Race condition when rapidly deleting and creating tokens
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Medium
|
Unassigned |
Bug Description
token backend is SQL. PKI enabled. Multi-node setup with database on separate node from keystone server.
The symptom of this looks like this:
http://
Which occurs on random tests in Tempest's identity admin tests, but consistently, when executing the tests in a PKI environment with the database server on a separate node. This apparently does not occur when using devstack, which has a local MySQL instance (and may have some caching enabled?)
The race condition happens like so:
Thread 1:
POST /tokens with auth data, passing the token matching the PKI CMS record for a user
Hits this block of code:
https:/
The call to token_api.
# an identical token may have been created already.
# if so, return the token_data as it is also identical
now in Thread 2:
A call to DELETE /tokens (or possibly some token expiration code?) proceeds to delete the same token for the user that just resulted in the IntegrityError raised in thread 1.
back in Thread 1:
The call to token_api.
Proposed Solution:
Instead of re-raising the original exception on line 139 [3], instead drop into a simple loop with a randomized timeout that calls create_token() again with the token ID and token data from line 125.
[1] Same block in Folsom: https:/
[2] Line 445 in Folsom code.
[3] Line 452 in Folsom code.
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
How about checking if the token exist before creating the same one?
try: token_api. get_token( context= context,
token_ id=token_ id) TokenNotFound: token_api. create_ token(. ..
self.
except exception.
self.
In that case, if token exists, everything is fine (it might even get deleted just after we fetch it).