From 529fe737efc17d7d664b1fa8200631e31706069f Mon Sep 17 00:00:00 2001
From: Giulio Micheloni
Date: Wed, 14 Jul 2021 11:50:23 +0200
Subject: [PATCH] acl: acl replication routine to report the last error message
---
 agent/consul/acl_replication.go | 3 ++-
 agent/consul/acl_replication_test.go | 2 ++
 agent/consul/leader.go | 4 ++--
 agent/structs/acl.go | 1 +
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/agent/consul/acl_replication.go b/agent/consul/acl_replication.go
index 4035b8ec43..f76900356c 100644
--- a/agent/consul/acl_replication.go
+++ b/agent/consul/acl_replication.go
@@ -484,11 +484,12 @@ func (s *Server) IsACLReplicationEnabled() bool {
 s.config.ACLTokenReplication
 }
-func (s *Server) updateACLReplicationStatusError() {
+func (s *Server) updateACLReplicationStatusError(errorMsg error) {
 s.aclReplicationStatusLock.Lock()
 defer s.aclReplicationStatusLock.Unlock()
 s.aclReplicationStatus.LastError = time.Now().Round(time.Second).UTC()
+ s.aclReplicationStatus.LastErrorMessage = errorMsg
 }
 func (s *Server) updateACLReplicationStatusIndex(replicationType structs.ACLReplicationType, index uint64) {
diff --git a/agent/consul/acl_replication_test.go b/agent/consul/acl_replication_test.go
index 26726fe360..841d18020a 100644
--- a/agent/consul/acl_replication_test.go
+++ b/agent/consul/acl_replication_test.go
@@ -1,6 +1,7 @@
 package consul
 import (
+ "errors"
 "fmt"
 "os"
 "strconv"
@@ -780,6 +781,7 @@ func TestACLReplication_TokensRedacted(t *testing.T) {
 require.True(r, status.ReplicatedTokenIndex < token2.CreateIndex, "ReplicatedTokenIndex is not less than the token2s create index")
 // ensures that token replication is erroring
 require.True(r, status.LastError.After(minErrorTime), "Replication LastError not after the minErrorTime")
+ require.Equal(r, status.LastErrorMessage, errors.New("failed to retrieve unredacted tokens - replication token in use does not grant acl:write"))
 })
 }
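Review bot: Storing the `error` value itself in `aclReplicationStatus.LastErrorMessage` is fragile, because `ACLReplicationStatus` (the `agent/structs/acl.go` hunk declares the field as `LastErrorMessage error`) appears to be a struct that is encoded for RPC and HTTP responses, and an interface-typed error generally does not survive an encoder as readable text. I would declare the field as `LastErrorMessage string` and assign `s.aclReplicationStatus.LastErrorMessage = errorMsg.Error()` here, guarding against a nil argument. The parameter would then read better as `err error`, since what is passed is an error and not a message. A doc comment such as `// updateACLReplicationStatusError records the time and text of the most recent replication failure.` would also help.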
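Review bot: The new assertion in `TestACLReplication_TokensRedacted` passes its arguments to `require.Equal` in actual, expected order and compares against a freshly built `errors.New(...)` value, so it only holds while the stored error has exactly that concrete type. `require.EqualError(r, status.LastErrorMessage, "failed to retrieve unredacted tokens - replication token in use does not grant acl:write")` states the intent directly and makes the `errors` import added in the first hunk of this file unnecessary. The test function's body starts outside the hunk.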
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 391b73ca76..c5c35b7905 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -810,7 +810,7 @@ func (s *Server) runLegacyACLReplication(ctx context.Context) error {
 0,
 )
 lastRemoteIndex = 0
- s.updateACLReplicationStatusError()
+ s.updateACLReplicationStatusError(err)
 legacyACLLogger.Warn("Legacy ACL replication error (will retry if still leader)", "error", err)
 } else {
 metrics.SetGauge([]string{"leader", "replication", "acl-legacy", "status"},
@@ -927,7 +927,7 @@ func (s *Server) runACLReplicator(
 0,
 )
 lastRemoteIndex = 0
- s.updateACLReplicationStatusError()
+ s.updateACLReplicationStatusError(err)
 logger.Warn("ACL replication error (will retry if still leader)",
 "error", err,
 )
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index ed2b0791ae..1a93f88421 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -1269,6 +1269,7 @@ type ACLReplicationStatus struct {
 ReplicatedTokenIndex uint64
 LastSuccess time.Time
 LastError time.Time
+ LastErrorMessage error
 }
 // ACLTokenSetRequest is used for token creation and update operations
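Review bot: Both call sites (`runLegacyACLReplication` in this hunk and `runACLReplicator` in the next) now copy the raw `err` into the replication status, so text that previously went only to the server log lands in a status object that clients can query. It is worth confirming who is allowed to read that status and whether replication errors can carry details, such as server addresses or token-related context, that should stay in the logs; if they can, store a bounded, sanitised summary instead of the wrapped error. Nothing in the visible hunks resets the message when replication succeeds, so a field comment such as `// LastErrorMessage describes the failure recorded at LastError.` would tell readers to compare `LastError` with `LastSuccess` before trusting it. Both functions continue outside their hunks.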