get_admin_context inadvertently elevates thread

Bug #1859433 reported by wangyu on 2020-01-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Karbor
Undecided
Unassigned

Bug Description

This bug report is similar to another cinder bug: https://bugs.launchpad.net/cinder/+bug/1511406

karbor.context.get_admin_context is inadvertently elevating the thread to use an admin context and essentially discards the thread's user context for the remainder of the request.

This has security implications since any calls done after karbor.context.get_admin_context that obtain and use the thread's current context will be using an admin context instead of the user's context.

This has serviceability implications because every call to get_admin_context will switch the thread's context, which changes the request ID. This makes it very difficult or impossible to use the request ID in log entries to follow a request through a flow.

The root cause is that karbor.context.RequestContext class' __init__ is not passing overwrite=overwrite to the parent class.

run karbor-operationengine.
Found this in logs:
2020-01-13 05:55:36.988 54191 DEBUG karbor.services.operationengine.engine.triggers.timetrigger.time_trigger_multi_node [req-efbbcb63-3281-49b2-b5fa-dcf08453df96 - - - - -] Time trigger not yet due _loop /usr/lib/python2.7/site-packages/karbor/services/operationengine/engine/triggers/timetrigger/time_trigger_multi_node.py:88
2020-01-13 05:55:51.991 54191 DEBUG karbor.services.operationengine.engine.triggers.timetrigger.time_trigger_multi_node [req-a259a125-82b4-49b1-b005-f6f0abe97a25 - - - - -] Time trigger not yet due _loop /usr/lib/python2.7/site-packages/karbor/services/operationengine/engine/triggers/timetrigger/time_trigger_multi_node.py:88
2020-01-13 05:56:06.994 54191 DEBUG karbor.services.operationengine.engine.triggers.timetrigger.time_trigger_multi_node [req-aad767de-2bd9-4a5d-85fd-1b54301e8089 - - - - -] Time trigger not yet due _loop /usr/lib/python2.7/site-packages/karbor/services/operationengine/engine/triggers/timetrigger/time_trigger_multi_node.py:88
2020-01-13 05:56:21.996 54191 DEBUG karbor.services.operationengine.engine.triggers.timetrigger.time_trigger_multi_node [req-1911017a-7e7b-4305-8aba-37da5e57ad6c - - - - -] Time trigger not yet due _loop /usr/lib/python2.7/site-packages/karbor/services/operationengine/engine/triggers/timetrigger/time_trigger_multi_node.py:88
2020-01-13 05:56:37.006 54191 DEBUG karbor.services.operationengine.engine.triggers.timetrigger.time_trigger_multi_node [req-c06f3900-1b10-4b28-b01b-b60f781463f5 - - - - -] Time trigger not yet due _loop /usr/lib/python2.7/site-packages/karbor/services/operationengine/engine/triggers/timetrigger/time_trigger_multi_node.py:88

it will be find that the log entries have different request IDs.

Reviewed: https://review.opendev.org/702318
Committed: https://git.openstack.org/cgit/openstack/karbor/commit/?id=435dc3c423b4159428e8d2b84ea3ee8e37277c58
Submitter: Zuul
Branch: master

commit 435dc3c423b4159428e8d2b84ea3ee8e37277c58
Author: wangyu <email address hidden>
Date: Tue Jan 14 09:05:56 2020 +0800

    Preserve request id in Karbor logs

    When the admin context is retrieved the user context and its request
    ID is lost and all subsequent log entries have different request IDs.

    The fix is to pass the overwrite parameter in Karbor's RequestContext
    __init__ method to the parent oslo class.

    Change-Id: I1091ddc8a36244132883932a3a21dea5274eb34a
    Closes-Bug: #1859433

Changed in karbor:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers