Merge pull request #10612 from bigmikes/acl-replication-fix

acl: acl replication routine to report the last error message
2021-08-06 18:29:51 -04:00 · 2021-08-06 18:29:51 -04:00 · 87fb26fd65
parent 07f7ff00b8 5c34a48d45
commit 87fb26fd65
6 changed files with 10 additions and 3 deletions
--- a/.changelog/10612.txt
+++ b/.changelog/10612.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+acl: replication routine to report the last error message.
+```
--- a/agent/consul/acl_replication.go
+++ b/agent/consul/acl_replication.go
@ -484,11 +484,12 @@ func (s *Server) IsACLReplicationEnabled() bool {
 		s.config.ACLTokenReplication
 }

-func (s *Server) updateACLReplicationStatusError() {
+func (s *Server) updateACLReplicationStatusError(errorMsg string) {
 	s.aclReplicationStatusLock.Lock()
 	defer s.aclReplicationStatusLock.Unlock()

 	s.aclReplicationStatus.LastError = time.Now().Round(time.Second).UTC()
+	s.aclReplicationStatus.LastErrorMessage = errorMsg
 }

 func (s *Server) updateACLReplicationStatusIndex(replicationType structs.ACLReplicationType, index uint64) {
--- a/agent/consul/acl_replication_test.go
+++ b/agent/consul/acl_replication_test.go
@ -780,6 +780,7 @@ func TestACLReplication_TokensRedacted(t *testing.T) {
 		require.True(r, status.ReplicatedTokenIndex < token2.CreateIndex, "ReplicatedTokenIndex is not less than the token2s create index")
 		// ensures that token replication is erroring
 		require.True(r, status.LastError.After(minErrorTime), "Replication LastError not after the minErrorTime")
+		require.Equal(r, status.LastErrorMessage, "failed to retrieve unredacted tokens - replication token in use does not grant acl:write")
 	})
 }

--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -807,7 +807,7 @@ func (s *Server) runLegacyACLReplication(ctx context.Context) error {
 				0,
 			)
 			lastRemoteIndex = 0
-			s.updateACLReplicationStatusError()
+			s.updateACLReplicationStatusError(err.Error())
 			legacyACLLogger.Warn("Legacy ACL replication error (will retry if still leader)", "error", err)
 		} else {
 			metrics.SetGauge([]string{"leader", "replication", "acl-legacy", "status"},
@ -924,7 +924,7 @@ func (s *Server) runACLReplicator(
 				0,
 			)
 			lastRemoteIndex = 0
-			s.updateACLReplicationStatusError()
+			s.updateACLReplicationStatusError(err.Error())
 			logger.Warn("ACL replication error (will retry if still leader)",
 				"error", err,
 			)
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@ -1273,6 +1273,7 @@ type ACLReplicationStatus struct {
 	ReplicatedTokenIndex uint64
 	LastSuccess          time.Time
 	LastError            time.Time
+	LastErrorMessage     string
 }

 // ACLTokenSetRequest is used for token creation and update operations
--- a/api/acl.go
+++ b/api/acl.go
@ -106,6 +106,7 @@ type ACLReplicationStatus struct {
 	ReplicatedTokenIndex uint64
 	LastSuccess          time.Time
 	LastError            time.Time
+	LastErrorMessage     string
 }

 // ACLServiceIdentity represents a high-level grant of all necessary privileges