two nodes may insert rules causing unsupported recursion

Bug #1638746 reported by Eric K
This bug affects 1 person
Affects: congress
Status: Fix Released
Importance: High
Assigned to: Eric K

Bug Description

Potential fix is to keep dependency graph in central DB, and first check & modify dependency graph before inserting rule.

Problem: can we carefully craft and order operations to avoid needing to lock DB? DB locking not supported in multi-master DB clusters.

Tim Hinrichs (thinrichs) wrote :

Storing dependency graph in DB means that on every insert we'd pull the entire dep-graph table and check for acyclicity. Likely to be expensive. Wish I saw another option.

Eric K (ekcs) wrote :

There is the possibility of encoding the acyclicity condition as a natively supported database constraint on a new custom table that encodes the dependency graph. It's a little out there, and may not have a reasonable implementation at all, but if done right, it avoids both DB locking and explicitly loading dependency graph. I'd like to take a serious look at it soon.

Eric K (ekcs)
Changed in congress:
assignee: nobody → Eric K (ekcs)
Eric K (ekcs)
Changed in congress:
milestone: ocata-2 → ocata-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to congress (master)

Fix proposed to branch: master
Review: https://review.openstack.org/416777

Changed in congress:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on congress (master)

Change abandoned by Eric K (<email address hidden>) on branch: master
Review: https://review.openstack.org/416777
Reason: Approach cannot support the combination of MySQL and SQLAlchemy ORM because MySQL's requirement for explicit locking each time a table is accessed is incompatible with some of the queries constructed by SQLAlchemy ORM. "You cannot refer to a locked table multiple times in a single query using the same name. Use aliases instead, and obtain a separate lock for the table and each alias:" http://dev.mysql.com/doc/refman/5.7/en/lock-tables.html

OpenStack Infra (hudson-openstack) wrote : Fix merged to congress (master)

Reviewed: https://review.openstack.org/416777
Committed: https://git.openstack.org/cgit/openstack/congress/commit/?id=52efca0ae8673b3b4fcdd38e73703977ca310b42
Submitter: Jenkins
Branch: master

commit 52efca0ae8673b3b4fcdd38e73703977ca310b42
Author: Eric K <email address hidden>
Date: Wed Jan 4 22:23:42 2017 -0800

    Lock table and sync rule before each rule insert

    In replicated PE mode, lock table and sync rule before each rule
    insert to prevent conflicting rule from being inserted from another
    policy engine.

    Supported backends are MySQL and PostgreSQL
    Manually tested with both backends.

    TODO: add tempest scenarios to test recursion blocked
    https://bugs.launchpad.net/congress/+bug/1655787

    Closes-Bug: 1638746
    Closes-Bug: 1637185

    Change-Id: I29c6f63b467905c26fe1d35348a3b7a70d8414b6
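
The race reported in this bug and the lock-then-sync ordering named in the commit message above, as an added example that is not Congress code. It assumes an in-memory list with a `threading.Lock` in place of the database table and its table lock, rules reduced to (head, body) table pairs, and constructed sample rules where node A adds p :- q and node B adds q :- p; `SharedRuleTable`, `PolicyEngine`, `has_cycle` and `run` are hypothetical names.

```python
import threading

class SharedRuleTable:
    # Constructed stand-in for the replicated rule table: (head, body) edges.
    def __init__(self):
        self.rows = []
        self.lock = threading.Lock()  # stands in for the DB table lock

def has_cycle(edges):
    """True if the head -> body table dependency graph contains a cycle."""
    graph = {}
    for head, body in edges:
        graph.setdefault(head, set()).add(body)
    done, on_path = set(), set()
    def visit(node):
        if node in on_path:
            return True
        if node in done:
            return False
        on_path.add(node)
        found = any(visit(n) for n in graph.get(node, ()))
        on_path.discard(node)
        done.add(node)
        return found
    return any(visit(n) for n in list(graph))

class PolicyEngine:
    def __init__(self, db):
        self.db, self.local = db, []  # local: this node's cached rule view

    def insert_unsynced(self, rule):
        # Checks only the local, possibly stale view: the race in this bug.
        if has_cycle(self.local + [rule]):
            return False
        self.db.rows.append(rule)
        self.local.append(rule)
        return True

    def insert_locked(self, rule):
        # Lock, sync, then check and insert, as the commit message describes.
        with self.db.lock:
            self.local = list(self.db.rows)
            return self.insert_unsynced(rule)

def run(method):
    db = SharedRuleTable()
    a, b = PolicyEngine(db), PolicyEngine(db)
    accepted = [getattr(a, method)(("p", "q")), getattr(b, method)(("q", "p"))]
    return accepted, has_cycle(db.rows)
```

`run("insert_unsynced")` accepts both rules and leaves a recursive rule set in the shared table; `run("insert_locked")` rejects the second rule because node B sees node A's rule before checking.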

Changed in congress:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/congress 5.0.0.0rc1

This issue was fixed in the openstack/congress 5.0.0.0rc1 release candidate.
