Dummy driver breaks expected keystone functionality

Bug #1587136 reported by Boris Bobrov
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Released
Critical
Unassigned
Mitaka
Fix Released
Critical
Registry Administrators
Newton
Fix Released
Critical
Unassigned

Bug Description

As part of fixing https://bugs.launchpad.net/mos/+bug/1566802, a "dummy" driver for revocations was introducted.

It should not be done. Using dummy driver is a bad approach. It removes a major part of functionality even with Fernet tokens. Here is the script for testing: http://paste.openstack.org/show/506324/ . It disables a domain, and the token with the disabled domain should be invalid. But with the dummy driver, the token is still valid.

There is another bad case i see -- token revoked by id. Or by audit_id. This is a major part of keystone functionality and it should not be cut out.

Both changes to master and stable/mitaka should be reverted. There should be another fix. Cutting out functionality from keystone is a bad solution to performance problems. Fuel should not be shipped with broken keystone.

Boris Bobrov (bbobrov)
Changed in fuel:
assignee: Fuel Library (Deprecated) (fuel-library) → MOS Puppet Team (mos-puppet)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/322933

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

Keystone team, please find consensus about this and https://bugs.launchpad.net/mos/+bug/1566802/ bugs.

Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → MOS Keystone (mos-keystone)
Revision history for this message
Dina Belova (dbelova) wrote :

Setting to Incomplete until future of https://bugs.launchpad.net/mos/+bug/1566802/ will be decided

Changed in fuel:
status: New → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/323395

Changed in fuel:
assignee: MOS Keystone (mos-keystone) → Boris Bobrov (bbobrov)
status: Incomplete → In Progress
Revision history for this message
Boris Bobrov (bbobrov) wrote :

At the meeting with MOS-Keystone and scale team we decided that the patch to master needs to be reverted unconditionally. The patch for stable/mitaka needs to be checked on the scale lab, but without waiting for the merge process; however, it needs to be reverted too, because it breaks major functionality in keystone.

Changed in fuel:
assignee: Boris Bobrov (bbobrov) → MOS Puppet Team (mos-puppet)
Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

Actually, patch for master doesn't use dummy driver, we've left only a comment that it should be used later (https://review.openstack.org/#/c/321086/). We'll wait for 9.0 test result, then will propose a revert.

Revision history for this message
Alexander Makarov (amakarov) wrote :
Revision history for this message
Denis Egorenko (degorenko) wrote :

Alexander, then it was reverted here: https://review.openstack.org/#/c/322933/

Revision history for this message
Alexander Makarov (amakarov) wrote :

Not yet - it isn't merged

Revision history for this message
Sofiia Andriichenko (sandriichenko) wrote :

Blocked for 17 keystone api tempest tests

tags: added: blocker-for-qa
tags: added: tempest
Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Dev team, could you please prepare the fix for 9.0?

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

As it was discussed, keystone team should provide test results with previous revoke driver (not with dummy). When it's done, patch with switching to dummy driver should be reverted. Actually, revert patch is there https://review.openstack.org/#/c/322933/. I don't understand why assignee for 9.0 is MOS-puppet.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

Because the patch for 9.0 must be reverted anyway. It is a tempest blocker, please see the tags. Even if the dummy driver fixes an issue in https://bugs.launchpad.net/mos/+bug/1566802, it creates another critical issue.

https://review.openstack.org/#/q/topic:bug/1566802 -- here are all original patches and their reverts.

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

MOS puppet team won't revert anything till test results are not provided by keystone team (as it was discussed).
@Boris, actually you've already prepared those reverts, so I don't understand why assignee is still MOS Puppet.

tags: added: tempest-blocker
Revision history for this message
Boris Bobrov (bbobrov) wrote :

I am not able to maintain patches in puppet since i don't know puppet. If you want, i will abandon the patches so that you could press the buttons yourself.

The patches need to be reverted regardless of the testing results.

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Ok, QA team will test the related fix (with reverted commit) but it is important to note that we have -1 fro commit on review in 9.0 branch.

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Here is the custom build with the fix (revert) for 9.0: https://custom-ci.infra.mirantis.net/view/9.0/job/9.0.custom.iso/197/

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

here is the fix for 9.0: https://review.openstack.org/#/c/322933/. Status changed to In Progress.

Revision history for this message
Oleksiy Butenko (obutenko) wrote :

I change in keystone.conf value driver to
"keystone.contrib.revoke.backends.sql.Revoke"

all tempest tests pass
======
Totals
======
Ran: 182 tests in 1772.0000 sec.
 - Passed: 182
 - Skipped: 0
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 463.6996 sec.

Revision history for this message
Denis Egorenko (degorenko) wrote : Re: [Bug 1587136] Re: Dummy driver breaks expected keystone functionality

The problem is not in keystone working, the problem is in unreliability on
big clusters [1].

Are we going to solve this issue or just to confirm that old driver works?

[1] https://bugs.launchpad.net/mos/+bug/1566802

2016-06-01 18:54 GMT+03:00 Oleksiy Butenko <email address hidden>:

> I change in keystone.conf value driver to
> "keystone.contrib.revoke.backends.sql.Revoke"
>
> all tempest tests pass
> ======
> Totals
> ======
> Ran: 182 tests in 1772.0000 sec.
> - Passed: 182
> - Skipped: 0
> - Expected Fail: 0
> - Unexpected Success: 0
> - Failed: 0
> Sum of execute time for each test: 463.6996 sec.
>
> --
> You received this bug notification because you are a member of MOS
> Puppet Team, which is a bug assignee.
> https://bugs.launchpad.net/bugs/1587136
>
> Title:
> Dummy driver breaks expected keystone functionality
>
> Status in Fuel for OpenStack:
> In Progress
> Status in Fuel for OpenStack mitaka series:
> In Progress
> Status in Fuel for OpenStack newton series:
> In Progress
>
> Bug description:
> As part of fixing https://bugs.launchpad.net/mos/+bug/1566802, a
> "dummy" driver for revocations was introducted.
>
> It should not be done. Using dummy driver is a bad approach. It
> removes a major part of functionality even with Fernet tokens. Here is
> the script for testing: http://paste.openstack.org/show/506324/ . It
> disables a domain, and the token with the disabled domain should be
> invalid. But with the dummy driver, the token is still valid.
>
> There is another bad case i see -- token revoked by id. Or by
> audit_id. This is a major part of keystone functionality and it should
> not be cut out.
>
> Both changes to master and stable/mitaka should be reverted. There
> should be another fix. Cutting out functionality from keystone is a
> bad solution to performance problems. Fuel should not be shipped with
> broken keystone.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/fuel/+bug/1587136/+subscriptions
>

--
Best Regards,
Egorenko Denis,
Senior Deployment Engineer
Mirantis

Revision history for this message
Dina Belova (dbelova) wrote :

Therefore we are not reverting until we'll ensure this code (reverted one) will work ok on the scale labs. Thanks Oleksiy for checking it from the tempest perspective.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

OK, here is a better solution for you if you are happy with removing parts of code: remove keystone completely. Everything will work smoothly. And when neutron breaks, remove neutron and replace it with "dummy" neutron.

But you can't do it because you will leave yourself without authn and authz. Or without networking.

For exactly the same reason, both patches need to be reverted regardless of what testing shows. We cannot leave ourselves without revocations. Cutting out important functionality is not the way to go.

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Boris, does it mean that it is not enough to just revert the commits with the issues? could you please describe the proper solution for the issue?

Thank you!

Revision history for this message
Boris Bobrov (bbobrov) wrote :

> Boris, does it mean that it is not enough to just revert the commits with the issues?

Reverting is enough.

Revision history for this message
Denis Egorenko (degorenko) wrote :

What then should we do with bad performance on big clusters?

2016-06-02 12:41 GMT+03:00 Boris Bobrov <email address hidden>:

> > Boris, does it mean that it is not enough to just revert the commits
> with the issues?
>
> Reverting is enough.
>
> --
> You received this bug notification because you are a member of MOS
> Puppet Team, which is a bug assignee.
> https://bugs.launchpad.net/bugs/1587136
>
> Title:
> Dummy driver breaks expected keystone functionality
>
> Status in Fuel for OpenStack:
> In Progress
> Status in Fuel for OpenStack mitaka series:
> In Progress
> Status in Fuel for OpenStack newton series:
> In Progress
>
> Bug description:
> As part of fixing https://bugs.launchpad.net/mos/+bug/1566802, a
> "dummy" driver for revocations was introducted.
>
> It should not be done. Using dummy driver is a bad approach. It
> removes a major part of functionality even with Fernet tokens. Here is
> the script for testing: http://paste.openstack.org/show/506324/ . It
> disables a domain, and the token with the disabled domain should be
> invalid. But with the dummy driver, the token is still valid.
>
> There is another bad case i see -- token revoked by id. Or by
> audit_id. This is a major part of keystone functionality and it should
> not be cut out.
>
> Both changes to master and stable/mitaka should be reverted. There
> should be another fix. Cutting out functionality from keystone is a
> bad solution to performance problems. Fuel should not be shipped with
> broken keystone.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/fuel/+bug/1587136/+subscriptions
>

--
Best Regards,
Egorenko Denis,
Senior Deployment Engineer
Mirantis

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

So then just let's merge the commit with revert when performance team will vote +1.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

> What then should we do with bad performance on big clusters?

Get logs and investigate further.

Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → Alex Schultz (alex-schultz)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/323395
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=105dfe5ccebdf3efd99e28331a0e2bb7b616d602
Submitter: Jenkins
Branch: master

commit 105dfe5ccebdf3efd99e28331a0e2bb7b616d602
Author: Boris Bobrov <email address hidden>
Date: Tue May 31 13:58:39 2016 +0000

    Revert "Prepare changing of keystone revoke driver"

    This reverts commit 6bbaf28eb0872b8b85f82e7d610ad666453da006.
    Closes-Bug: 1587136

    Change-Id: I4dfbff2bb8d72704b6a012159107711f09ddd666

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/322933
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=cd7898d78afce27ff15a45f1bae0f2178b97b9e2
Submitter: Jenkins
Branch: stable/mitaka

commit cd7898d78afce27ff15a45f1bae0f2178b97b9e2
Author: Boris Bobrov <email address hidden>
Date: Mon May 30 17:11:58 2016 +0000

    Revert "Change keystone revoke driver"

    This reverts commit 8a438dbf75ed97cdba91649c2a4b0e28fe0bb87a.
    The change being reverted removes major part of keystone functionality.

    Change-Id: Ib704ca197c2fa9c9ee9bd8f0b3e86e53c7803362
    Closes-Bug: 1587136

Revision history for this message
Sofiia Andriichenko (sandriichenko) wrote :

Checked on ISO 448

Revision history for this message
Sofiia Andriichenko (sandriichenko) wrote :

reproduced for 9.1 snapshot #69

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

@sandriichenko, please attach diagnostic snapshot and provide env configuration

Revision history for this message
Sofiia Andriichenko (sandriichenko) wrote :

Unfortunately I can't attach diagnostic snapshot.
Tempest test test_delete_user_request_without_a_token is failed,
Trace: http://paste.openstack.org/show/545095/

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

@sandriichenko, I don't understand what common has your failed tested with bug with dummy driver usage? Dummy driver isn't used, so it can't lead to any failures. I suggest you to file another bug with appropriate description.

tags: added: on-verification
Boris Bobrov (bbobrov)
Changed in fuel:
assignee: Boris Bobrov (bbobrov) → nobody
Revision history for this message
TatyanaGladysheva (tgladysheva) wrote :

Verified on 10.0 build #1558.

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.