Andrew Bogott has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/348135 )
Change subject: wmfkeystonehooks: Work around a keystone bug with role removal
......................................................................
wmfkeystonehooks: Work around a keystone bug with role removal
Keystone tells us about a role removal /before/ removing the role.
So, remove it explicitly in our internal struct before updating
the project group.
This hack can be removed in ocata.
Bug: T162615
Change-Id: Iff18831105dead5b0af247daa00506a785ed4505
---
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
M modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
2 files changed, 54 insertions(+), 10 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/35/348135/1
diff --git
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index 09cab25..f6aaa96 100644
---
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -113,8 +113,9 @@
# and the generic 'identity.projectupdated' comes in the wrong order. So
# we're probably going to wind up getting called several times in quick
succession,
# possible in overlapping invocations. Watch out for race conditions!
- def _on_member_update(self, project_id):
- assignments = self._get_current_assignments(project_id)
+ def _on_member_update(self, project_id, assignments=None):
+ if not assignments:
+ assignments = self._get_current_assignments(project_id)
ldapgroups.sync_ldap_project_group(project_id, assignments)
def _on_project_delete(self, project_id):
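Review bot: `if not assignments:` in `_on_member_update` treats an empty mapping the same as "not supplied", so a caller that passes an explicitly computed but empty `assignments` has it discarded in favour of a fresh `_get_current_assignments(project_id)` read, which per the commit message can still contain the role being removed. Testing `if assignments is None:` keeps the caller's value authoritative. Whether the structure can actually be empty is not visible in this hunk, so this is a hardening point. A one-line docstring saying that `assignments`, when given, overrides the Keystone lookup would also help. The identical hunk in the mitaka copy has the same check.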
@@ -247,9 +248,30 @@
if event_type == 'identity.project.created':
self._on_project_create(message['payload']['resource_info'])
- if (event_type == 'identity.role_assignment.deleted' or
- event_type == 'identity.role_assignment.created'):
- self._on_member_update(message['payload']['project'])
+ if event_type == 'identity.role_assignment.created':
+ project_id = message['payload']['project']
+ self._on_member_update(project_id)
+
+ if event_type == 'identity.role_assignment.deleted':
+ project_id = message['payload']['project']
+ # This is a weird special case... Keystone is dumb and
+ # emits the notification /before/ updating the DB, so we have
+ # to explicitly update our role list. This is fixed
+ # in release 'ocata' with https://review.openstack.org/#/c/401332/
+ assignments = self._get_current_assignments(project_id)
+ role = message['payload']['role']
+ user = message['payload']['user']
+ roledict = self._get_role_dict()
+ for name in roledict.keys():
+ if role == roledict[name]:
+ if user in assignments[name]:
+ assignments[name].remove(user)
+ LOG.warning("Keystone bug workaround: Explicitly "
+ "removing %s from role %s, project %s"
+ % (user, role, project_id))
+ break
+
+ self._on_member_update(project_id, assignments)
# HACK ALERT
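Review bot: The new `identity.role_assignment.deleted` branch indexes `message['payload']['user']` and `assignments[name]` without guards, so a missing key raises before `self._on_member_update(project_id, assignments)` runs and the LDAP project group keeps the revoked member. Whether a payload without a `user` key or a role name absent from `assignments` can occur is not visible in this hunk, but the failure mode is stale access, so `user = message['payload'].get('user')` and `if user in assignments.get(name, []):` are worth having. The `LOG.warning` call also formats eagerly with `%`; passing `user, role, project_id` as logging arguments is the usual form. The enclosing method starts outside the hunk, and the mitaka copy carries the same hunk.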
diff --git
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index 09cab25..f6aaa96 100644
---
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -113,8 +113,9 @@
# and the generic 'identity.projectupdated' comes in the wrong order. So
# we're probably going to wind up getting called several times in quick
succession,
# possible in overlapping invocations. Watch out for race conditions!
- def _on_member_update(self, project_id):
- assignments = self._get_current_assignments(project_id)
+ def _on_member_update(self, project_id, assignments=None):
+ if not assignments:
+ assignments = self._get_current_assignments(project_id)
ldapgroups.sync_ldap_project_group(project_id, assignments)
def _on_project_delete(self, project_id):
@@ -247,9 +248,30 @@
if event_type == 'identity.project.created':
self._on_project_create(message['payload']['resource_info'])
- if (event_type == 'identity.role_assignment.deleted' or
- event_type == 'identity.role_assignment.created'):
- self._on_member_update(message['payload']['project'])
+ if event_type == 'identity.role_assignment.created':
+ project_id = message['payload']['project']
+ self._on_member_update(project_id)
+
+ if event_type == 'identity.role_assignment.deleted':
+ project_id = message['payload']['project']
+ # This is a weird special case... Keystone is dumb and
+ # emits the notification /before/ updating the DB, so we have
+ # to explicitly update our role list. This is fixed
+ # in release 'ocata' with https://review.openstack.org/#/c/401332/
+ assignments = self._get_current_assignments(project_id)
+ role = message['payload']['role']
+ user = message['payload']['user']
+ roledict = self._get_role_dict()
+ for name in roledict.keys():
+ if role == roledict[name]:
+ if user in assignments[name]:
+ assignments[name].remove(user)
+ LOG.warning("Keystone bug workaround: Explicitly "
+ "removing %s from role %s, project %s"
+ % (user, role, project_id))
+ break
+
+ self._on_member_update(project_id, assignments)
# HACK ALERT
--
To view, visit https://gerrit.wikimedia.org/r/348135
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iff18831105dead5b0af247daa00506a785ed4505
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>