API calls need to be atomic

Bug #1173117 reported by Rohit Karajgi
This bug affects 5 people
Affects: OpenStack Identity (keystone)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The following calls in the identity api should also be atomic:

1) User(controller.V2Controller).update_user_project
  - add_role_to_user_and_project
  - update_user

2) DomainV3(controller.V3Controller).delete_domain
  - delete_domain
  - update_user
  - delete_credential

3) ProjectV3(controller.V3Controller).delete_project
  - delete_credential
  - delete_project

4) UserV3(controller.V3Controller).delete_user
  - delete_credential
  - delete_user

Bug 1130676 was reported for Create User API call to be made atomic.

Dolph Mathews (dolph) wrote :

The difficulty here is ensuring atomicity across various backends (i.e. attempting to cross SQL + LDAP + memcache in a single "transaction"). Delete domain would be the best example of the complexity here, as it potentially touches everything except the catalog driver. If anyone wants to pursue a solution, it should be blueprinted.

Changed in keystone:
importance: Undecided → Wishlist
status: New → Confirmed
Jeffrey Zhang (jeffrey4l) wrote :

I found a new project named TaskFlow. Will it be a solution?

[1] https://wiki.openstack.org/wiki/TaskFlow

haruka tanizawa (h-tanizawa) wrote :

This is a bug report which is equivalent to a blueprint, I think.
However, before filing a blueprint, there is a way that can relieve this problem.

For example, in the case of 'Delete User', the flow is as follows:
1. delete User from Identity
2. delete User from Assignment
3. delete User from Credential
4. delete User from Token

Even just by replacing the above processing procedure in keystone/identity/core.py,
it is possible to prevent the orphaned resources below from occurring.

tags: removed: ntt
Steve Martinelli (stevemar) wrote :

Marking bug 1438915 as a dupe of this bug, but I wanted to also include the information here:

========
This bug was first discussed in the Recursive Deletion spec: https://review.openstack.org/#/c/148730/

Currently, when deleting a domain, all projects inside that domain are also deleted. When we have a hierarchy of projects this may cause inconsistencies since the operations are not atomic [1] (each level of the hierarchy is deleted in a separate transaction).

Two possible solutions to explore are:
1 - Use the concept of logical deletion
2 - As a first step, list all project IDs to be deleted and trigger one delete transaction with all IDs

[1] https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L470-L498
========
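
A sketch of option 2 from the comment above, added here as an illustration and not taken from Keystone: the hierarchy's project IDs are listed first, then credentials and projects are removed in one transaction, so a failure between the two deletes rolls everything back and leaves no credential pointing at a deleted project. The SQLite schema, table names and sample rows are constructed assumptions.

```python
import sqlite3

# Recursive query that walks the (assumed) parent_id links below one project.
SUBTREE = """WITH RECURSIVE subtree(id) AS (
    SELECT id FROM project WHERE id = ?
    UNION ALL
    SELECT p.id FROM project p JOIN subtree s ON p.parent_id = s.id)
SELECT id FROM subtree"""

def make_db():
    # Constructed sample data: a small project tree with credentials attached.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project (id TEXT PRIMARY KEY, parent_id TEXT);
        CREATE TABLE credential (id TEXT PRIMARY KEY, project_id TEXT);
        INSERT INTO project VALUES ('root', NULL), ('dev', 'root'),
                                   ('dev-ci', 'dev'), ('other', NULL);
        INSERT INTO credential VALUES ('c1', 'root'), ('c2', 'dev-ci'), ('c3', 'other');
    """)
    return db

def delete_subtree(db, root_id, fail_midway=False):
    # Step 1: list every project id in the hierarchy before deleting anything.
    ids = [row[0] for row in db.execute(SUBTREE, (root_id,))]
    marks = ",".join("?" * len(ids))
    try:
        with db:  # Step 2: one transaction; commits on success, rolls back on error
            db.execute(f"DELETE FROM credential WHERE project_id IN ({marks})", ids)
            if fail_midway:
                raise RuntimeError("simulated failure between the two deletes")
            db.execute(f"DELETE FROM project WHERE id IN ({marks})", ids)
    except RuntimeError:
        return False
    return True

def state(db):
    # Returns (projects, credentials, credentials whose project no longer exists).
    projects = [r[0] for r in db.execute("SELECT id FROM project ORDER BY id")]
    creds = [r[0] for r in db.execute("SELECT id FROM credential ORDER BY id")]
    orphans = [r[0] for r in db.execute(
        "SELECT c.id FROM credential c LEFT JOIN project p "
        "ON p.id = c.project_id WHERE p.id IS NULL ORDER BY c.id")]
    return projects, creds, orphans

if __name__ == "__main__":
    db = make_db()
    print(delete_subtree(db, "root", fail_midway=True), state(db))
    print(delete_subtree(db, "root"), state(db))
```

This only covers the case where every affected table lives in one SQL database; it does not address the cross-backend case (SQL + LDAP + memcache) raised earlier in the thread.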

guoshan (guoshan)
Changed in keystone:
assignee: nobody → guoshan (guoshan)
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: guoshan (guoshan) → nobody
tags: added: reviewed-bobcat