tempest

Conflict on isolated credential setup

Bug #1419043 reported by Sean Dague on 2015-02-06

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Identity (keystone)	Fix Released	Critical	Matthew Treinish	OpenStack Identity (keystone) 2015.1.0 "kilo"
Icehouse	Fix Released	Critical	Guang Yee	OpenStack Identity (keystone) 2014.1.4
Juno	Fix Released	Critical	Guang Yee	OpenStack Identity (keystone) 2014.2.3
tempest	Invalid	Undecided	Unassigned

Bug Description

From the following run (in progress) - http://logs.openstack.org/26/153426/2/gate/gate-tempest-dsvm-nova-v21-full/c80cf2c//console.html

2015-02-06 15:50:27.935 2015-02-06 15:50:27.935 2015-02-06 15:50:27.935 2015-02-06 15:50:27.935 |
2015-02-06 15:50:27.935 2015-02-06 15:50:27.936 2015-02-06 15:50:27.936 |
2015-02-06 15:50:27.936 2015-02-06 15:50:27.936 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.936 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.937 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | 2015-02-06 15:50:27.938 | | ==============================
| Failed 1 tests - output below:
| ==============================
| setUpClass (tempest.api.compute.admin.test_aggregates_negative.AggregatesAdminNegativeTestJSON)
| -----------------------------------------------------------------------------------------------
| Captured traceback:
| ~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
File "tempest/test.py", line 273, in setUpClass
cls.resource_setup()
File "tempest/api/compute/admin/test_aggregates_negative.py", line 31, in resource_setup
super(AggregatesAdminNegativeTestJSON, cls).resource_setup()
File "tempest/api/compute/base.py", line 341, in resource_setup
super(BaseComputeAdminTest, cls).resource_setup()
File "tempest/api/compute/base.py", line 44, in resource_setup
cls.os = cls.get_client_manager()
File "tempest/test.py", line 407, in get_client_manager
creds = cls.isolated_creds.get_primary_creds()
File "tempest/common/isolated_creds.py", line 273, in get_primary_creds
return self.get_credentials('primary')
File "tempest/common/isolated_creds.py", line 257, in get_credentials
credentials = self._create_creds(admin=is_admin)
File "tempest/common/isolated_creds.py", line 119, in _create_creds
tenant, email)
File "tempest/common/isolated_creds.py", line 65, in _create_user
username, password, tenant['id'], email)
File "tempest/services/identity/json/identity_client.py", line 168, in create_user
resp, body = self.post('users', post_body)
File "/opt/stack/new/tempest/.tox/full/local/lib/python2.7/site-packages/tempest_lib/common/rest_client.py", line 169, in post
return self.request('POST', url, extra_headers, headers, body)
File "tempest/common/service_client.py", line 69, in request
raise exceptions.Conflict(ex)
Conflict: An object with that identifier already exists
Details: An object with that identifier already exists
Details: {u'title': u'Conflict', u'message': u'Conflict occurred attempting to store role - Duplicate Entry', u'code': 409}

Some how isolated_credential calls are failing.

It appears that this might be racing on creating identical roles on multiple users - http://logs.openstack.org/26/153426/2/gate/gate-tempest-dsvm-nova-v21-full/c80cf2c//logs/apache/keystone.txt.gz#_2015-02-06_15_27_17_988

That's about the time of the failure.

Revision history for this message

Sean Dague (sdague) wrote on 2015-02-06:

It looks like keystone races in setting up default role when creating 2 users simultaneously.

2015-02-06 15:27:17.980468 25961 INFO keystone.assignment.core [-] Creating the default role 9fe2ff9ee4384b1894a90878d3e92bab because it does not exist.
2015-02-06 15:27:17.982766 25959 INFO keystone.assignment.core [-] Creating the default role 9fe2ff9ee4384b1894a90878d3e92bab because it does not exist.
2015-02-06 15:27:17.988287 25959 DEBUG keystone.common.sql.core [-] Conflict role: (IntegrityError) (1062, "Duplicate entry '9fe2ff9ee4384b1894a90878d3e92bab' for key 'PRIMARY'") 'INSERT INTO role (id, name, extra) VALUES (%s, %s, %s)' ('9fe2ff9ee4384b1894a90878d3e92bab', '_member_', '{}') wrapper /opt/stack/new/keystone/keystone/common/sql/core.py:399
2015-02-06 15:27:17.988978 25959 WARNING keystone.common.wsgi [-] Conflict occurred attempting to store role - Duplicate Entry

That speaks to a deep race in the keystone allocator that should be fixed.

Changed in tempest:
importance:	Undecided → High
Changed in keystone:
importance:	Undecided → Critical

Revision history for this message

Matthew Treinish (treinish) wrote on 2015-02-06:

Looking at the code in:

http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py#n236

It looks to me like if there are 2 incoming requests for a new user requests at roughly the same time and the role hasn't been created yet the 2 requests will race to create the role. I'll push out a fix soon that'll just add a lock to make sure this doesn't happen and only one can create the role.

Changed in keystone:
assignee:	nobody → Matthew Treinish (treinish)
status:	New → Confirmed

Revision history for this message

Matthew Treinish (treinish) wrote on 2015-02-06:

Looking through the failure logs this doesn't appear to be a tempest issue. Tempest is just triggering a race in keystone.

Changed in tempest:
importance:	High → Undecided
status:	New → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-06: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/153656

Changed in keystone:
status:	Confirmed → In Progress

Morgan Fainberg (mdrnstm) on 2015-02-06

Changed in keystone:
milestone:	none → kilo-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-06: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/153656
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0b1027886ae6bc29abd86aa8ede499be5f5fc2ae
Submitter: Jenkins
Branch: master

commit 0b1027886ae6bc29abd86aa8ede499be5f5fc2ae
Author: Matthew Treinish <email address hidden>
Date: Fri Feb 6 13:52:00 2015 -0500

Fix race on default role creation

    In add_user_to_project() it checks if the default role exists before
    trying to add the role to the user and project. If it doesn't exist it
    will attempt to create the role. However if 2 requests happen at
    roughly the same time the 2 role creations will race causing one to
    fail with a conflict error. This patch addresses this issue by catching
    the conflict exception and treating it as the create succeeded (which it
    did just elsewhere)

Change-Id: Iab95ed8b3913c020eafa919231d764ba8b780571
Closes-Bug: #1419043

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-06: Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/153713

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-06: Change abandoned on keystone (stable/juno)

Change abandoned by guang-yee (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/153713
Reason: Yikes, doesn't appear to do auto member role creation in juno

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-06: Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/153721

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-12: Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/153713
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b84e22be601f9f6fc48a9e10a3fb508c576b1d93
Submitter: Jenkins
Branch: stable/juno

commit b84e22be601f9f6fc48a9e10a3fb508c576b1d93
Author: Matthew Treinish <email address hidden>
Date: Fri Feb 6 13:52:00 2015 -0500

Fix race on default role creation

Conflicts:
keystone/assignment/core.py

    Change-Id: Iab95ed8b3913c020eafa919231d764ba8b780571
    Closes-Bug: #1419043
    (cherry picked from commit 0b1027886ae6bc29abd86aa8ede499be5f5fc2ae)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-13: Fix merged to keystone (stable/icehouse)

#10

Reviewed: https://review.openstack.org/153721
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5d2e2ce698eff6a328c2cbf9ab91901f95ba8958
Submitter: Jenkins
Branch: stable/icehouse

commit 5d2e2ce698eff6a328c2cbf9ab91901f95ba8958
Author: Matthew Treinish <email address hidden>
Date: Fri Feb 6 13:52:00 2015 -0500

Fix race on default role creation

Conflicts:
keystone/assignment/core.py

    Change-Id: Iab95ed8b3913c020eafa919231d764ba8b780571
    Closes-Bug: #1419043
    (cherry picked from commit 0b1027886ae6bc29abd86aa8ede499be5f5fc2ae)

Thierry Carrez (ttx) on 2015-03-19

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in keystone:
milestone:	kilo-3 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.