRevision(tx)
	tx.Unlock()
	b.ForceCommit()
	as.enabled = false
	as.tokenProvider.disable()
	as.lg.Info("disabled authentication")
}

func (as *authStore) commitRevision(tx AuthBatchTx) {
	atomic.AddUint64(&as.revision, 1)
	tx.UnsafeSaveAuthRevision(as.Revision())
}

The authStore increases the revision of the authStore when handling Auth-related requests, such as AuthDisable, UserAdd, etc. However, the AuthEnable implementation in different logic, as it reads the revision value from the underlying boltdb and uses that value to override the authStore.revision, which confuses me:

Why is it designed this way? Are there any special reasons, like consistency or something like that?
Why can't AuthEnable just increment revision directly like what AuthDisable does?

Can anybody tell me why? Thanks in advance.

Phoenix500526 · 2023-05-10T09:53:51Z

Phoenix500526
May 10, 2023
Author

@ahrtr @tjungblu @serathius @jmhbnz Can anybody help? Thanks~

2 replies

Phoenix500526 May 13, 2023
Author

@mitake

ahrtr May 13, 2023
Maintainer

THE MVCC (Multi-version concurrent control) is only designed for the key space, in which the revision is strictly monotonically incremental.

All others, including auth, do not belong to the key space.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Why does the etcd's `authStore` read and set revision from boltdb when handling AuthEnable requests, instead of adding revision? #15857

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Why does the etcd's authStore read and set revision from boltdb when handling AuthEnable requests, instead of adding revision? #15857

Uh oh!

Phoenix500526 May 9, 2023

Replies: 1 comment · 2 replies

Uh oh!

Phoenix500526 May 10, 2023 Author

Uh oh!

Phoenix500526 May 13, 2023 Author

Uh oh!

ahrtr May 13, 2023 Maintainer

Why does the etcd's `authStore` read and set revision from boltdb when handling AuthEnable requests, instead of adding revision? #15857

Phoenix500526
May 9, 2023

Replies: 1 comment 2 replies

Phoenix500526
May 10, 2023
Author

Phoenix500526 May 13, 2023
Author

ahrtr May 13, 2023
Maintainer