policy_refresher: force refresh when explicitly requested
...as when the version changes:

Without this flag, we'd get into the following situation when flipping
from v2 to v2.1 or vice-versa:

1. the server's state would flip (say, v2 -> v2.1)
2. the policy refresher would notice that nothing changed in the policy data
3. and hence would not update the engine store

as a result, the v2.1 engine store would remain non-functional.

This would lead to the `chef-automate iam upgrade-to-v2 --beta2.1` command
failing to list teams,

    APIError: An API error occurred during execution: Failed to retrieve
    team "editors": Failed to retrieve admins team: rpc error: code =
    PermissionDenied desc = error authorizing action "iam:teams:list" on
    resource "iam:teams" for subjects
    ["tls:service:deployment-service:40adf15d875d3190de6c24d0862804cf0d656be656f60234a8714a44563d5518"]:
    rpc error: code = Internal desc = error in query evaluation: cannot
    evaluate empty query

I'm not sure if this is the best way, or if the IAM version should be
reflected in the last change ID...

Signed-off-by: Stephan Renatus <[email protected]>
srenatus committed Jun 3, 2019
1 parent 84b723d commit 25e452c
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions components/authz-service/server/v2/policy_refresher.go
Expand Up @@ -84,7 +84,7 @@ RUNLOOP:
case <-refresher.changeNotifier.C():
refresher.log.Infof("Received policy change notification (%s)", pretty(lastVersion))
var err error
lastPolicyID, err = refresher.refresh(context.Background(), lastPolicyID, lastVersion)
lastPolicyID, err = refresher.refresh(context.Background(), lastPolicyID, lastVersion, true)
if err != nil {
refresher.log.WithError(err).Warnf("Failed to refresh policies (%s)", pretty(lastVersion))
}
Expand All @@ -95,14 +95,14 @@ RUNLOOP:
refresher.log.Infof("Received local policy refresh request (%s)", pretty(m.version))
lastVersion = m.version
var err error
lastPolicyID, err = refresher.refresh(m.ctx, lastPolicyID, lastVersion)
lastPolicyID, err = refresher.refresh(m.ctx, lastPolicyID, lastVersion, true)
m.Respond(err)
if !antiEntropyTimer.Stop() {
<-antiEntropyTimer.C
}
case <-antiEntropyTimer.C:
var err error
lastPolicyID, err = refresher.refresh(ctx, lastPolicyID, lastVersion)
lastPolicyID, err = refresher.refresh(ctx, lastPolicyID, lastVersion, false)
if err != nil {
refresher.log.WithError(err).Warnf("Anti-entropy refresh failed (%s)", pretty(lastVersion))
}
Expand All @@ -114,17 +114,18 @@ RUNLOOP:
close(refresher.refreshRequests)
}

func (refresher *policyRefresher) refresh(ctx context.Context, lastPolicyID string, vsn api.Version) (string, error) {
func (refresher *policyRefresher) refresh(ctx context.Context, lastPolicyID string, vsn api.Version, forceUpdate bool) (string, error) {
curPolicyID, err := refresher.store.GetPolicyChangeID(ctx)
if err != nil {
refresher.log.WithError(err).Warn("Failed to get current policy change ID")
return lastPolicyID, err
}
if curPolicyID != lastPolicyID {
if curPolicyID != lastPolicyID || forceUpdate {
refresher.log.WithFields(logrus.Fields{
"lastPolicyID": lastPolicyID,
"curPolicyID": curPolicyID,
"version": vsn,
"forceUpdate": forceUpdate,
}).Debug("Refreshing engine store")

if err := refresher.updateEngineStore(ctx, vsn); err != nil {
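Review bot: The anti-entropy call `refresher.refresh(ctx, lastPolicyID, lastVersion, false)` will not repair a forced refresh that failed. If `updateEngineStore` returns an error in the refresh-request or change-notification case while the policy change ID is unchanged, the next timer tick sees `curPolicyID == lastPolicyID` and skips the update. The engine store for the new version would then presumably stay unusable, with authorization calls failing as in the commit message, until policy data changes or another explicit request arrives. Consider remembering the failure in the run loop, e.g. `needsForce = err != nil` after the two forced calls, and passing `needsForce` instead of `false` on the timer path. The body of `refresh` continues past the end of the hunk, so what it returns after an `updateEngineStore` error is not visible here and should be checked.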
