Object reference validation should occur in drivers

Bug #968519 reported by Dolph Mathews on 2012-03-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Ken Thomas
Folsom
Medium
Joseph Heck

Bug Description

Bug 963056 introduced object validation at the controller level for simplicity, but this would be more efficiently handled by the backends themselves.

For example, in the current implementation, "delete role" behaves as follows against all drivers:
1) Controller fetches the role from the driver
2) Driver executes a select, returning an object reference or None (1st backend operation)
3) Controller raises 404 if None is returned
4) Controller issues a delete for the role
5) Driver executes a delete (2nd backend operation)

This could be more efficiently handled in the SQL driver as follows:
1) Controller issues a delete for the the role
2) Driver executes a delete, raises 404 if no rows affected (1st backend operation)

Dolph Mathews (dolph) on 2012-03-29
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
importance: Undecided → Medium
milestone: none → folsom-1
status: New → Confirmed
Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) on 2012-05-22
Changed in keystone:
milestone: folsom-1 → folsom-2

Reviewed: https://review.openstack.org/6875
Committed: http://github.com/openstack/keystone/commit/23ca656927947dada40591bdd1badd5a531c2983
Submitter: Jenkins
Branch: master

commit 23ca656927947dada40591bdd1badd5a531c2983
Author: Dolph Mathews <email address hidden>
Date: Wed Mar 28 10:37:16 2012 -0700

    Refactor 404's into managers & drivers (bug 968519)

    The goal is to move the responsibility of reference checks away from
    controllers and into the underlying managers & drivers, which can
    handle the task with equal or greater efficiency.

    - Tenant references from create_user/update_user are NOT tested
      due to inconsistencies between backends
    - Additional test coverage improvements

    Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
    bug 1006334, and bug 1006344.

    Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-07-04
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-2 → 2012.2

Fix proposed to branch: master
Review: https://review.openstack.org/14565

Changed in keystone:
assignee: Dolph Mathews (dolph) → Ken Thomas (krt)
status: Fix Released → In Progress

Reviewed: https://review.openstack.org/14565
Committed: http://github.com/openstack/keystone/commit/0dc2e9ca37497597aa49439e3d3e71c22f30b515
Submitter: Jenkins
Branch: master

commit 0dc2e9ca37497597aa49439e3d3e71c22f30b515
Author: Ken Thomas <email address hidden>
Date: Fri Oct 19 14:42:55 2012 +0000

    bug 1068674

    Redo part of bp/sql-identiy-pam that was accidently undone by bug 968519.

    We encapsulated the call to utils.check_password with a local method,
    _check_password, to make it easier to subclass Identity. This allows us
    to use a different password checker without having to replace the entire
    authenticate method in our code. The fix for 968519 accidently removed
    the call to the local method. *This* fix puts that call back in.

    Updating comment because Jenkins failed due to build timeout in
    unrelated test.

    Change-Id: I69a3ba2d5a62e4c600edab7ef2cc07413c7360cc

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/14858
Committed: http://github.com/openstack/keystone/commit/bec9b68d4250936313f888d19db9d9f97e298d26
Submitter: Jenkins
Branch: stable/folsom

commit bec9b68d4250936313f888d19db9d9f97e298d26
Author: Ken Thomas <email address hidden>
Date: Fri Oct 19 14:42:55 2012 +0000

    bug 1068674

    Redo part of bp/sql-identiy-pam that was accidently undone by bug 968519.

    We encapsulated the call to utils.check_password with a local method,
    _check_password, to make it easier to subclass Identity. This allows us
    to use a different password checker without having to replace the entire
    authenticate method in our code. The fix for 968519 accidently removed
    the call to the local method. *This* fix puts that call back in.

    Updating comment because Jenkins failed due to build timeout in
    unrelated test.

    (cherry picked from commit 0dc2e9ca37497597aa49439e3d3e71c22f30b515)

    Change-Id: I69a3ba2d5a62e4c600edab7ef2cc07413c7360cc

tags: added: in-stable-folsom
Joseph Heck (heckj) on 2012-11-20
Changed in keystone:
status: Fix Committed → Fix Released
Mark McLoughlin (markmc) on 2013-01-22
tags: removed: in-stable-folsom
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers