auth: reload LDAP permission cache on local shard only

The LDAP role manager's _cache_pruner fiber used invoke_on_all() to reload permissions on every shard. Since auth::service::start() runs on all shards in parallel via invoke_on_all(), the pruner on shard X could call reload_all_permissions() on shard Y before shard Y finished start() and set its permission loader, hitting SCYLLA_ASSERT(_permission_loader). The same cross-shard race existed during shutdown. Each shard runs its own pruner instance, so reloading locally is sufficient — all shards are still covered. This also removes redundant N-squared reload calls. Refs SCYLLADB-1679
2026-04-28 20:27:03 +00:00 · 2026-04-23 08:08:06 +02:00
parent 3df951bc9c
commit f75e5ac65b
1 changed files with 5 additions and 7 deletions
--- a/auth/ldap_role_manager.cc
+++ b/auth/ldap_role_manager.cc
@@ -258,13 +258,11 @@ future<> ldap_role_manager::start() {
            } catch (const seastar::sleep_aborted&) {
                co_return; // ignore
            }
-            co_await _cache.container().invoke_on_all([] (cache& c) -> future<> {
-                try {
-                    co_await c.reload_all_permissions();
-                } catch (...) {
-                    mylog.warn("Cache reload all permissions failed: {}", std::current_exception());
-                }
-            });
+            try {
+                co_await _cache.reload_all_permissions();
+            } catch (...) {
+                mylog.warn("Cache reload all permissions failed: {}", std::current_exception());
+            }
        }
    });
    return _std_mgr.start();