
etcdserver: fix cannot promote member from follower when auth is enabled #21504

Closed
yashrajshuklaaa wants to merge 1 commit into etcd-io:release-3.5 from yashrajshuklaaa:fix-promote-auth-3.5

@yashrajshuklaaa

Fixes #20757

What this PR does

When auth is enabled and a member promote request is submitted to a
follower node, the follower forwards the request to the leader via the
peer HTTP API. The Authorization header from the original client
request was not being propagated into the gRPC metadata context of the
forwarded call. As a result, the leader's auth middleware rejected the
request with auth: user name is empty, causing the operation to fail
and time out.

This backports the fix from #20792 (merged to main and release-3.6
via #20874) to the release-3.5 branch.

Changes

  • Propagate Authorization header into gRPC metadata context before
    calling PromoteMember in peerMemberPromoteHandler

How to reproduce the bug

  1. Start a 2-member etcd cluster with auth enabled
  2. Add a learner member
  3. Send a member promote request to the follower endpoint
  4. Without fix: fails with auth: user name is empty
  5. With fix: promote succeeds

When auth is enabled and a promote request is sent to a follower,
the follower forwards the request to the leader via the peer HTTP
channel. However, the Authorization header from the original client
request was not being propagated into the gRPC metadata context,
causing the leader's auth check to fail with 'auth: user name is empty'.

Fix this by extracting the Authorization token from the incoming HTTP
header and injecting it into the context as gRPC metadata before
calling PromoteMember.

Fixes: etcd-io#20757
Signed-off-by: Yashraj Shukla <shuklayashraj68@gmail.com>
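
Added example, not part of this PR or of etcd's code: a standard-library Go model of the behaviour described above, where the peer HTTP handler must copy the Authorization header into the context that the auth check reads. The context key stands in for gRPC metadata, and the function names, path and token are constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type tokenKey struct{} // stand-in for the gRPC metadata entry (assumption)

// promoteMember models the leader's auth check: it trusts only the context.
func promoteMember(ctx context.Context, tokens map[string]string) error {
	tok, _ := ctx.Value(tokenKey{}).(string)
	if tokens[tok] == "" {
		return errors.New("auth: user name is empty")
	}
	return nil
}

// peerPromoteHandler models the peer endpoint; propagate=false drops the token.
func peerPromoteHandler(propagate bool, tokens map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		if tok := r.Header.Get("Authorization"); propagate && tok != "" {
			ctx = context.WithValue(ctx, tokenKey{}, tok)
		}
		if err := promoteMember(ctx, tokens); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
		}
	})
}

// forwardPromote replays a forwarded promote request carrying the client's token.
func forwardPromote(propagate bool, clientToken string) (int, string) {
	tokens := map[string]string{"constructed-token-1": "root"} // constructed sample
	req := httptest.NewRequest(http.MethodPost, "/promote/1", nil) // hypothetical path
	req.Header.Set("Authorization", clientToken)
	rec := httptest.NewRecorder()
	peerPromoteHandler(propagate, tokens).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(forwardPromote(false, "constructed-token-1")) // header not propagated
	fmt.Println(forwardPromote(true, "constructed-token-1"))  // header propagated
}
```
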
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yashrajshuklaaa
Once this PR has been reviewed and has the lgtm label, please assign ahrtr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot

Hi @yashrajshuklaaa. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yashrajshuklaaa
Author

Hi @ahrtr, this is a backport of #20792 to release-3.5 to fix #20757.
I noticed you requested a 3.5 backport on Oct 31, 2025. Happy to make
any changes if needed.
Could you please trigger the CI with /ok-to-test?

@ahrtr
Member

ahrtr commented Mar 20, 2026

You didn't backport the test case in this PR. Another contributor already backported the whole PR in #21494.

thx for your effort anyway.

@ahrtr ahrtr closed this Mar 20, 2026