[VNC OpenStack] Fix concurrency project deletion

In mutli API server setup, the sync domains/projects VNC OpenStack greenthread of one of the servers can try to remove and purge resource related to a project which another server already purged. That results to not found API exceptions. That patch catches that exceptions and abandons to purge the project. That also reveals an issue in permission code that checks if the deletion is authorized which fails to read the resource as it was already deleted. Change-Id: I140cf5b7f4bd4d7798db18a7afd3b0d6168ea6b1 Closes-Bug: #1724179 Closes-Bug: #1724194
Juniper · Oct 18, 2017 · 5864ab7 · 5864ab7
1 parent 812affc
commit 5864ab7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/src/config/api-server/vnc_perms.py b/src/config/api-server/vnc_perms.py
@@ -239,11 +239,17 @@ def check_perms_delete(self, request, obj_type, obj_uuid, parent_uuid):
 
         if self._rbac:
             # delete only allowed for owner
-            (ok, obj_dict) = self._server_mgr._db_conn.dbe_read(obj_type,
-                             obj_uuid, obj_fields=['perms2'])
-            obj_owner=obj_dict['perms2']['owner']
+            try:
+                ok, result = self._server_mgr._db_conn.dbe_read(
+                    obj_type, obj_uuid, obj_fields=['perms2'])
+            except NoIdError as e:
+                return False, (404, str(e))
+            if not ok:
+                return False, (500, result)
+            obj_dict = result
+            obj_owner = obj_dict['perms2']['owner']
             return self.validate_perms_rbac(request, parent_uuid, PERMS_W,
-                                            obj_owner_for_delete = obj_owner)
+                                            obj_owner_for_delete=obj_owner)
         elif self._auth_needed:
             return self.validate_perms(request, parent_uuid, PERMS_W)
         else:

diff --git a/src/config/vnc_openstack/vnc_openstack/__init__.py b/src/config/vnc_openstack/vnc_openstack/__init__.py
@@ -937,11 +937,21 @@ def post_project_create(self, proj_dict):
 
     @wait_for_api_server_connection
     def pre_project_delete(self, proj_uuid):
-        proj_obj = self._vnc_lib.project_read(id=proj_uuid)
+        try:
+            proj_obj = self._vnc_lib.project_read(id=proj_uuid)
+        except vnc_exc.NoIdError:
+            # another api server has brought that project deletion
+            return
         sec_groups = proj_obj.get_security_groups()
         for group in sec_groups or []:
             if group['to'][2] == 'default':
-                self._vnc_lib.security_group_delete(id=group['uuid'])
+                try:
+                    # another api server has brought that project deletion and
+                    # its default security group
+                    self._vnc_lib.security_group_delete(id=group['uuid'])
+                except vnc_exc.NoIdError:
+                    pass
+                return
     # end pre_project_delete
 
     @wait_for_api_server_connection