auth-token: sign-method HS256 and TTL options are not working on etcd 3.3.x

[ajithcnambiar]

What's the issue:

1. TTL option is not working when specified with --auth-token flag on version 3.3.x
2. HS256 is not working when specified as value for sign-method with --auth-token on version 3.3.x

3.3.13 Documentation mentions these options are supported.

Background
With --auth-token set to default (simple), observed that updates are not propagated to etcd watcher after etcd servers are restarted. Following 8914 and design-auth-v3, wanted to use --auth-token as jwt,sign-method=HS256,priv-key=/path/to/secret,ttl=60m. But it looks like HS256 and TTL are not supported on 3.3.x.
RS512 without TTL works well jwt,priv-key=/path/to/priv-key,pub-key=/path/to/pub-key,sign-method=RS512.

From 8302 and 9883, it looks like these support started from 3.4.x. So it is just a documentation bug on 3.3.x? Or am I missing something?

Steps to Replicate

• auth-token with HS256 and TTL

rm -rf /tmp/etcd-data.tmp && mkdir -p /tmp/etcd-data.tmp && \
docker run --rm \
-p 2379:2379 \
-p 2380:2380 \
--mount type=bind,source=/tmp/etcd-data.tmp,destination=/etcd-data \
--mount type=bind,source=/tmp/server-ecdsa.key.insecure,destination=/tmp/server-ecdsa.key.insecure \
--name etcd-gcr-v3.3.13 \
gcr.io/etcd-development/etcd:v3.3.13 \
/usr/local/bin/etcd \
--name s1 \
--data-dir /etcd-data \
--listen-client-urls http://0.0.0.0:2379 \
--advertise-client-urls http://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://0.0.0.0:2380 \
--initial-cluster s1=http://0.0.0.0:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new \
--auth-token jwt,sign-method=HS256,priv-key=/tmp/server-ecdsa.key.insecure,ttl=60m

Error logs

2020-11-12 22:25:47.254291 E | auth: unknown token specific option: ttl
2020-11-12 22:25:47.254384 E | etcdserver: failed to create token provider: auth: invalid auth options
2020-11-12 22:25:47.255702 C | etcdmain: auth: invalid auth options

• auth-token with HS256 and without TTL

rm -rf /tmp/etcd-data.tmp && mkdir -p /tmp/etcd-data.tmp && \
docker run --rm \
-p 2379:2379 \
-p 2380:2380 \
--mount type=bind,source=/tmp/etcd-data.tmp,destination=/etcd-data \
--mount type=bind,source=/tmp/server-ecdsa.key.insecure,destination=/tmp/server-ecdsa.key.insecure \
--name etcd-gcr-v3.3.13 \
gcr.io/etcd-development/etcd:v3.3.13 \
/usr/local/bin/etcd \
--name s1 \
--data-dir /etcd-data \
--listen-client-urls http://0.0.0.0:2379 \
--advertise-client-urls http://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://0.0.0.0:2380 \
--initial-cluster s1=http://0.0.0.0:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new \
--auth-token jwt,sign-method=HS256,priv-key=/tmp/server-ecdsa.key.insecure

Error logs

2020-11-12 22:26:15.723239 E | auth: failed to read public key () for jwt: open : no such file or directory
2020-11-12 22:26:15.723281 E | etcdserver: failed to create token provider: open : no such file or directory

[mitake]

hi @ajithcnambiar, thanks for reporting this. Probably it's a documentation problem but let me check.

[mitake]

The change was introduced in this large PR: #10692 And as @ajithcnambiar pointed out the options aren't available in 3.3. The commits in the PR are extremely large so reverting wouldn't be realistic. We need to open a new PR for fixing in release-3.3 branch.

[mitake]

The PR #10692 has many problems not limited to the problem pointed in this PR. I shared the example problems in the PR, will wait response from the author.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.