23.3 Backport of #55119 - Fix deadlock in LDAP assigned role update - take 2 #364

@Enmk Enmk commented Feb 6, 2024

Changelog category (leave one):

  • Bug Fix (user-visible misbehavior in an official stable release)

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Fix deadlock in LDAP assigned role update for non-existing ClickHouse roles (ClickHouse#55119 by @jmaicher, ClickHouse#56544 by @jmaicher)


re-doing incorrectly merged #353

altinity-robot commented Feb 6, 2024

This is an automated comment for commit f5000c1 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Successful checks

| Check name | Description | Status |
| --- | --- | --- |
| ClickHouse build check | Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often have enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process | ✅ success |
| Compatibility check | Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help | ✅ success |
| Docker image for servers | The check to build and optionally push the mentioned image to docker hub | ✅ success |
| Install packages | Checks that the built packages are installable in a clear environment | ✅ success |
| Push to Dockerhub | The check for building and pushing the CI related docker images to docker hub | ✅ success |
| Ready for release | There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS | ✅ success |
| Stateful tests | Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ✅ success |

| Check name | Description | Status |
| --- | --- | --- |
| CI running | A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR | ⏳ pending |
| Integration tests | The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests | ❌ failure |
| Mergeable Check | Checks if all other necessary checks are successful | ❌ failure |
| Stateless tests | Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ❌ failure |

alexey-milovidov and others added 3 commits February 9, 2024 01:20
…ldap-role-update

Fix deadlock in LDAP assigned role update
…gration-test

Fix flaky LDAP integration tests
Fixed merge conflict from rebasing
@Enmk Enmk force-pushed the backports/23.3.19/55119_fix_LDAP_deadlock_role_update branch from 2395e79 to 2195b38 Compare February 9, 2024 00:20
Enmk commented Feb 18, 2024

It looks like test_ldap_external_user_directory/test.py::test_role_mapping is actually related to a known bug: ClickHouse#56646

From my investigations, user's groups are updated properly inside LDAPAccessStorage, but are not observed by Context. (Context gets User instance via ContextAccess instance, which seems to be not updated in time)

Update of assigned roles (`GrantedRoles`) on `User` instance that occurs
inside `LDAPAccessStorage` doesn't bubble up to `AccessStorage`
and is not broadcast as an event to `AccessChangesNotifier` event handlers.

Thus `AccessControl` that is held by `Context` never receives an event and
is never updated, holding old instance of `User` with previous set of roles.

`AccessControl` instances are cached for 600 seconds, so waiting for 600 + 10
seconds between sessions ensures that when user is logged in again, new
`AccessControl` instance is created, and proper (updated `User`, with
updated `GrantedRoles`) is created.

This issue seems to be already fixed in upstream/master,
but for now we are not going to backport it, just fix the test.
@Enmk Enmk force-pushed the backports/23.3.19/55119_fix_LDAP_deadlock_role_update branch from b3b191e to f5000c1 Compare February 20, 2024 21:53
@Enmk Enmk merged commit 70678f2 into customizations/23.3.19 Feb 21, 2024
131 of 141 checks passed