spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

spire-server: Better status codes from BatchCreateEntry API #5444

Closed sorindumitru closed 2 weeks ago

sorindumitru commented 2 months ago

The BatchCreateEntry API currently returns a few status codes: InvalidArgument, InternalError (for most database issues) and AlreadyExists. If I try to create an entry with some invalid parameters, e.g. an entry ID that is too long or an empty list of selectors, I get back an InternalError status code. This makes it hard to differentiate between user errors (invalid entry) and database entries. I'd like to be able to differentiate between them so I know whether I need to retry creating a registration entry at a later time or whether it will never work.

sorindumitru commented 2 months ago

An example error message, using spire-server with the example config in the repo:

```
➜  spire git:(main) ✗ ./bin/spire-server entry create -entryID invalid-entry== -parentID spiffe://example.org/spire/server -spiffeID spiffe://example.org/workload -selector unix:user:root
Failed to create the following entry (code: Internal, msg: "failed to create entry: datastore-sql: invalid registration entry: entry ID contains invalid characters"):
Entry ID         : invalid-entry==
SPIFFE ID        : spiffe://example.org/workload
Parent ID        : spiffe://example.org/spire/server
Revision         : 0
X509-SVID TTL    : default
JWT-SVID TTL     : default
Selector         : unix:user:root

Error: failed to create one or more entries
```

I could parse the error message, but I'd like to stay away from that. Also happy to work on this if we agree this is something we want improved.
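The retry decision the issue is asking for, as an added example (not code from the SPIRE project): a client-side classifier that decides from the per-entry gRPC status code alone, never from the message text, whether a failed BatchCreateEntry result is permanent or worth resubmitting. The `Code` type, `EntryResult` and `fakeServer` are stand-ins assumed here so the example runs without the grpc module or a real server; the numeric values are the standard gRPC codes. The fake server can be told to report a malformed entry ID either as `Internal` (today's behaviour from the output above) or as `InvalidArgument` (the requested behaviour), which shows why the attempt cap is needed in the first case.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Code mirrors the numeric gRPC status codes from google.golang.org/grpc/codes.
// It is an assumed stand-in so this example compiles without the grpc module.
type Code uint32

const (
	OK              Code = 0
	InvalidArgument Code = 3
	AlreadyExists   Code = 6
	Internal        Code = 13
	Unavailable     Code = 14
)

// EntryResult stands in for one element of a BatchCreateEntry response:
// the entry ID that was requested and the status the server returned for it.
type EntryResult struct {
	EntryID string
	Code    Code
	Message string
}

// Retryable decides from the status code alone whether a failed result is
// worth trying again. The message text is deliberately never inspected.
func Retryable(c Code) bool {
	return c == Internal || c == Unavailable
}

// Classify partitions a batch response into entries that now exist (OK or
// AlreadyExists), entries that will never succeed (InvalidArgument) and
// entries to retry. Unknown codes count as permanent so that a code this
// client has never seen can never cause an endless retry loop.
func Classify(results []EntryResult) (done, permanent, retry []string) {
	for _, r := range results {
		switch {
		case r.Code == OK || r.Code == AlreadyExists:
			done = append(done, r.EntryID)
		case Retryable(r.Code):
			retry = append(retry, r.EntryID)
		default:
			permanent = append(permanent, r.EntryID)
		}
	}
	return done, permanent, retry
}

// ErrGaveUp is returned when entries were still retryable after the last attempt.
var ErrGaveUp = errors.New("entries still failing after max attempts")

// CreateWithRetry calls create (a stand-in for the BatchCreateEntry RPC) until
// every requested entry is created or permanently rejected. Attempts are capped:
// while validation failures surface as Internal, an invalid entry looks
// retryable and would otherwise be resubmitted forever.
func CreateWithRetry(create func(ids []string) []EntryResult, ids []string, maxAttempts int) (created, rejected, pending []string, err error) {
	pending = append([]string(nil), ids...)
	for attempt := 1; attempt <= maxAttempts && len(pending) > 0; attempt++ {
		done, permanent, retry := Classify(create(pending))
		created = append(created, done...)
		rejected = append(rejected, permanent...)
		pending = retry
	}
	sort.Strings(created)
	sort.Strings(rejected)
	if len(pending) > 0 {
		err = fmt.Errorf("%w: %v", ErrGaveUp, pending)
	}
	return created, rejected, pending, err
}

// fakeServer is a constructed stand-in for spire-server: a malformed entry ID
// comes back with invalidCode, a duplicate as AlreadyExists, and the very first
// call fails for every other entry with Unavailable (a transient datastore error).
type fakeServer struct {
	invalidCode Code // Internal mirrors today's behaviour, InvalidArgument the requested one
	calls       int
}

func (s *fakeServer) create(ids []string) []EntryResult {
	s.calls++
	out := make([]EntryResult, 0, len(ids))
	for _, id := range ids {
		switch {
		case id == "invalid-entry==":
			out = append(out, EntryResult{id, s.invalidCode, "failed to create entry: datastore-sql: invalid registration entry: entry ID contains invalid characters"})
		case id == "dup":
			out = append(out, EntryResult{id, AlreadyExists, "entry already exists"})
		case s.calls == 1:
			out = append(out, EntryResult{id, Unavailable, "datastore unavailable"})
		default:
			out = append(out, EntryResult{id, OK, ""})
		}
	}
	return out
}

func main() {
	ids := []string{"web", "dup", "invalid-entry=="}
	for _, code := range []Code{Internal, InvalidArgument} {
		srv := &fakeServer{invalidCode: code}
		created, rejected, pending, err := CreateWithRetry(srv.create, ids, 3)
		fmt.Printf("invalid entry reported as %d: created=%v rejected=%v pending=%v calls=%d err=%v\n",
			code, created, rejected, pending, srv.calls, err)
	}
}
```

With the invalid entry reported as Internal the client spends all three attempts on it and still cannot tell it apart from a database outage; once the server returns InvalidArgument the same entry is rejected on the first call and only the transient Unavailable failure is retried.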