Bug 1659114
Field | Value | Field | Value
---|---|---|---
Summary | 'pcs host auth' shows error message asking to re-authenticate the earlier authenticated node again. | |
Product | Red Hat Enterprise Linux 8 | Reporter | hemel <hbiswas>
Component | pcs | Assignee | Tomas Jelinek <tojeline>
Status | CLOSED NOTABUG | QA Contact | cluster-qe <cluster-qe>
Severity | low | Docs Contact |
Priority | low | |
Version | 8.0 | CC | abeekhof, cfeist, cluster-maint, idevat, omular, tojeline
Target Milestone | rc | |
Target Release | 8.0 | |
Hardware | Unspecified | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2019-06-12 14:29:42 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description
hemel
2018-12-13 15:39:17 UTC
re-assigning to pcs (it has its own component)

The described behavior is expected, but it might seem unintuitive because of the complex internals of pcs token synchronization. If a node is in a cluster, auth token synchronization across the whole cluster is always used for distributing new tokens. This synchronization mechanism uses network communication, so it needs to be able to communicate with all cluster nodes (that means including the node on which the ‘pcs host auth’ command was executed) using a token for the sync to be successful. So if you have a cluster of nodes A and B, and you remove all tokens from node A (by running ‘pcs host deauth’), then node A cannot communicate with node B, nor with itself.

You can see in TEST1 that if you first authenticate node A against itself, it cannot send the new token to node B because it doesn’t have its token. Then if you try to auth node B on node A, node A is then able to send the new token to itself and also to node B. In TEST2, node A auths against node B first. A new token will be sent only to node B because only the token for node B is present on node A at the moment.

I will note here that pcs doesn’t know the name of the node on which the authentication command was executed. Because of the lack of this information, pcs is unable to detect such a situation and save the new token locally (not via network). After the first ‘pcs host auth’ command, node A doesn’t have tokens for any node in the cluster. Therefore auth of node A on node A will not be able to sync the new token to node B. So to avoid this issue, you should either authenticate the local node to itself first or authenticate nodes including the local node. Another option is to run ‘pcs cluster auth’ on a node which already has tokens of all nodes, which will try to authenticate all nodes in the cluster against each other.

We went through this issue again to see if there is anything to be done in pcs to improve the described situation.

As Ondrej already explained, the described behavior is expected. We discussed several ideas, including storing tokens locally if storing them over the network fails. We found out that such functionality would not ensure that all nodes are authenticated. Moreover, it would hide the fact that they are not (see the explanation below). That would only lead to users getting errors later, which is something we want to avoid. That being said, the described behavior is not only expected, it is also correct.

The proper way of dealing with this issue is:
A) run "pcs cluster auth", which makes sure all nodes in the cluster are authenticated, or
B) run "pcs host auth" for the local node first, or include the local node in the list of nodes to auth

Explanation - why saving tokens locally would not help:
1. 2-node cluster, nodes A and B are authenticated to themselves and each other
2. "pcs host deauth" on node A
3. node B is authenticated to nodes B and A, node A is not authenticated to anything
4. "pcs host auth B" on node A - the pcs process on node A gets a token for node B, stores it in memory and sends it to nodes A and B. Sending to node A fails since there is no token for node A on node A. Detecting this, pcs stores the token for node B from memory to the local file on node A.
5. node B is authenticated to nodes B and A, node A is authenticated to node B only
6. "pcs cluster start --all" on node A fails since node A does not have any token for node A and therefore it cannot connect to it
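The token-distribution rule the comments above describe (a node can only push new tokens to the cluster members, itself included, for which it already holds a token, and pcs cannot tell which node is the local one) can be traced through as a small model. The following is an added Python illustration written for this page, not pcs source code: `Cluster`, `host_auth`, `host_deauth`, `cluster_auth` and `can_start_all` are hypothetical stand-ins for the ‘pcs host auth’, ‘pcs host deauth’, ‘pcs cluster auth’ and ‘pcs cluster start --all’ commands, the token strings are constructed, and the `store_locally_on_failure` switch models the rejected idea from the explanation above. It reproduces TEST1, TEST2, options A and B, and the six-step walkthrough showing why a local fallback store would still leave node A unable to start the cluster.

```python
"""Model of the pcs auth-token sync behavior described in the bug comments.

Added illustration only; not pcs code.  Token values are constructed.
"""
from itertools import count

_serial = count(1)


def _new_token(node):
    """Constructed stand-in for a token issued by pcsd on `node`."""
    return f"tok-{node}-{next(_serial)}"


class Cluster:
    """Every node keeps its own token file: {peer_name: token}."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.tokens = {n: {} for n in self.nodes}

    def _distribute(self, on, new_tokens, store_locally_on_failure):
        # Assumption from the comments: when the node is a cluster member the
        # new tokens are always synced over the network to every member.  A
        # send to node `n` needs a token for `n`, either one already in the
        # local file or one just obtained.  The local file of `on` is updated
        # only through a successful send to `on` itself, because pcs does not
        # know which node it is running on.
        available = {**self.tokens[on], **new_tokens}
        synced, failed = [], []
        for n in self.nodes:
            if n in available:
                self.tokens[n].update(new_tokens)
                synced.append(n)
            else:
                failed.append(n)
        if failed and store_locally_on_failure:
            # The rejected idea: fall back to writing the in-memory tokens
            # into the local file when the network sync fails.
            self.tokens[on].update(new_tokens)
        return synced, failed

    def host_auth(self, on, targets, store_locally_on_failure=False):
        """'pcs host auth <targets...>' executed on node `on`."""
        new_tokens = {t: _new_token(t) for t in targets}
        return self._distribute(on, new_tokens, store_locally_on_failure)

    def host_deauth(self, on):
        """'pcs host deauth' without arguments: remove all tokens on `on`."""
        self.tokens[on].clear()

    def cluster_auth(self, on):
        """'pcs cluster auth' executed on `on`: authenticate all members."""
        return self.host_auth(on, self.nodes)

    def can_start_all(self, on):
        """'pcs cluster start --all' needs a token for every member (the local
        node included) in the token file of the node that runs it."""
        return all(n in self.tokens[on] for n in self.nodes)


def fresh_two_node_cluster():
    """Nodes A and B authenticated to themselves and to each other."""
    c = Cluster(["A", "B"])
    c.cluster_auth("A")
    return c


def scenario_auth_peer_first():
    """TEST2: deauth A, then 'pcs host auth B' on A.  A never gets its own token."""
    c = fresh_two_node_cluster()
    c.host_deauth("A")
    synced, failed = c.host_auth("A", ["B"])
    return synced, failed, c.can_start_all("A")


def scenario_auth_self_first():
    """TEST1 / option B: deauth A, 'pcs host auth A' on A, then 'pcs host auth B'."""
    c = fresh_two_node_cluster()
    c.host_deauth("A")
    first = c.host_auth("A", ["A"])
    second = c.host_auth("A", ["B"])
    return first, second, c.can_start_all("A")


def scenario_cluster_auth_from_peer():
    """Option A: 'pcs cluster auth' on B, which still holds tokens for A and B."""
    c = fresh_two_node_cluster()
    c.host_deauth("A")
    synced, failed = c.cluster_auth("B")
    return synced, failed, c.can_start_all("A")


def scenario_local_fallback():
    """Steps 1-6 of the explanation: the local fallback hides the failure but
    A still lacks a token for itself, so 'pcs cluster start --all' fails."""
    c = fresh_two_node_cluster()
    c.host_deauth("A")
    synced, failed = c.host_auth("A", ["B"], store_locally_on_failure=True)
    return synced, failed, c.can_start_all("A")
```

The visible failure in `scenario_auth_peer_first` is the error message this bug reports; the `store_locally_on_failure` variant turns that into a silent success whose `can_start_all` result is still false, which is the reason the comments give for leaving the behavior as it is.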