AUTH error when working with Envoy proxy after upgrading from v8 to v9 #2509

Open
vandyvilla opened this issue Mar 30, 2023 · 4 comments

@vandyvilla

vandyvilla commented Mar 30, 2023

Issue tracker is used for reporting bugs and discussing new features. Please use
stackoverflow for supporting issues.

The v8 client is able to talk to a Redis cluster fronted by an Envoy proxy. After upgrading to v9, it shows AUTH errors.

Expected Behavior

The client should still be able to talk to the proxy.

Current Behavior

It shows AUTH errors.
NOAUTH Authentication required.

Possible Solution

Steps to Reproduce

Code Snippet:
// proxyAddr, proxyUsername and proxyPassword stand for the proxy's address and credentials
rOpts := &redis.Options{Addr: proxyAddr, Username: proxyUsername, Password: proxyPassword}
client := redis.NewClient(rOpts)
cmdStatus := client.Set(ctx, "key", "value", 0)

Context (Environment)

Detailed Description

Possible Implementation

@vandyvilla vandyvilla changed the title Stop working with Envoy proxy after upgrading from v8 to v9 AUTH error when working with Envoy proxy after upgrading from v8 to v9 Mar 30, 2023
@monkey92t
Collaborator

monkey92t commented Mar 30, 2023

The certification process for versions 8 and 9 is as follows:

In v8, AuthACL (username + password) or Auth (password only):

if password != "" {
        if username != "" {
                client.AuthACL(ctx, username, password)
        } else {
                client.Auth(ctx, password)
        }
}

In v9, the HELLO command is used for authentication. For Redis servers that do not support the HELLO command (< Redis 6), authentication will continue to be performed using the v8 method.

err := conn.Hello(3, username, password)
if err != nil {
        // call v8 auth
}

@monkey92t
Collaborator

The authentication method of v9 works well with all Redis servers, but I am not sure how your proxy works. It is possible that your proxy supports the hello command but does not perform authentication.

If the hello command is successfully executed in go-redis v9, authentication using AuthACL/Auth will not be performed again.

In the redis-doc: "AUTH <username> <password>: directly authenticate the connection in addition to switching to the specified protocol version. This makes calling AUTH before HELLO unnecessary when setting up a new connection."

@vandyvilla
Author

It turns out the envoy proxy returns error:
unsupported command 'hello'

while the client hardcoded the error message parsing, which doesn't match the above error:
} else if !strings.HasPrefix(err.Error(), "ERR unknown command") { return err }

Since this auth behavior change could break other redis compatible proxy cases, should we consider adding an option for disabling using hello for auth and doing auth the old way if needed?

Thanks for the support!

@monkey92t
Collaborator

There is a lack of error types in redis-server, and it only responds with human-readable error messages. When dealing with certain errors, we have to compare error strings to get a result.
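
The HELLO-then-AUTH decision discussed in this thread, as an added example that is not go-redis code: `strictCheck` mirrors the prefix test quoted above, while `tolerantCheck` is a hypothetical variant that also treats the Envoy wording as "HELLO not implemented" and still fails the connection on credential errors. The function names, and the sample replies marked as constructed, are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// helloAction is what a client does after HELLO fails during connection setup.
type helloAction int

const (
	fallbackToAuth helloAction = iota // HELLO not implemented: authenticate with AUTH
	failConnection                    // anything else: surface the error, fail closed
)

// strictCheck mirrors the prefix test quoted in the thread.
func strictCheck(err error) helloAction {
	if strings.HasPrefix(err.Error(), "ERR unknown command") {
		return fallbackToAuth
	}
	return failConnection
}

// tolerantCheck (hypothetical) also accepts the Envoy wording from the thread.
// Credential and NOAUTH replies never trigger a fallback.
func tolerantCheck(err error) helloAction {
	msg := strings.ToLower(strings.TrimPrefix(err.Error(), "ERR "))
	for _, p := range []string{"unknown command", "unsupported command"} {
		if strings.HasPrefix(msg, p) {
			return fallbackToAuth
		}
	}
	return failConnection
}

func main() {
	// Sample replies: the 2nd and 3rd are quoted in the thread, the others are constructed.
	samples := []string{
		"ERR unknown command 'HELLO'",
		"unsupported command 'hello'",
		"NOAUTH Authentication required.",
		"WRONGPASS invalid username-password pair",
	}
	for _, s := range samples {
		e := errors.New(s)
		fmt.Printf("%-45q strict=%d tolerant=%d\n", s, strictCheck(e), tolerantCheck(e))
	}
}
```

A value of 0 means "fall back to AUTH" and 1 means "fail the connection"; only the Envoy reply is classified differently by the two checks.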
