acl: acl replication routine to report the last error message

2025-02-02 08:56:43 +00:00 · 2021-07-14 11:50:23 +02:00 · 2021-07-14 11:50:23 +02:00 · 529fe737ef
commit 529fe737ef
parent e91996f130
4 changed files with 7 additions and 3 deletions
--- a/agent/consul/acl_replication.go
+++ b/agent/consul/acl_replication.go
@ -484,11 +484,12 @@ func (s *Server) IsACLReplicationEnabled() bool {
 		s.config.ACLTokenReplication
 }

-func (s *Server) updateACLReplicationStatusError() {
+func (s *Server) updateACLReplicationStatusError(errorMsg error) {
 	s.aclReplicationStatusLock.Lock()
 	defer s.aclReplicationStatusLock.Unlock()

 	s.aclReplicationStatus.LastError = time.Now().Round(time.Second).UTC()
+	s.aclReplicationStatus.LastErrorMessage = errorMsg
 }

 func (s *Server) updateACLReplicationStatusIndex(replicationType structs.ACLReplicationType, index uint64) {
--- a/agent/consul/acl_replication_test.go
+++ b/agent/consul/acl_replication_test.go
@ -1,6 +1,7 @@
 package consul

 import (
+	"errors"
 	"fmt"
 	"os"
 	"strconv"
@ -780,6 +781,7 @@ func TestACLReplication_TokensRedacted(t *testing.T) {
 		require.True(r, status.ReplicatedTokenIndex < token2.CreateIndex, "ReplicatedTokenIndex is not less than the token2s create index")
 		// ensures that token replication is erroring
 		require.True(r, status.LastError.After(minErrorTime), "Replication LastError not after the minErrorTime")
+		require.Equal(r, status.LastErrorMessage, errors.New("failed to retrieve unredacted tokens - replication token in use does not grant acl:write"))
 	})
 }

--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -810,7 +810,7 @@ func (s *Server) runLegacyACLReplication(ctx context.Context) error {
 				0,
 			)
 			lastRemoteIndex = 0
-			s.updateACLReplicationStatusError()
+			s.updateACLReplicationStatusError(err)
 			legacyACLLogger.Warn("Legacy ACL replication error (will retry if still leader)", "error", err)
 		} else {
 			metrics.SetGauge([]string{"leader", "replication", "acl-legacy", "status"},
@ -927,7 +927,7 @@ func (s *Server) runACLReplicator(
 				0,
 			)
 			lastRemoteIndex = 0
-			s.updateACLReplicationStatusError()
+			s.updateACLReplicationStatusError(err)
 			logger.Warn("ACL replication error (will retry if still leader)",
 				"error", err,
 			)
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@ -1269,6 +1269,7 @@ type ACLReplicationStatus struct {
 	ReplicatedTokenIndex uint64
 	LastSuccess          time.Time
 	LastError            time.Time
+	LastErrorMessage     error
 }

 // ACLTokenSetRequest is used for token creation and update operations