Bug 928797

Summary: cyclic group memberships may not work depending on order of operations
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: grajaiya, jgalipea, lnovich, mkosek, nkarandi, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-109.el6 Doc Type: Bug Fix
Doc Text:
Cause: With a cyclic membership between two groups (A contains B and B contains A), there may be a race condition between creating membership links between the two. Consequence: Saving groups with cyclic membership to cache might fail. Fix: The cache save operation was made more permissive, allowing to skip errors generated by the cyclic membership. Result: Saving groups with cyclic memberships works fine now.
 Story Points: ---
Clone Of:
: 928799 (view as bug list) Environment:
Last Closed: 2013-11-21 22:16:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 928799    

Description Dmitri Pal 2013-03-28 13:21:47 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1846

Lukas found that depending on the order we save groups to cache, we might fail to save cyclic group memberships correctly. With a setup like this:

{{{
   ________
   |  CG1 |------------>sssduser1
   |______|<---+
      |        |
      |        |
      |     ________
      +---->|  CG2 |--->sssduser2
            |______|

}}}

Then depending on whether CG1 or CG2 is requested first, then only sssduser1 or only sssduser2 may be returned.

The logs would show an EEXIST situation from memberof plugin.
Comment 5 Jakub Hrozek 2013-07-17 12:58:37 UTC 
Fixed upstream:

master: aab77886be61d915805bf16500e06fab6a5a7e4f
sssd-1-10: 716705950986a3221d64aec4274b6e1e73f16121
sssd-1-9: e4c8fd085da8132db082de616675061018fdc5a2
Comment 9 Nirupama Karandikar 2013-08-21 06:59:04 UTC 
Verified with version sssd-1.9.2-122.el6.x86_64

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ 928797 Cyclic group_member_list
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'groups sssduser1 | grep cg2' (Expected 0, got 0)
:: [   PASS   ] :: Running 'groups sssduser2 | grep cg1' (Expected 0, got 0)
:: [   PASS   ] :: Running 'id sssduser1 | grep cg2' (Expected 0, got 0)
:: [   PASS   ] :: Running 'id sssduser2 | grep cg1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: BZ 928797 Cyclic group_member_list
Comment 10 errata-xmlrpc 2013-11-21 22:16:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html