[openstack-dev] [Manila] Contract of ShareDriver.deny_access

Ben Swartzlander ben at swartzlander.org
Fri Aug 21 13:22:28 UTC 2015


[Resending my response as unknown forces ate my original message]

On 08/20/2015 08:30 AM, Bjorn Schuberg wrote:
> Hello everyone,
>
> this is my first thread on this mailing list, and I would like to take 
> the opportunity to say that it was great to see you all at the 
> midcycle, even if remote.
>
> Now, to my question; I've been looking into an issue that arise when 
> deleting access to a share, and then momentarily after, deleting the 
> same share. The delete fails due to a race in 
> `_remove_share_access_rules` in the `ShareManager`, which attempts to 
> delete all granted permissions on the share before removing it, but 
> one of the access permissions is concurrently deleted due to the first 
> API call, see;
> https://github.com/openstack/manila/blob/master/manila/share/manager.py#L600
>
> I think an acceptable fix to this would be to wrap the `_deny_access` 
> call with a `try`... `except` block, and log any attempts to remove 
> non-existing permissions. The problem is that there seems to be no 
> contract on the exception to throw in case you attempt to delete an 
> `access` which does not exist -- each driver behaves differently.
>
> This got my attention after running the tempest integration tests, 
> where the teardown /sometimes/ fails in 
> tempest.api.share.test_rules:ShareIpRulesForNFSTest.
>
> Any thoughts on this? Perhaps there is a smoother approach that I'm 
> not seeing.

This is a good point. I'm actually interested in purusing a deeper 
overhaul of the allow/deny access logic for Mitaka which will make 
access rules less error prone in my opinion. I'm open to short term bug 
fixes in Liberty for problems like the one you mention, but I'm already 
planning a session in Tokyo about a new share access driver interface. 
The reason it has to wait until Mitaka is that all of the drivers will 
need to change their logic to accommodate the new method.

My thinking on access rules is that the driver interface which adds and 
removes rules one at a time is too fragile, and assumes too much about 
what backends are capable of supporting. I see the following problems 
(in addition to the one you mention):
* If addition or deletion of a rules fails for any reason, the set of 
rules on the backend starts to differ from what the user intended and 
there is no way to go back and correct the problem.
* If backends aren't able to implement rules exactly as Manila expects, 
(perhaps a backend does not support nested subnets with identical rules) 
then there are situations where a certain set of user actions will be 
guaranteed to result in broken rules. Consider (1) add rw access to 
10.0.0.0/8 (2) Add rw access to 10.10.0.0/16 (3) Remove rw access to 
10.0.0.0/8 (4) Try to access share from 10.10.10.10. If step (2) fails 
because the backend ignored that rule (it was redundant at the time it 
was added) then step (4) will also fail, even though it shouldn't.
* The current mechanism doesn't allow making multiple changes atomically 
-- changes have to be sequential. This will case problems if we want to 
allow access rules to be defined externally (something which was 
discussed during Juno and is still desirable) because changes to access 
rules may come in batches.

My proposal is simple. Rather than making drivers implement 
allow_access() and deny_access(), driver should implement a single 
set_access() which gets passed a list of all the access rules. Drivers 
would be required to compare the list of rules passed in from the 
manager to the list of rules on the storage controller and make changes 
as appropriate. For some drivers this would be more work but for other 
drivers it would be less work. Overall I think it's a better design. We 
can probably implement some kind of backwards compatibility to avoid 
breaking drivers during the migration to the new interface.

It's not something I intend to push for in Liberty however.

-Ben


> Cheers,
> Björn
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150821/f021e3a4/attachment.html>


More information about the OpenStack-dev mailing list