Skip to content

Implement Aerospike client reauth and LDAP-specific failure handling#72

Open
eappere wants to merge 2 commits into
criteo:mainfrom
eappere:fix-aerospike-ldap
Open

Implement Aerospike client reauth and LDAP-specific failure handling#72
eappere wants to merge 2 commits into
criteo:mainfrom
eappere:fix-aerospike-ldap

Conversation

@eappere

@eappere eappere commented Mar 17, 2026

Copy link
Copy Markdown
Contributor

This PR adds periodic Aerospike client reauthentication, and specifically improves visibility into LDAP-specific failures.
Previously, we wouldn't detect LDAP failures our users would face as sessions are kept alive for up to 10 days (by default on Aerospike).

Changes:

  • Periodically close and recreate the Aerospike client to force reauth:
    • Added client_config.reauth_interval to Aerospike endpoint config (default: 2m)
    • Tracks the last reauth attempt, not just last successful auth time, to avoid retry floods on repeated failures
    • Note that this changes the behavior of blackbox_prober_aerospike_client_cluster_stats (as these metrics are client-side)
  • Detect LDAP-specific Aerospike result codes in the 90..99 range
    • This corresponds to LDAP-specific errors, not "invalid credential" stuff
    • Translates known codes to names when available
      - Added blackbox_prober_aerospike_ldap_specific_failures_total so that we can be paged as soon as possible (we can sum the hypothetical alert per DC to avoid alert fatigue)

Comment thread pkg/aerospike/checks.go Outdated
return hex.EncodeToString(hasher.Sum(nil))
}

func ensureAerospikeClientRefreshed(e *AerospikeEndpoint) (bool, error) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should return only errror.

Not being connected after refresh should be considered as an errror.

It will simplify all call sites

@eappere eappere Mar 17, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not being connected after refresh should be considered as an errror.

While this is going to generate logs, ultimately this should be OK, as it will classify error as latency and availability error.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done; also the error is ignored (since the function can only do anything every auth refresh interval).

Due to previous implementation details of the probe and the alerts, this results in "data unavailable" alert (not technically incorrect), rather than "availability < 100%"

Comment thread pkg/aerospike/endpoint.go
}

func (e *AerospikeEndpoint) Connect() error {
func ldapSpecificResultCode(err error) (int, string, bool) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand interest of tracking ldap specific errors. Either connection is working or not.

@eappere eappere Mar 17, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are two reasons auth could fail:

  • client side due to us passing invalid credentials
  • server-side when Aerospike server contacts LDAPS server on our behalf

Considering the second case almost always means that other users are impacted (like last Thursday), and thus almost always causes a BES, I find it desirable to have a separate metric and a separate alert, something like:

increase(blackbox_prober_aerospike_ldap_specific_failures_total[4m]) > 0

for 10min
severity=page

I have reproduced the incident on aerospikes99 and my changes and new metric catch that cleanly

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Latest commit can be removed

@eappere eappere force-pushed the fix-aerospike-ldap branch from 351d7c6 to 258765f Compare March 17, 2026 16:43
eappere added 2 commits March 19, 2026 11:06
Set 2min threshold. While less than durability check interval (10min),
it is higher than latency check interval (500ms)
…_total

Unwrap the error code and check if it is in the 90..99 range. If that is
the case, it is a LDAP-specific failure, not just some generic "invalid
creds" error code and we can quickly raise a paging alert.
@eappere eappere force-pushed the fix-aerospike-ldap branch from 258765f to 0a7f5ee Compare March 19, 2026 10:14
Comment thread pkg/aerospike/checks.go
return fmt.Errorf("error: given endpoint is not an aerospike endpoint")
}

// Ignore the error to cause probing check failure; LDAP failures are logged anyway.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still, in case of non ldap error, it won't be logged at all, leading to not knowing why we were unable to login during checks failure.
At least log an error message and let the check fails ?

Comment thread pkg/aerospike/checks.go
}

// Ignore the error to cause probing check failure; LDAP failures are logged anyway
// We get data_unavailable when LDAP failures happen, as the gauges are set unconditionally

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same than above comment

@damsallem

Copy link
Copy Markdown
Contributor

I think it will be misleading that reconnection make Latency and Durability check fails.
It should make only availability alerts ring, and ideally not others.
If other alerts need to ring because of the current archi (without dedicated Availability Checks), then at least the Availability alerts must ring in addition to others.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants