races in assignment sql backend cause spurious 404s and transient errors while granting roles
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Adam Young | |
Bug Description
There are numerous schedules that lead to inconsistent data in the various grant tables and role table. These races arise from a lack of synchronization during grant table modification (i.e., during grant record creation + deletion and role deletion) and deletions of records that grant records refer to (i.e., user, group, domain, and project records).
For example, consider a project and a role that are related by a UserProjectGrant, which are concurrently deleted. In the implementation of delete_role, the project ids that are enumerated in one transaction (in keystone.
Suppose two roles are being granted to the same user on the same project concurrently. Further suppose that prior to these two grants, the user didn't have any roles on that project. In Assignment.
Another example is described in https:/
Although I haven't been able to come up with an example yet, I suspect that grants or roles might become undeletable because of inconsistent data.
The races pertaining to data owned by the keystone.assignment module (i.e., tenants, roles & grants) can be fixed by judicious use of transactions in keystone.
Running multiple keystone processes, which can be done either via apache or https:/
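The concurrent-grant schedule from the report above, replayed as an added example (not keystone's code and not from the reporter). SQLite stands in for the SQL backend; the `user_project_grant` table with a JSON role list, the function names and the sample ids are assumptions made for this illustration.

```python
import json
import sqlite3
# Constructed schema (assumption): one row per (user, project) holding a JSON role list.
SCHEMA = """CREATE TABLE user_project_grant (user_id TEXT, project_id TEXT,
    roles TEXT NOT NULL, PRIMARY KEY (user_id, project_id))"""

def new_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # transactions are explicit
    conn.execute(SCHEMA)
    return conn

def read_roles(conn, user, project):
    row = conn.execute("SELECT roles FROM user_project_grant "
                       "WHERE user_id=? AND project_id=?", (user, project)).fetchone()
    return None if row is None else json.loads(row[0])

def write_roles(conn, user, project, seen, role):
    """Write back based on what this request saw earlier (the unsynchronized step)."""
    if seen is None:
        conn.execute("INSERT INTO user_project_grant VALUES (?,?,?)",
                     (user, project, json.dumps([role])))
    else:
        conn.execute("UPDATE user_project_grant SET roles=? WHERE user_id=? AND project_id=?",
                     (json.dumps(sorted(set(seen) | {role})), user, project))

def racy_schedule():
    """Requests A and B both read before either writes."""
    conn = new_db()
    seen_a = read_roles(conn, "u1", "p1")   # A sees no grant row
    seen_b = read_roles(conn, "u1", "p1")   # B sees no grant row either
    write_roles(conn, "u1", "p1", seen_a, "admin")
    error = None
    try:
        write_roles(conn, "u1", "p1", seen_b, "member")
    except sqlite3.IntegrityError as exc:   # B's INSERT collides with A's new row
        error = type(exc).__name__
    return read_roles(conn, "u1", "p1"), error

def grant_in_transaction(conn, user, project, role):
    """Read and write under one write transaction so no other writer interleaves."""
    with conn:  # COMMIT on success, ROLLBACK on exception
        conn.execute("BEGIN IMMEDIATE")  # takes SQLite's write lock before the read
        write_roles(conn, user, project, read_roles(conn, user, project), role)

def serialized_schedule():
    conn = new_db()
    grant_in_transaction(conn, "u1", "p1", "admin")
    grant_in_transaction(conn, "u1", "p1", "member")
    return read_roles(conn, "u1", "p1")
```

In the racy schedule the second grant fails and only one role is stored; with the read and write inside one transaction both roles end up on the row.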
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Changed in keystone:
assignee: nobody → Peter Feiner (pete5)
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Peter Feiner (pete5) → Adam Young (ayoung)
Changed in keystone:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Changed in keystone:
milestone: icehouse-1 → 2014.1
Uploaded review: https://review.openstack.org/#/c/56430/