yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #76307
[Bug 1803780] Re: confusing "Circular reference found role inference rules ..." error
Reviewed: https://review.openstack.org/624553
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=78566e828659b201563e7d07823df30f7b00b0d4
Submitter: Zuul
Branch: master
commit 78566e828659b201563e7d07823df30f7b00b0d4
Author: Adam Young <ayoung@xxxxxxxxxx>
Date: Tue Dec 11 21:22:51 2018 -0500
Remove message about circular role inferences
While Cycles could be a problem, this code was detercting them even
when there were none. If a role gets added twice, it was reporting
an error, but that is possible from the case where two distinct prior
add the same implied role. Just move on quietly.
closes-bug 1803780
Change-Id: I804e5084f74ff4afdd582ece02ff2c833c5f6eb1
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1803780
Title:
confusing "Circular reference found role inference rules ..." error
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When assigning both prior role and implied role in the implied role
chain (that is more than two levels deep) to a given user for a given
project, you'll see a rather confusing and misleading error in the
Keystone log that looks like this.
Nov 16 11:50:03 keystone devstack@keystone.service[17003]: ERROR keystone.assignment.core [None req-770cd1c8-b5bd-4b37-b2b3-1e7bc57b8093 None None] Circular reference found role inference rules -
c6025062f9704caba0be20ebd3f7b4f0
First off all, this is not a fatal error as the operation will
eventually succeed. We merely log it as *ERROR* without reraising it.
See
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L673
So it shouldn't be an error from operational standpoint. Perhaps we
should consider downgrading it to warning instead?
But the bigger problem is how did we even get into this situation to
begin with. Shouldn't this situation be prevented at role assignment?
i.e. checking for potential circular inference prior to finalizing the
assignment.
Steps to reproduce the problem:
1. provision a devstack
2. source devstack/openrc admin admin
3. openstack role add --user admin --project admin member
4. openstack role assignment list --user admin --project admin --effective
5. sudo journalctl (and you'll see the 'Circular reference found role inference rules' error in the logs)
Another alternative would be to create your own implied role chain.
1. provision a devstack
2. source devstack/openrc admin admin
3. openstack role create foo
4. openstack implied role create --implied-role reader foo
5. openstack role create another_foo
6. openstack implied role create --implied_role foo another_foo
7. openstack role add --user demo --project demo foo
8. openstack role add --user demo --project demo another_foo
9. openstack role assignment list --user demo --project demo --effective
10. sudo journalctl (and you'll see the 'Circular reference found role inference rules' error in the logs)
NOTE: this happens when we an implied role chain is more than two
levels deep. i.e.
another_foo -> foo -> reader
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1803780/+subscriptions
References
