HPCC-33146 Add backoff if vault authentication fails and check other vaults

[ghalliday]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-33146

Jirabot Action Result:
Assigning user: [email protected]
Workflow Transition To: Merge Pending
Updated PR

[ghalliday]

@afishbeckln please can you check this. I have not had a chance to test it yet. Also are any of the other errors that are returned also candidates for backing off (e.g. 403?)

[ghalliday]

(Compare ignoring whitespace)

[afishbeckln]

@ghalliday the general problem with this backoff mechanism is that the failure could have been because the configured approle didn't have permission to access the specific secret for which access was being attempted. I don't think we can know whether vault access, path access, or specific secret access failed. Therefore, we could be disabling access to the particular named vault due to permissions on one particular secret.

[afishbeckln]

@ghalliday Ok, having looked closer, the way you are catching the exception does catch issues related to login (acquiring token) rather than using token, which makes this level of backoff likely to be ok.

The question about other errors is what I meant where we likely can't tell whether the problem is with the permissions over all or just with the item being requested. But to answer your question, when it gets a 403, it actually tries a re-login. If the re-login fails because access has been revoked, or some other issue, it should already trigger your backoff.

I think other errors are too vague or potentially caused by permissions on the actual secret being accessed.

[afishbeckln]

Looks good, but needs testing?

[jakesmith]

@ghalliday - I haven't spotted any issues.

[jakesmith]

@ghalliday - new commit/defaulting to backoff 0 makes sense

[github-actions]

Jirabot Action Result:
Added fix version: 9.6.74
Added fix version: 9.8.48
Workflow Transition: 'Resolve issue'