-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
etcd client v3 v3.5.0 sends invalid :authority
header field value
#13192
Comments
Any news? This issue prevents us from using a proxy between etcd client and server. |
Please fix this issue, as linkerd-proxy (using the a rust h2 lib) prevents this traffic from passing due to this invalid authority header value! |
We also hit by this issue. This prevents us to use AWS Application Load Balancers in front of our etcd clusters and that blocks upgrading. Also this breaks Kubernetes 1.22 as the apiserver couldn't connect to the etcd cluster because of this. |
Looks like an expected implementation
Line 302 in 4cbb949
There has been some kind of protocol-level change here which is perhaps breaking the etcd clients going through proxy? |
As far as I understand the |
the expected implmentation did not occur here:
someone needs to troubleshoot why that is. Perhaps an upstream library (maybe grpc) is having trouble parsing the expected value and is producing this partial value instead. This release should be considered broken until it's fixed. And since this header is so important for proxying to actually work, perhaps a test case needs to be added to ensure it has the expected value. |
Obviously sending |
@menghanl Could you, please, recommend a solution related to grpc client side load-balancing ?
Double checking it's the expected behaviour. Assuming the grpc behaviour is WAI, I see following options: A) For single-endpoint clients do not register the resolver B) Configure grpc explicitly using WithAuthority, providing the arbitrary chosen endpoint if there are multiple given by the user. |
The authority is not set to the server name. This is grpc/grpc-go#4516. Does the client use TLS or other creds? |
Hey, I can take a look into implementing the fix. I have only one question about solution proposed by @ptabor in #13192 (comment)
Is it ok to just pick first endpoint? or maybe allow users to provide their own authority |
I would pick the first endpoint and wait for use-cases that would require having an user-driven authority. |
sg, on question of tests. What is the best way to test authority value. I see two option:
Any preferences or other suggestions? |
One concern when you use wrong authority in |
Sent a draft PR, PTAL |
I had a same issus, when use istio service mesh. the etcd client can not connect etcd server because of the request [:authority] header of client is invalid, from rfc3986, the http2 authority header should be this
but now etcd clientv3 authority header like it
so istio envoy proxy can not forword request and print error:
some one has a solution about this? |
Marek keeps looking into this problems and facing different trade-offs. |
In our usecase, we specify multiple endpoints to etcd client configuration. At the same time, we have a client-facing proxy at the remote endpoint for some reason. So the load balancing is done at the client, and we use proxy at the remote. |
This means that we need to provide proper authority to each of the endpoints. Solution proposed by @ptabor would not be enough to fix this. Problem with authority was caused when switching from internal loadbalancing implementation to official grpc one. Based on grpc/grpc-go#4717 it doesn't look that current grpc implementation is not able to support what we need. This prompts me to propose revert to internal implementation. When trying to implement @ptabor I stumbled upon lot's of problems with tests. Even small changes in logic could result in code going into different URL parser branch and break some tests. I also found discrepancies between integration and e2e tests on edge cases. For example "unix://localhost:m00" address cannot be used in e2e (not correct URL due to bad port), but is used by integration tests that don't use same validation and depend on multiple edge cases that should not normally happen. Overall conclusion is that we need a set of robust e2e tests that will verify each officially supported name syntax. List of name patterns should be taken from https://github.com/grpc/grpc/blob/master/doc/naming.md. This should ensure that any fix we implement will not break any other case and confirm that revert and future reimplementation will work properly with authority header. |
I have confirmed that both etcd and grpc never supported passing correct Code on grpc side:
I have confirmed behavior on etcd v3.4.16 with simple test: Run etcd cluster with http2debug enabled (recommended to run each etcd in separate console)
Run etcdctl with multiple endpoints
Look for log
No matter which member gets requests, authority is always equal to address of first member. Based on this results I conclude that Etcd was never able to provide correct |
I think the proposed fix is good enough to resolve this issue. |
Open |
1 similar comment
Open |
Starting from etcd v3.5.0, etcd client v3 sends invalid
:authority
header field value which violates RFC.Suppose we created a client like so:
And started making a connection and tried to get some stuff from etcd server.
In the previous etcd client v3, it sends
:authority
header field value like this:But now with the v3.5.0, it sends like this:
According to the RFC7540,
:authority
header field contains the authority portion of the target URI.RFC3986 dictates that authority is:
#initially=[https://example.com:2379]
is not a valid authority.It seems to me that there might be a bug in the code that authority is not parsed or extracted correctly.
The annoying fact of this issue is that it works if server does not validate the invalid field value. But if you have a proxy between client and server which checks some non-compliant octets, then proxy refuses a request.
The text was updated successfully, but these errors were encountered: