Commit Graph

7 Commits

Author SHA1 Message Date
Don Penney 9531b76af1 Move content to subdir to support relocated packaging
Change-Id: Id4f645de23b9f0aec1914edbaef11cdb6e6dc0af
Story: 2006166
Task: 37337
Depends-On: https://review.opendev.org/692861
Signed-off-by: Don Penney <don.penney@windriver.com>
2019-11-04 13:57:02 -05:00
Andy Ning eb572c47f8 Check ids instead of names for DC assignment synchronization
In distributed cloud, subcloud's user ids, project ids and role ids
are synced with System Controller. But project role assignment
functions still use names to check if master resources and subcloud
resources have the same id, and if user, project and role exist before
POST call to grant project role to user. This will cause an assignment
PUT job to be created and identity sync status to flip from "in-sync" to
"out-of-sync" and back to "in-sync" again for every audit cycle.

A more detailed explanation: at the very first audit, roles are queued
for sync but the job doesn't run and their ids don't change at the
subcloud yet. At the same audit dcorch finds the project role assignment
actually exists (since it checks names in has_same_ids()), so it maps
the assignment of center cloud to the assignment of the subcloud with
the current ids. Once the queued roles sync job gets executed, role ids
are changed. At this point the assignment mappings become invalid. The
next audit can no longer find the mapped assignment from subcloud so the
logic falls into audit_discrepancy() where has_same_ids() returns
TRUE again and a PUT job is queued for the assignment. The sync endpoint
type becomes "out-of-sync" since there is a job for it. Once the PUT
function returns, its status returns to "in-sync" again.

This change updated project role assignment functions to use ids
instead of names.

Change-Id: I024f2c2f97aaf9670d7b2c5c70a2dae7d6d08d38
Closes-Bug: 1847661
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2019-10-25 14:36:19 -04:00
Andy Ning 828cdcf2bb Keystone DB sync - enhance dcorch first audit
This commit enhanced dcorch find_missing algorithm so that the first
audit after subcloud becomes managed won't try to create resources that
have matches in the subcloud (otherwise the creation will fail for DB
duplication error). This is necessary for resources that are created
at deployment time and existing resources not yet tracked by dcorch.

Story: 2002842
Task: 22787

Change-Id: I60f94057caf71265942f3b37b400eeba4f368fed
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2019-04-30 14:51:17 -04:00
Andy Ning 67215f30fe Keystone DB sync - update dcorch to use dcdbsync
This commit updates dcorch to use the newly introduced dbsync service
APIs to synchronize identity resources from central cloud to subclouds.
The following identity resources are synced:

- users (local users only)
- user passwords
- projects
- roles
- project role assignments
- token revocation events

Story: 2002842
Task: 22787

Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit e9096c7a23)

Depends-On: https://review.opendev.org/#/c/655921
Depends-On: https://review.opendev.org/#/c/655773
Depends-On: https://review.opendev.org/#/c/655776
Depends-On: https://review.opendev.org/#/c/655927
Change-Id: I77c2cc712a1c3dc8a228883c3fea1423e5207dea
2019-04-30 14:50:55 -04:00
Andy Ning 95da742946 Fix role synchronization in distributed cloud
There is a typo error in role deletion that prevents deleting the role
in subcloud during role synchronization. This update fixed this typo
error and made role synchronization work.

Closes-Bug: 1797960

Change-Id: Iff78ceffdd95b2676854d986126c6c2d001866de
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2018-10-17 13:34:32 -04:00
melissaml 2ca33d3e42 fix a typo
Change-Id: Ica2307f82c6c98d47d64b4b8f740efca95f94b5a
2018-09-20 10:57:29 +08:00
Scott Little e82c7b4336 StarlingX open source release updates
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-07 11:51:21 -04:00