Race condition when multiple secret stores enabled

Bug #2043457 reported by Lukas Piwowarski
This bug affects 1 person
Affects: Barbican
Status: In Progress
Importance: Undecided
Assigned to: Unassigned

Bug Description

There seems to be an issue when one wants to start Barbican with multiple secret stores enabled. When you start Barbican using Devstack, which spawns 3 processes, Barbican might try to populate the SecretStores table in the database twice with the same data, which leads to the failure that can be seen below.

The issue might be located here [1], as one process might read data from the database and see that the table is empty while a second process is executing this line [2] and is about to populate the database. When process 1 reaches the same line, the table is already populated, which leads to an error as it will try to populate it again.

[1] https://opendev.org/openstack/barbican/src/commit/2e89feed005437bf1bdbefb3311f7140f4010f28/barbican/plugin/util/multiple_backends.py#L145
[2] https://opendev.org/openstack/barbican/src/commit/2e89feed005437bf1bdbefb3311f7140f4010f28/barbican/plugin/util/multiple_backends.py#L192

Traceback (most recent call last):
   File "/opt/stack/data/venv/bin/barbican-wsgi-api", line 52, in <module>
     application = get_api_wsgi_script()
   File "/opt/stack/barbican/barbican/api/app.py", line 118, in get_api_wsgi_script
     application = deploy.loadapp('config:%s' % conf)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 248, in loadapp
     return loadobj(APP, uri, name=name, **kw)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 273, in loadobj
     return context.create()
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 741, in create
     return self.object_type.invoke(self)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 131, in invoke
     return fix_call(
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/util.py", line 61, in fix_call
     val = callable(*args, **kw)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/urlmap.py", line 31, in urlmap_factory
     app = loader.get_app(app_name, global_conf=global_conf)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 355, in get_app
     return self.app_context(name=name, global_conf=global_conf).create()
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 741, in create
     return self.object_type.invoke(self)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 200, in invoke
     app = context.app_context.create()
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 741, in create
     return self.object_type.invoke(self)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/loadwsgi.py", line 138, in invoke
     return fix_call(context.object, context.global_conf, **context.local_conf)
   File "/opt/stack/data/venv/lib/python3.10/site-packages/paste/deploy/util.py", line 61, in fix_call
     val = callable(*args, **kw)
   File "/opt/stack/barbican/barbican/api/app.py", line 85, in _wrapper
     repositories.setup_database_engine_and_factory(
   File "/opt/stack/barbican/barbican/model/repositories.py", line 116, in setup_database_engine_and_factory
     _initialize_secret_stores_data()
   File "/opt/stack/barbican/barbican/model/repositories.py", line 227, in _initialize_secret_stores_data
     secret_store.get_manager()
   File "/opt/stack/barbican/barbican/plugin/interface/secret_store.py", line 666, in get_manager
     _SECRET_STORE = SecretStorePluginManager()
   File "/opt/stack/barbican/barbican/plugin/interface/secret_store.py", line 570, in __init__
     multiple_backends.sync_secret_stores(self)
   File "/opt/stack/barbican/barbican/plugin/util/multiple_backends.py", line 194, in sync_secret_stores
     secret_stores_repo.create_from(conf_store)
   File "/opt/stack/barbican/barbican/model/repositories.py", line 425, in create_from
     raise exception.ConstraintCheck(error=error_msg)
 barbican barbican.common.exception.ConstraintCheck: A defined SQL constraint check failed: 'pymysql.err.IntegrityError 1062, "Duplicate entry \'S>
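
The check-then-insert ordering described in this report, replayed deterministically as an added example; it is not Barbican's code and not the fix proposed in review. It assumes SQLite (standard library) as a stand-in for MySQL, and the table layout, store names and function names are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SCHEMA = "CREATE TABLE secret_stores (name TEXT PRIMARY KEY, plugin TEXT)"
CONF_STORES = [("store_a", "plugin_a"), ("store_b", "plugin_b")]  # constructed


def connect(path):
    return sqlite3.connect(path, isolation_level=None)  # autocommit per statement


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM secret_stores").fetchone()[0]


def populate_unsafe(conn):
    # Check-then-insert: trusts an emptiness check that may already be stale.
    for row in CONF_STORES:
        conn.execute("INSERT INTO secret_stores VALUES (?, ?)", row)


def populate_idempotent(conn):
    # A duplicate key means another worker won the race: treat it as synced.
    for row in CONF_STORES:
        try:
            conn.execute("INSERT INTO secret_stores VALUES (?, ?)", row)
        except sqlite3.IntegrityError:
            pass


def run_interleaving(populate):
    """Replay the reported ordering: both workers read empty, then both write."""
    with tempfile.TemporaryDirectory() as tmp:
        w1 = connect(os.path.join(tmp, "demo.db"))
        w1.execute(SCHEMA)
        w2 = connect(os.path.join(tmp, "demo.db"))
        try:
            both_saw_empty = count_rows(w1) == 0 and count_rows(w2) == 0
            populate(w2)  # worker 2 populates first
            try:
                populate(w1)  # worker 1 acts on its stale read
                outcome = "ok"
            except sqlite3.IntegrityError:
                outcome = "duplicate"
            return both_saw_empty, outcome, count_rows(w1)
        finally:
            w1.close()
            w2.close()
```

`run_interleaving(populate_unsafe)` ends in the duplicate-key failure, while `run_interleaving(populate_idempotent)` leaves the same two rows without an error.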

OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/barbican/+/901532

Changed in barbican:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to barbican-tempest-plugin (master)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to barbican-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/903678
Committed: https://opendev.org/openstack/barbican-tempest-plugin/commit/6345b34ae2f47346dd72dc196ec89a3793f57eac
Submitter: "Zuul (22348)"
Branch: master

commit 6345b34ae2f47346dd72dc196ec89a3793f57eac
Author: Lukas Piwowarski <email address hidden>
Date: Fri Dec 15 16:00:48 2023 +0100

    Pause testing of multiple secret stores

    There is an issue with multiple secret stores which is being tracked in
    this launchpad [1]. This issue is blocking patches in
    barbican-tempest-plugin. Let's remove the testing for multiple secret
    stores until the bug gets resolved.

    There was also an update of the secret:delete and secret:get policies
    [2]. This patch updates the corresponding SRBAC tests so that we test
    the policies correctly.

    [1] https://bugs.launchpad.net/barbican/+bug/2043457
    [2] https://review.opendev.org/c/openstack/barbican/+/884181

    Related-Bug: #2043457
    Change-Id: I86335a1cb54b6aa2f74e148416ef6af7c27fff61
