Skip to content

AddDataProtection().PersistKeysToFileSystem() used with pods causes race condition and two data-protection keys to be generated at the same time. #28475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Duke4848 opened this issue Dec 7, 2020 · 6 comments
Closed

AddDataProtection().PersistKeysToFileSystem() used with pods causes race condition and two data-protection keys to be generated at the same time. #28475

Duke4848 opened this issue Dec 7, 2020 · 6 comments
Assignees
@HaoK
Labels
affected-medium This issue impacts approximately half of our customers area-dataprotection Includes: DataProtection bug This issue describes a behavior which is not expected - a bug. Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. severity-minor This label is used by an internal tool Status: No Recent Activity
Milestone
Discussions

Comments

@Duke4848
Copy link

Duke4848 commented Dec 7, 2020
edited
Loading

Describe the bug

I use

 services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(filesharePath);

to generate data-protection keys. This produces the issue on initial application startup and possibly the same may happen during rotation of data-protection key. What essentially happens is:

  1. 2 or more instances of app on startup detect that there is no data-protection key in the fileshare
  2. 2 or more instances generate the key thus the pods have different data-protection keys for next 24 hours unless I force pods to restart. This causes for example issues with antiforgery tokens not being accepted by instances running on other pods.

The same may probably happen when the existing data-protection key is near expiration time and 2 instances running on separate pods decide do generate the new data-protection key.

Is it possible to do something about it?

To Reproduce

Use

 services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(filesharePath);

and deploy your ASP.NET Core app two few pods.

Exceptions (if any)

Further technical details

  • ASP.NET Core version 3.1
@blowdart
Copy link
Contributor

blowdart commented Dec 7, 2020

You could stagger the start, but right now that's your only option I'm afraid.

@blowdart blowdart added the area-dataprotection Includes: DataProtection label Dec 7, 2020
@Duke4848
Copy link
Author

Duke4848 commented Dec 8, 2020
edited
Loading

You could stagger the start, but right now that's your only option I'm afraid.

What is correct technique to achieve that? Should it be done somehow on the application level or pod level? But still, would that happen later on, when the ASP .NET Core app creates new data-protection key because of expiration of the old key? Then I think no staggering would help as app is in running state already on all pods.

@mkArtakMSFT mkArtakMSFT added this to the Discussions milestone Dec 16, 2020
@blowdart
Copy link
Contributor

Linking to earlier #3514

@blowdart
Copy link
Contributor

Closing as dupe (well, will be fixed as part of #3514)

@blowdart
Copy link
Contributor

@Duke4848 We're discussing this in depth today, Are you actually seeing problems here using the file system? We have a mechanism in place for this, where for 5 minutes after a key is created the machine that created the key will refresh the keyring if it gets a key it doesn't understand. When the keyring is refresh the system will switch to using the earliest key possible that is still valid.

If you can turn on verbose logging you will see the keys identifiers data protection is reading, and which one is chosen. Those logs would help us track down what is happening.

@blowdart blowdart reopened this Jan 29, 2021
@HaoK HaoK added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Mar 15, 2021
@HaoK HaoK added affected-medium This issue impacts approximately half of our customers bug This issue describes a behavior which is not expected - a bug. severity-minor This label is used by an internal tool labels Mar 15, 2021 — with ASP.NET Core Issue Ranking
@ghost
Copy link

ghost commented Mar 19, 2021

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Mar 22, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Apr 21, 2021
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@HaoK HaoK

Labels
affected-medium This issue impacts approximately half of our customers area-dataprotection Includes: DataProtection bug This issue describes a behavior which is not expected - a bug. Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. severity-minor This label is used by an internal tool Status: No Recent Activity
Projects
None yet
Milestone
Discussions
Development

No branches or pull requests
4 participants
@blowdart @HaoK @mkArtakMSFT @Duke4848