commit eb572c47f808ce2dd241f7aede44c14a550e5c96
Author: Andy Ning <email address hidden>
Date: Tue Oct 22 15:49:06 2019 -0400

Check ids instead of names for DC assignment synchronization

In distributed cloud, subcloud's user ids, project ids and role ids
are synced with System Controller. But project role assignment
functions still use names to check if master resources and subcloud
resources have the same id, and if user, project and role exist before
the POST call to grant project role to user. This will cause an assignment
PUT job to be created and the identity sync status to flip from "in-sync" to
"out-of-sync" and back to "in-sync" again for every audit cycle.

A more detailed explanation: at the very first audit, roles are queued
for sync but the job doesn't run and their ids don't change at the
subcloud yet. At the same audit dcorch finds the project role assignment
actually exists (since it checks names in has_same_ids()), so it maps
the assignment of center cloud to the assignment of the subcloud with
the current ids. Once the queued roles sync job gets executed, the role ids
are changed. At this point the assignment mappings become invalid. The
next audit can no longer find the mapped assignment from subcloud so the
logic falls into audit_discrepancy() where has_same_ids() returns
TRUE again and a PUT job is queued for the assignment. The sync endpoint
type becomes "out-of-sync" since there is a job for it. Once the PUT
function returns, its status returns to "in-sync" again.

This change updated project role assignment functions to use ids
instead of names.

Change-Id: I024f2c2f97aaf9670d7b2c5c70a2dae7d6d08d38
Closes-Bug: 1847661
Signed-off-by: Andy Ning <email address hidden>
Reviewed: https://review.opendev.org/690577
Committed: https://git.openstack.org/cgit/starlingx/distcloud/commit/?id=eb572c47f808ce2dd241f7aede44c14a550e5c96
Submitter: Zuul
Branch: master