
yahoo-eng-team team mailing list archive

[Bug 1803780] Re: confusing "Circular reference found role inference rules ..." error

 

Reviewed:  https://review.openstack.org/624553
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=78566e828659b201563e7d07823df30f7b00b0d4
Submitter: Zuul
Branch:    master

commit 78566e828659b201563e7d07823df30f7b00b0d4
Author: Adam Young <ayoung@xxxxxxxxxx>
Date:   Tue Dec 11 21:22:51 2018 -0500

    Remove message about circular role inferences
    
    While cycles could be a problem, this code was detecting them even
    when there were none.  If a role gets added twice, it was reporting
    an error, but that is possible from the case where two distinct prior
    add the same implied role.  Just move on quietly.
    
    closes-bug 1803780
    
    Change-Id: I804e5084f74ff4afdd582ece02ff2c833c5f6eb1


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1803780

Title:
  confusing "Circular reference found role inference rules ..." error

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When assigning both prior role and implied role in the implied role
  chain (that is more than two levels deep) to a given user for a given
  project, you'll see a rather confusing and misleading error in the
  Keystone log that looks like this.

  Nov 16 11:50:03 keystone devstack@keystone.service[17003]: ERROR keystone.assignment.core [None req-770cd1c8-b5bd-4b37-b2b3-1e7bc57b8093 None None] Circular reference found role inference rules - c6025062f9704caba0be20ebd3f7b4f0

  First of all, this is not a fatal error as the operation will
  eventually succeed. We merely log it as *ERROR* without reraising it.
  See

  https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L673

  So it shouldn't be an error from an operational standpoint. Perhaps we
  should consider downgrading it to warning instead?

  But the bigger problem is how did we even get into this situation to
  begin with. Shouldn't this situation be prevented at role assignment?
  i.e. checking for potential circular inference prior to finalizing the
  assignment.

  Steps to reproduce the problem:

  1. provision a devstack
  2. source devstack/openrc admin admin
  3. openstack role add --user admin --project admin member
  4. openstack role assignment list --user admin --project admin --effective
  5. sudo journalctl (and you'll see the 'Circular reference found role inference rules' error in the logs)

  Another alternative would be to create your own implied role chain.

  1. provision a devstack
  2. source devstack/openrc admin admin
  3. openstack role create foo
  4. openstack implied role create --implied-role reader foo
  5. openstack role create another_foo
  6. openstack implied role create --implied-role foo another_foo
  7. openstack role add --user demo --project demo foo
  8. openstack role add --user demo --project demo another_foo
  9. openstack role assignment list --user demo --project demo --effective
  10. sudo journalctl (and you'll see the 'Circular reference found role inference rules' error in the logs)

  NOTE: this happens when an implied role chain is more than two
  levels deep. i.e.

  another_foo -> foo -> reader

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1803780/+subscriptions
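
An added example (not keystone's code and not part of the original message): a simplified Python model of implied-role expansion, showing why a "role seen twice" check misfires on the another_foo -> foo -> reader chain, next to a check that reports a cycle only when a role reappears on its own inference path. The function names and the rule dictionaries are assumptions made for illustration.

```python
# Constructed inference rules from the bug report: prior role -> implied roles.
RULES = {"another_foo": ["foo"], "foo": ["reader"], "reader": []}
# Constructed rules containing a genuine cycle, for comparison.
CYCLIC_RULES = {"a": ["b"], "b": ["a"]}


def expand_flagging_duplicates(direct_roles, rules):
    """Model of the reported behaviour: any role reached twice is flagged."""
    effective, flagged = set(direct_roles), []
    queue = list(direct_roles)
    while queue:
        prior = queue.pop(0)
        for implied in rules.get(prior, []):
            if implied in effective:
                # Misfires when the role was assigned directly or is implied
                # by two distinct priors; no cycle is needed to get here.
                flagged.append(implied)
                continue
            effective.add(implied)
            queue.append(implied)
    return effective, flagged


def expand_with_path_check(direct_roles, rules):
    """Skip duplicates quietly; report only a role that recurs on its own path."""
    effective, cycles = set(), []

    def visit(role, path):
        if role in path:  # role implies itself through the chain: real cycle
            cycles.append(path[path.index(role):] + [role])
            return
        if role in effective:  # already expanded via another path: move on
            return
        effective.add(role)
        for implied in rules.get(role, []):
            visit(implied, path + [role])

    for role in direct_roles:
        visit(role, [])
    return effective, cycles


if __name__ == "__main__":
    # The demo user holds both foo and another_foo, as in the second repro.
    print(expand_flagging_duplicates(["foo", "another_foo"], RULES))
    print(expand_with_path_check(["foo", "another_foo"], RULES))
    print(expand_with_path_check(["a"], CYCLIC_RULES))
```

Both functions return the same effective role set for the reproduction case; they differ only in what they report, which is why the operation in the bug succeeds while the log shows an error.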

