slorello89
commented
1 week ago Are you putting your password in the ConfigurationOptions? because it should call the AUTH automatically.
Closed dbarbosapn closed 4 days ago
slorello89
commented
1 week ago Are you putting your password in the ConfigurationOptions? because it should call the AUTH automatically.
dbarbosapn
commented
1 week ago Yes, we are. You can even see on the logs it shows "Authenticating (password)".
This is really weird
slorello89
commented
1 week ago Maybe try giving each of your ConfigurationOptions a unique SocketManager? That is a shared resource unless you overwrite it (though I wouldn't think it would matter because presumably all of your clusters are at different endpoints).
dbarbosapn
commented
1 week ago Yes all clusters are different endpoints... Also maybe important information is that we see the AUTH call incoming on server-side, and we know it is authenticated successfully. Makes no sense how it would show NOAUTH after. But we cannot see the response the client is seeing, since it's not logged by the StackExchange.Redis SDK 😢
dbarbosapn
commented
1 week ago Using separate socket manager instance didn't fix the issue. Same exact symptoms (logs look the same as well).
mgravell
commented
1 week ago Ok, this is very weird! To confirm, there should be no ambient state in play here, so I'm very confused. I'll ping you on Teams (myself and Nick are also MSFT) - it may be easier to get to the bottom of this directly rather than on GitHub (and obviously any fixes/knowledge-gained can still work their way back here).
mgravell
commented
1 week ago Just updating the public logs; envoy proxy is in play here; by adding RESP logging, it looks like we're seeing something very odd;
outbound:
AUTH whatever
PING(where the PING is a critical tracer to check that we think the server is behaving properly)
inbound:
+OK
-NOAUTHBut with the weird timing complication; the other servers in the timing matrix are not behind envoy. Investigations continue.
dbarbosapn
commented
1 week ago Updated the title and updating here with what we think is the root cause so far. (Thanks a lot @mgravell and @NickCraver for the help building a repro!)
Even though Envoy connections are single-threaded by nature, when external authentication (new feature, more info here) is enabled, the authentication is done asynchronously.
This means that if the AUTH command is pipelined with the PING command, we will have exactly the repro we've seen.
mgravell
commented
1 week ago Emphasis: fundamentally this is an envoy bug. They must not process commands out of order (even if they buffer the response until appropriate) if the connection state is relevant, and here: the connection state is relevant. Is this logged with envoy? If not, I'm happy to log it.
dbarbosapn
commented
1 week ago mgravell
commented
4 days ago Envoy fix merged; closing - thanks for the report; between us we got to the bottom of it!
Hello,
We have a situation where our Redis client is returning NOAUTH during the connection flow, but if we manually connect to it through redis-cli and send an
AUTH <password>command, from that exact same machine, we get OK and can send other commands after.There is no place where we can see the actual result of the AUTH command sent by the SDK since, from what we've seen in code, it's a fire and forget message. Any ideas how to debug this?
Important Note We have multiple redis clusters that we're connecting to. If we put this cluster first, it works. If we put it last, it doesn't!
For example, this doesn't work:
But this does:
We're wondering if somehow the multiplexer might be using a wrong connection from a completely different instance. If there is some kind of static or thread-local state.
Some logs: