Comment 6 for bug 1847661
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to distcloud (master) | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit eb572c47f808ce2
Author: Andy Ning <email address hidden>
Date: Tue Oct 22 15:49:06 2019 -0400
Check ids instead of names for DC assignment synchronization
In distributed cloud, subcloud's user ids, project ids and role ids
are synced with System Controller. But project role assignment
functions still use names to check if master resources and subcloud
resources has the same id, and if user, project and role exist before
POST call to grant project role to user. This will cause an assignment
PUT job created and identity sync status flip from "in-sync" to
"out-of-sync" and back to "in-sync" again for every audit cycle.
A more detailed explanation, at the very first audit, roles are queued
for sync but the job doesn't run and their ids don't changed at the
subcloud yet. At the same audit dcorch finds the project role assignment
actually exist (since it check names in has_same_ids()), so it maps the
the assginment of center cloud to the assignment of the subcloud with
the current ids. Once the roles sync job queued get executed, roles ids
are changed. At this point the assignment mappings becomes invalid. The
next audit can no longer find the mapped assignment from subcloud so the
logic falls into audit_discrepancy() where the has_same_ids() return
TRUE again and a PUT job is queued for the assignment. The sync endpoint
type becomes "out-of-sync" since there is a job for it. Once the PUT
function return, its status returns to "in-sync" again.
This change updated project role assignment functions to use ids
instead of names.
Change-Id: I024f2c2f97aaf9
Closes-Bug: 1847661
Signed-off-by: Andy Ning <email address hidden>