API calls need to be atomic

Bug #1173117 reported by Rohit Karajgi on 2013-04-26
This bug affects 5 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)

Bug Description

The following calls in the Identity API should also be atomic:

1) User(controller.V2Controller).update_user_project
  - add_role_to_user_and_project
  - update_user

2) DomainV3(controller.V3Controller).delete_domain
  - delete_domain
  - update_user
  - delete_credential

3) ProjectV3(controller.V3Controller).delete_project
  - delete_credential
  - delete_project

4) UserV3(controller.V3Controller).delete_user
  - delete_credential
  - delete_user

Bug 1130676 was reported for the Create User API call to be made atomic.

Dolph Mathews (dolph) wrote :

The difficulty here is ensuring atomicity across various backends (i.e. attempting to cross SQL + LDAP + memcache in a single "transaction"). Delete domain would be the best example of the complexity here, as it potentially touches everything except the catalog driver. If anyone wants to pursue a solution, it should be blueprinted.

Changed in keystone:
importance: Undecided → Wishlist
status: New → Confirmed

Jeffrey Zhang (jeffrey4l) wrote :

I found a new project named TaskFlow. Will it be a solution?

[1] https://wiki.openstack.org/wiki/TaskFlow

haruka tanizawa (h-tanizawa) wrote :

This is a bug report which is the equivalent of a blueprint, I think.
However, before filing a blueprint, there is a way that can relieve this problem.

For example, in the case of 'Delete User', the flow is here.
1. delete User from Identity
2. delete User from Assignment
3. delete User from Credential
4. delete User from Token

Even just by replacing the above procedure of processing in keystone/identity/core.py,
it is possible to prevent the orphaned resource below from occurring.

tags: removed: ntt

Steve Martinelli (stevemar) wrote :

Marking bug 1438915 as a dupe of this bug, but I wanted to also include the information here:

This bug was first discussed in the Recursive Deletion spec: https://review.openstack.org/#/c/148730/

Currently, when deleting a domain, all projects inside that domain are also deleted. When we have a hierarchy of projects this may cause inconsistencies since the operations are not atomic [1] (each level of the hierarchy is deleted in a separate transaction).

Two possible solutions to explore are:
1 - Use the concept of logical deletion
2 - As a first step, list all projects' IDs to be deleted and trigger one delete transaction with all IDs

[1] https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L470-L498
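
The following is an added example, not part of the comment above and not keystone's code. It contrasts the per-project delete transactions described in that comment with its option 2 (list every project ID first, then delete them all in one transaction). It uses a constructed hierarchy in an in-memory SQLite table; the table name `project`, the function names and the `fail_on` failure hook are assumptions made for illustration. It covers a single SQL backend only, not the cross-backend case raised earlier in the thread.

```python
import sqlite3

# Constructed sample hierarchy: (id, parent_id). Schema is an assumption.
SAMPLE = [("root", None), ("dev", "root"), ("qa", "root"), ("dev-ci", "dev")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE project (id TEXT PRIMARY KEY, parent_id TEXT)")
    db.executemany("INSERT INTO project VALUES (?, ?)", SAMPLE)
    db.commit()
    return db

def subtree_ids(db, root_id):
    """List every project id under root_id (root included), parents first."""
    rows = db.execute(
        "WITH RECURSIVE sub(id) AS (SELECT ? UNION ALL "
        "SELECT p.id FROM project p JOIN sub ON p.parent_id = sub.id) "
        "SELECT id FROM sub", (root_id,))
    return [r[0] for r in rows]

def delete_per_level(db, root_id, fail_on=None):
    """One transaction per project, leaves first: a failure leaves a partial tree."""
    for pid in reversed(subtree_ids(db, root_id)):
        if pid == fail_on:
            raise RuntimeError("simulated backend failure at " + pid)
        with db:  # commits after each single delete
            db.execute("DELETE FROM project WHERE id = ?", (pid,))

def delete_atomic(db, root_id, fail_on=None):
    """Option 2: all listed ids are deleted in one transaction, or none is."""
    ids = subtree_ids(db, root_id)
    with db:  # rolls back every delete below if anything raises
        for pid in ids:
            db.execute("DELETE FROM project WHERE id = ?", (pid,))
            if pid == fail_on:
                raise RuntimeError("simulated backend failure at " + pid)

def remaining(db):
    return sorted(r[0] for r in db.execute("SELECT id FROM project"))

if __name__ == "__main__":
    for delete in (delete_per_level, delete_atomic):
        db = make_db()
        try:
            delete(db, "root", fail_on="dev")
        except RuntimeError as exc:
            print(delete.__name__, "->", exc, "| left behind:", remaining(db))
```

With the per-level variant the caller receives an error but part of the hierarchy is already gone; with the single transaction the failed request leaves the hierarchy unchanged.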

guoshan (guoshan) on 2016-06-20
Changed in keystone:
assignee: nobody → guoshan (guoshan)

Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: guoshan (guoshan) → nobody