MB-64910 MB-61292: Change behavior of bucket deks callbacks

timofey-barmin · timofey-barmin · commit fbd71be0da56 · 2025-02-26T18:00:20.000Z
Change #1: set_active_key for buckets should treat enoent and not_supported as "bucket not found". When bucket is on disk, but not in memcached (e.g. when cluster membership is inactiveAdded or inactiveFailed), we can't push keys to memcached. If we treat it as error (behavior before this this change), we won't be able to modify encryption-at-rest settings because cb_cluster_secrets update_bucket_deks status will show error (issues list will not be empty). At the same time it seems ok to treat as ok, because memcached is not encrypting any data in this bucket, so it doesn't need new keys. When bucket is activated (e.g. we add node back to the cluster), ns_memcached will push actual keys to memcached in create_bucket. Change #2: Treat not_found in set_active_key as ok, but only when ns_memcached process doesn't exist before set_active_key attempt. This is important in order to avoid races when set_active_key and create_bucket are called in parallel. Basically the following scenario: 1. (process1) ns_memcached fetches old keys 2. (process2) set_active_dek is called (and gets not_found) 3. (process1) ns_memcached creates the bucket with old keys 4. (process1) ns_memcached crashes 5. (process2) we check if ns_memcached is running and return ok 6. Bucket is created with old keys Change #3: get_dek_id_in_use should return not_found when bucket doesn't exist or when memcached returns not_supported. Reasoning is the same as in change #1. Basically when there is no bucket in memcached, we should assume that all current deks are still in use and don't drop anything. The goal of the change is to not treat it as error basically, because it leads to the situation when we can't modify encryption-at-rest settings. Change-Id: I63cc3e2d7ddbadf5f5866c662858c0dd2d81b270 Reviewed-on: https://review.couchbase.org/c/ns_server/+/223510 Tested-by: Timofey Barmin <timofey.barmin@couchbase.com> Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Navdeep S Boparai <navdeep.boparai@couchbase.com>
diff --git a/apps/ns_server/src/cb_cluster_secrets.erl b/apps/ns_server/src/cb_cluster_secrets.erl
@@ -1562,6 +1562,9 @@ garbage_collect_deks(Kind, Force, #state{deks = DeksInfo} = State) ->
                     %% The entity that uses deks does not exist.
                     %% Ignoring it here because we assume that deks will
                     %% be removed by maybe_update_deks
+                    %% It is possible that bucket exists on disk, but not in
+                    %% memcached. In this case it is important to not remove
+                    %% any deks here. It is not an error either.
                     {ok, State};
                 {succ, {error, Reason}} ->
                     {error, State, Reason};
diff --git a/apps/ns_server/src/ns_memcached.erl b/apps/ns_server/src/ns_memcached.erl
@@ -1886,7 +1886,39 @@ set_tls_config(Config) ->
 
 set_active_dek_for_bucket(Bucket, _ActiveDek) ->
     {ok, DeksSnapshot} = cb_crypto:fetch_deks_snapshot({bucketDek, Bucket}),
-    set_active_dek(Bucket, DeksSnapshot).
+    NsMemcachedExists = (whereis(server(Bucket)) =/= undefined),
+    case set_active_dek(Bucket, DeksSnapshot) of
+        ok -> ok;
+        {error, not_found} -> %% bucket does not exist
+            case NsMemcachedExists of
+                true ->
+                    %% ns_memcached is running, we should retry when bucket
+                    %% is created
+                    {error, retry};
+                false ->
+                    %% ns_memcached was not running before the call, so it is
+                    %% safe to return ok
+                    %% If bucket needs to be created, ns_memcached will create
+                    %% it and use newest keys. If bucket doesn't need to be
+                    %% created (e.g. it is failed over), there is no need to
+                    %% notify memcached at all.
+                    %% Note that it is important that we check if ns_memcached
+                    %% is running before calling set_active_dek, otherwise it is
+                    %% possible that ns_memcached creates the bucket with old
+                    %% keys:
+                    %% 1. ns_memcached fetches old keys
+                    %% 2. this process calls set_active_dek (and gets not_found)
+                    %% 3. ns_memcached creates the bucket with old keys
+                    %% 4. ns_memcached crashes
+                    %% 5. we check if ns_memcached is running and returning ok
+                    ?log_debug("Ignoring not_found when setting encryption "
+                               "keys for bucket ~p (bucket doesn't seem to "
+                               "exist in memcached)", [Bucket]),
+                    ok
+            end;
+        {error, E} ->
+            {error, E}
+    end.
 
 set_active_dek(TypeOrBucket, DeksSnapshot) ->
     ?log_debug("Setting active encryption key id for ~p: ~p...",
@@ -1905,10 +1937,24 @@ set_active_dek(TypeOrBucket, DeksSnapshot) ->
             ?log_debug("Setting encryption key for ~p succeeded",
                        [TypeOrBucket]),
             ok;
-        {error, couldnt_connect_to_memcached} -> {error, retry};
+        {error, couldnt_connect_to_memcached} ->
+            ?log_debug("Setting encryption key for ~p failed: "
+                       "couldnt_connect_to_memcached", [TypeOrBucket]),
+            {error, retry};
         %% It can happen during start, when bucket is not created yet
-        {error, {key_enoent, undefined}} -> {error, retry};
-        {error, {not_supported, undefined}} -> {error, retry};
+        {error, {key_enoent, undefined}} ->
+            ?log_debug("Setting encryption key for ~p failed: "
+                       "key_enoent", [TypeOrBucket]),
+            {error, not_found};
+        {error, {not_supported, undefined}} ->
+            ?log_debug("Setting encryption key for ~p failed: "
+                       "not_supported", [TypeOrBucket]),
+            %% memcached returns not supported for buckets
+            %% that exist on other nodes, but not on this node
+            %% (ns_server uploads terse bucket info for such
+            %% buckets), so from encryption perspective
+            %% it is the same as when bucket does not exist
+            {error, not_found};
         {error, E} ->
             ?log_error("Setting encryption key for ~p failed: ~p",
                        [TypeOrBucket, E]),
@@ -1920,27 +1966,39 @@ sanitize_in_use_keys(InUseKeys) ->
                   (K) -> K
               end, InUseKeys).
 
-get_dek_ids_in_use(BucketOrType, StatsFn) ->
+get_dek_ids_in_use(Bucket, StatsFn) ->
     RV = perform_very_long_call(
            fun (Sock) ->
                    case mc_binary:quick_stats(Sock, <<"encryption-key-ids">>,
                                               StatsFn, []) of
                        {ok, Ids} ->
                            {reply, {ok, Ids}};
+                       {memcached_error, not_supported, _} ->
+                           %% memcached returns not supported for buckets
+                           %% that exist on other nodes, but not on this node
+                           %% (ns_server uploads terse bucket info for such
+                           %% buckets), so from encryption perspective
+                           %% it is the same as when bucket does not exist
+                           ?log_debug("Get deks in use for ~p returned "
+                                      "not_supported", [Bucket]),
+                           {reply, {error, not_found}};
                        {memcached_error, Error, Msg} ->
                            ?log_error("Failed to get dek ids in use for "
-                                      "~p: ~p", [BucketOrType, {Error, Msg}]),
+                                      "~p: ~p", [Bucket, {Error, Msg}]),
                            {reply, {error, Error}}
                    end
-           end, BucketOrType),
+           end, Bucket),
 
     case RV of
         {ok, _} -> RV;
-        {error, couldnt_connect_to_memcached} -> {error, retry};
+        {error, couldnt_connect_to_memcached} ->
+            {error, retry};
         %% It can happen during start, when bucket is not created yet
         {error, {select_bucket_failed,
-                 {memcached_error, key_enoent, undefined}}} -> {error, retry};
-        {error, E} -> {error, E}
+                 {memcached_error, key_enoent, undefined}}} ->
+            {error, not_found};
+        {error, E} ->
+            {error, E}
     end.
 
 get_dek_ids_in_use(Type) when Type =:= "@audit"; Type =:= "@logs" ->
