
Calling a lock on an etcd with an active lease sometimes results in a permission denied error

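/// <summary>
/// Diagnostic endpoint: opens a mutual-TLS gRPC channel to etcd, grants a 15-second lease,
/// then requests the election lock under that lease and prints the lock response.
/// </summary>
/// <remarks>
/// NOTE(security): this is debugging scaffolding. It embeds the client private key in source and
/// accepts any server certificate; neither should reach a shared branch or a deployed build.
/// </remarks>
/// <returns>A task that completes once the lock response has been written to the console.</returns>
[HttpGet("test")]
public async Task Test()
{
    // NOTE(review): GRPC_VERBOSITY / GRPC_TRACE are read by the native gRPC C-core library.
    // The managed GrpcChannel built below logs through LoggerFactory instead, so these two
    // variables presumably have no effect here - confirm which gRPC stack is in use.
    Environment.SetEnvironmentVariable("GRPC_VERBOSITY", "DEBUG");
    Environment.SetEnvironmentVariable("GRPC_TRACE", "all");

    var connectionString = "dns:///etcd-stg-3.company.net:2379";

    // Retry only on Unavailable: at most 5 attempts, backoff growing from 1s to 5s by a factor of 1.5.
    MethodConfig defaultMethodConfig = new()
    {
        Names = { MethodName.Default },
        RetryPolicy = new RetryPolicy
        {
            MaxAttempts = 5,
            InitialBackoff = TimeSpan.FromSeconds(1),
            MaxBackoff = TimeSpan.FromSeconds(5),
            BackoffMultiplier = 1.5,
            RetryableStatusCodes = { Grpc.Core.StatusCode.Unavailable }
        }
    };

    RetryThrottlingPolicy defaultRetryThrottlingPolicy = new()
    {
        MaxTokens = 10,
        TokenRatio = 0.1
    };

    // SECURITY: a private key must not live in source code. Load the certificate and key from a
    // secret store or a protected file at runtime, and treat any key that was ever committed or
    // pasted into a public post as exposed (rotate it).
    var clientCert = "-----BEGIN CERTIFICATE-----\nMIIEFjCCA...2KwGbfq\n-----END CERTIFICATE-----";
    var clientKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIB...Qsu22wlZ\n-----END RSA PRIVATE KEY-----";
    using var clientCertificate = X509Certificate2.CreateFromPem(clientCert, clientKey);
    var caStr = "-----BEGIN CERTIFICATE-----\nMII...RCem\n-----END CERTIFICATE-----";
    using var caCertificate = new X509Certificate(Encoding.UTF8.GetBytes(caStr));

    // NOTE(review): ClientCertificates is the set offered to the server for client authentication.
    // Adding the CA here does not make it a trust anchor for the server's certificate.
    X509CertificateCollection collection = new X509Certificate2Collection();
    collection.Add(clientCertificate);
    collection.Add(caCertificate);

    var sslOptions = new SslClientAuthenticationOptions
    {
        // SECURITY: this callback accepts every server certificate, so the client certificate and
        // all lease/lock traffic can be sent to whichever endpoint answers on this address.
        // Kept only because the original marks it as a debugging aid. Before real use, validate
        // the chain against the CA above (X509Chain with X509ChainTrustMode.CustomRootTrust) and
        // reject any SslPolicyErrors that remain.
        RemoteCertificateValidationCallback = delegate { return true; },
        ClientCertificates = collection,
    };

    // Disposed at the end of the method; the original left the handler and its sockets to the GC.
    using var socketHandler = new SocketsHttpHandler
    {
        SslOptions = sslOptions,
    };

    var options = new GrpcChannelOptions
    {
        ServiceConfig = new ServiceConfig
        {
            MethodConfigs = { defaultMethodConfig },
            RetryThrottling = defaultRetryThrottlingPolicy,
            LoadBalancingConfigs = { new RoundRobinConfig() }
        },
        HttpHandler = socketHandler,
        Credentials = ChannelCredentials.SecureSsl,
        LoggerFactory = _serviceProvider.GetRequiredService<ILoggerFactory>(),
    };

    // The channel owns connections and resolver/balancer state; release it when the request ends.
    using var channel = GrpcChannel.ForAddress(connectionString, options);
    var lockClient = new Lock.LockClient(channel);
    var leaseClient = new Lease.LeaseClient(channel);

    // Client-chosen lease ID from the shared non-cryptographic generator (no per-call Random).
    // NOTE(review): etcd picks the ID itself when the request leaves ID at 0 - confirm whether a
    // client-side ID is needed at all.
    var lease = await leaseClient.LeaseGrantAsync(
        new LeaseGrantRequest { ID = Random.Shared.NextInt64(), TTL = 15 });

    // DateTime.UtcNow already has Kind == Utc, so no re-wrapping is needed for the 7s deadline.
    var lockRes = await lockClient.LockAsync(
        new LockRequest
        {
            Lease = lease.ID,
            Name = ByteString.CopyFromUtf8("/ic-me-daemon-global-sync/election")
        },
        deadline: DateTime.UtcNow.AddSeconds(7));
    Console.WriteLine(lockRes);
}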

I never receive a permission denied error for the LeaseGrant call, only for the Lock call. The etcd server log shows this error message for the failing call: "error":"auth: user name is empty"

How can I debug this problem? Setting LoggerFactory did not help.

user3555620