OpenStack Heat

Update won't work with a trust scoped token

Bug #1342593 reported by Steven Hardy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
High
Steven Hardy
OpenStack Heat 2014.2 "juno"

Bug Description

Currently we create a trust both on creation of the backup stack, and in any child nested stack which may be created as a result of the update.

The solution is to create the user creds row only once, (e.g create the trust only once, in the top level parent stack), then allow that to be inherited by the child stacks.

This is also related to enabling some sort of "update owner" functionality, as you don't want the following scenario to happen:

- User A creates stack (creates a trust between User A and heat service user)
- User B updates stack, adding a nested stack (creates a trust between User B and heat service user)

In that scenario, probably neither User A or User B can completely delete the stack, unless they have admin.

Steven Hardy (shardy)
Changed in heat:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Steven Hardy (shardy)
milestone: none → juno-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/107455

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/107456

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/107455
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=523e517fa7bf17d4a211413f62abbd07a594a4d7
Submitter: Jenkins
Branch: master

commit 523e517fa7bf17d4a211413f62abbd07a594a4d7
Author: Steven Hardy <email address hidden>
Date: Wed Jul 16 17:59:09 2014 +0100

    Pass user_creds_id when creating backup stack

    When creating a backup stack on update, we don't want to create a
    new user_creds record, or update won't work with a trust-scoped
    token. So instead pass the existing stack user_creds_id in to the
    constructor when creating the backup stack.

    The current behavior is actually doubly wrong, since we don't delete
    user_creds records when deleting the backup stack, so the stale
    creds records are probably left behind in the DB.

    Change-Id: I6bd0568fdf5301b876c40acddc73542bcfc224e3
    Partial-Bug: #1342593

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/107456
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=88568e64005018527c45b1e3e6286094a098c89c
Submitter: Jenkins
Branch: master

commit 88568e64005018527c45b1e3e6286094a098c89c
Author: Steven Hardy <email address hidden>
Date: Wed Jul 16 18:57:18 2014 +0100

    Pass user_creds_id into nested stacks

    To avoid creating additional user_creds entries for every nested
    stack, pass in the parent/owner stack user_creds_id. This means
    updates will work with trust-scoped tokens, and will remove the
    overhead of creating a new trust for every nested resource.

    This will also avoid the potential situation where a stack has been
    updated (adding nested stacks) by a user other than the original
    stack owner - if that happened, it would be impossible to delete
    the stacks (owner and nested) as any user other than an admin,
    due to restrictions on who can delete the trust.

    Note the delete logic is modified so nested stacks no longer delete
    the user_creds ID. If we stick with this simple logic, it will
    mean it's necessary to either delete all stacks before upgrading
    or do a manual DB query to clean up any orphaned user_creds rows
    when existing nested stacks are deleted (such a cleanup is probably
    already necessary due to the previous patch fixing user_creds
    handling for backup stacks)

    Also modifies the stub_keystoneclient test call to make stubbing
    the client in the parser test easier.

    Change-Id: Id1fb89c92af48777b0487015d5048af34b33af76
    Closes-Bug: #1342593

Changed in heat:
status: In Progress → Fix Committed
Russell Bryant (russellb)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-2 → 2014.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.