[RBAC] Fix an issue (race) with remote to local group sync during concurrent authentication #4105
This pull request fixes the issue described in #4103.
If a user tried to authenticate against the StackStorm API concurrently in a short time frame, there was a race condition which would cause an exception to be thrown and potentially not all the remote group mappings for that user being synchronized.
Keep in mind that this issue only affects deployments which use RBAC with the remote LDAP groups to local RBAC roles synchronization feature enabled.
In addition to that, the error is not fatal (authentication would succeed, as designed), but it could potentially result in not all the mappings for a user being synchronized (depending on when the race occurred and the number of mappings defined on disk).
Since the RBAC functionality follows a "whitelist" approach, that behavior is fail safe and has no negative security implications - the worst case (race condition occurring) would mean not all the mappings are synchronized and the user has access to less / not all the resources that are defined in the mappings.
Resolves #4103.