OpenStack Identity (keystone)

API-based Domain config method could temporarily show partial update

Bug #1517038 reported by Henry Nash
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Henry Nash
OpenStack Identity (keystone) newton-1 "n1"

Bug Description

When using the API-based domain config method, the options are not updated atomically. The result is that for a "cache update period", someone else reading the options (i.e. the processing of a user/group API call in another keystone process) might see a partial update.

Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
importance: Undecided → High
Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → mitaka-2
Revision history for this message
Steve Martinelli (stevemar) wrote :

no patch yet, so i'm bumping to mitaka-3 as mitaka-2 is due tomorrow

Changed in keystone:
milestone: mitaka-2 → mitaka-3
Morgan Fainberg (mdrnstm)
Changed in keystone:
status: New → Triaged
Revision history for this message
Steve Martinelli (stevemar) wrote :

unassigning due to inactivity

Changed in keystone:
assignee: Henry Nash (henry-nash) → nobody
importance: High → Medium
status: Triaged → New
Revision history for this message
Steve Martinelli (stevemar) wrote :

removing milestone target, this is not a blocker for the release, if someone picks it up we can target that milestone

Changed in keystone:
milestone: mitaka-3 → none
Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
Henry Nash (henry-nash)
tags: added: rc-potential
Morgan Fainberg (mdrnstm)
Changed in keystone:
status: New → Triaged
Revision history for this message
Dolph Mathews (dolph) wrote :

So domain configuration is being cached without any cache invalidation occurring?

Revision history for this message
Henry Nash (henry-nash) wrote :

So we do invalidate the cache...the problem is we only want reads to see changes at the boundaries of the sets of "atomic" changes....and it's that bit we don't support. I'm working on making the updates atomic.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/290223

Changed in keystone:
status: Triaged → In Progress
Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → mitaka-rc1
Revision history for this message
Steve Martinelli (stevemar) wrote :

removing target since it's not critical to release and not already gating

tags: removed: rc-potential
Changed in keystone:
milestone: mitaka-rc1 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/290223
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8ce8c99023c797be6ea36c4d7a2889cf633bf279
Submitter: Jenkins
Branch: master

commit 8ce8c99023c797be6ea36c4d7a2889cf633bf279
Author: Henry Nash <email address hidden>
Date: Tue Mar 8 22:25:35 2016 +0000

    Make modifications to domain config atomic

    Currently, since creating or updating a domain config is
    done as a sequence of option creates/updates, it is possible
    for other keystone threads/processes to see a partial update
    if the cache timeout occurs in the middle of such an update.

    This patch makes the creation/updating of a domain config
    atomic (by doing it all within a common sql session), hence
    avoiding this issue.

    This issue has not been reported in the field - and is extremely
    difficult to test, so we are relying on code inspection to
    convince ourselves we have solved this issue.

    Since the domain config API is still marked as experimental, we
    do not gurantee backward compatability for the driver. Hence,
    although this patch modifies the driver interface, it does not
    include a new versioned driver.

    Closes-bug: 1517038
    Change-Id: I16598051ca456cf1c036c412111426b4cd9241b8

Changed in keystone:
status: In Progress → Fix Released
Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → newton-1
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 10.0.0.0b1

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.