Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix concurrency issue when granting privileges on databases #224

Merged
merged 1 commit into from
Nov 17, 2022
Merged

Fix concurrency issue when granting privileges on databases #224

merged 1 commit into from
Nov 17, 2022

Conversation

timothegenzmer
Copy link
Contributor

This fixes #223

@cyrilgdn cyrilgdn self-requested a review July 20, 2022 20:06
@philip-harvey
Copy link

Any news on getting this merged?

@brokenjacobs
Copy link

@cyrilgdn any chance of this getting merged?

@BartoszGiza
Copy link

Hey, any news ? It would be nice to merge it.

@BartoszGiza
Copy link

BTW: i think i have workaround for this problem. I have added max_connections = 1 to provider block. Seems to work. Probably it will slow down plans :(

@seanamos
Copy link

BTW: i think i have workaround for this problem. I have added max_connections = 1 to provider block. Seems to work. Probably it will slow down plans :(

@BartoszGiza That does work in some cases. Unfortunately that also has another side effect that it can cause the provider to hang indefinitely.

@BartoszGiza
Copy link

BTW: i think i have workaround for this problem. I have added max_connections = 1 to provider block. Seems to work. Probably it will slow down plans :(

@BartoszGiza That does work in some cases. Unfortunately that also has another side effect that it can cause the provider to hang indefinitely.

Hi, I think i just hit that problem. I have problems with hanging during refreshing states. Also for some reason i can't delete database which provider created.

@vr
Copy link
Contributor

vr commented Nov 17, 2022

Hey @cyrilgdn any updates on this ?

cyrilgdn
cyrilgdn approved these changes Nov 17, 2022
View reviewed changes
Copy link
Owner

@cyrilgdn cyrilgdn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

Thanks for your work on that, and sorry for the delay.
I had no time to work on opensource projects these past months...

I haven't test it but code looks good so we can ship it 👍

@cyrilgdn cyrilgdn merged commit fa723cf into cyrilgdn:master Nov 17, 2022
@BartoszGiza
Copy link

@cyrilgdn thank You

@philip-harvey
Copy link

Will there be a release with this PR included? Thanks.

@timothegenzmer
Copy link
Contributor Author

Thanks for merging.
We have tested this change in production for a while and it resolved the issue for us without any side effects

@BartoszGiza
Copy link

@cyrilgdn when do You plan to release new version ?

@cyrilgdn
Copy link
Owner

This has been released in v1.18.0

@philip-harvey
Copy link

I tested 1.18 and am still getting concurrency issues on grants so unfortunately #223 is not fixed

@timothegenzmer
Copy link
Contributor Author

@philip-harvey Are you sure that you are facing the same issue?
This PR only fixes an concurrency issue if you simultaneously grant two different roles privileges on a database.
See the example code in the linked issue

@philip-harvey
Copy link

I am getting errors such as the below when updating grants if I don't have max_connections = 1

│ Error: could not get advisory lock for members of role pdr_ro_rl: pq: deadlock detected

│ with module.int_pdr.postgresql_grant.objects["b8e4ec3df0d0c7e7d493c4e904bc820e"],
│ on ../../modules/pdr-config/main.tf line 235, in resource "postgresql_grant" "objects":
│ 235: resource "postgresql_grant" "objects" {



│ Error: could not execute revoke query: pq: tuple concurrently updated

│ with module.int_pdr.postgresql_grant.objects["027c01cac83a9d668d9fe39e210a6278"],
│ on ../../modules/pdr-config/main.tf line 235, in resource "postgresql_grant" "objects":
│ 235: resource "postgresql_grant" "objects" {



│ Error: could not execute revoke query: pq: tuple concurrently updated

│ with module.int_pdr.postgresql_grant.objects["117188f8b95fd3ede43ec4bc981c8abb"],
│ on ../../modules/pdr-config/main.tf line 235, in resource "postgresql_grant" "objects":
│ 235: resource "postgresql_grant" "objects" {



│ Error: could not execute revoke query: pq: tuple concurrently updated

│ with module.int_pdr.postgresql_grant.objects["de1c9bcc954536336bb466b2a011beef"],
│ on ../../modules/pdr-config/main.tf line 235, in resource "postgresql_grant" "objects":
│ 235: resource "postgresql_grant" "objects" {

@timothegenzmer
Copy link
Contributor Author

Can you provide the relevant terraform code?
Just from the error it is hard to say that you are affected by the same issue, as all are just postgresql_grant.

Also the first error: could not get advisory lock for members of role pdr_ro_rl: pq: deadlock detected looks worrisome.
Is this a new error since you updated to 1.18?
Could you verify that the same error happened on 1.17.1?

@philip-harvey
Copy link

philip-harvey commented Nov 30, 2022
edited
Loading

This is the specific part of the code that is still failing due to concurrency issues.

# Grant each role rights to the objects in the schema
resource "postgresql_grant" "objects" {
  for_each    = local.grants_map
  role        = each.value.rolename
  database    = local.database_name
  schema      = each.value.schema
  object_type = each.value.object_type
  objects     = each.value.objects
  privileges  = each.value.privileges
  depends_on = [
    postgresql_role.roles,
    postgresql_schema.schema
  ]
}

AFAIK this issue has existed on all previous and current versions of the provider and the only known way to work around the issue currently is to set max_connections = 1

In this particular use case objects_type = table for most of the grants. Is the merged fix only valid if object_type = database? The exact same issue occurs for tables and schemas as well as databases, and any combination of object_types. e.g. #178

@timothegenzmer
Copy link
Contributor Author

This is the most generic code that you could have provided :D

Yes this PR only fixes object_type = database

If you want to know which query is actually responsible for your issues you can have a look at the postgres logs.

@philip-harvey philip-harvey mentioned this pull request Dec 22, 2022
Open
@seanamos
Copy link

seanamos commented Jan 6, 2023

I've had to downgrade as this change is causing all sorts of havoc. The biggest one is that its "leaking" advisory locks on databases. I'm often left with multiple locks that I have to manually cleanup.

This was referenced Jan 30, 2023
Open
Closed
@timothegenzmer
Copy link
Contributor Author

Hey @seanamos,
Sorry for the late response.

I have tested my code again, but I was not able to leak any locks
I have tested this via while :; do terraform apply --auto-approve && terraform destroy --auto-approve; done
and I have checked this with select relation::regclass, * from pg_locks;

from what I get pg_advisory_xact_lock should not leak any locks when the transaction is not leaked and the transaction should not be leaked as it is released via defer

Do you have an example code to reproduce the issue or could you share the leaked locks here so that I can investigate further?

@philip-harvey
Copy link

Any chance the change in #224 can be rolled back? In the past we could set max_connections = 1 and it would work, now it's just totally broken for versions > 1.1.7

@timothegenzmer
Copy link
Contributor Author

Are you able to provide a terraform configuration that has this issue?
I have tested this again and again with the config I shared in #223 that previously would throw and error and this PR fixed this configuration.

The fix that I provided might have had some side effects that I am not aware of.
I am happy to provide a fix for them if I am able to reproduce the issue

wip-sync pushed a commit to NetBSD/pkgsrc-wip that referenced this pull request Nov 28, 2023
@iamleot
terraform-provider-postgresql: Update to 1.21.0
fc0d747 
Changes:
v1.21.0
* Make function security, strictness, volatility, and parallel safety
  configurable
* Bump gocloud dependency to fix aws CA validation
* Allow for inlining client cert
* Use uint32 for OID to stop conversion errors with pguint32
* Postgresql 15 support
* Added MS Azure passwordless authentication
* Add 'Injecting credentials' section to provider docs
* fixed escaping for postgresql user info

v1.20.0
As this is my first release for this project, I am keeping the changes
to a minimum until I am more comfortable with the release process.

* Bump `go` to `1.20`
* Bump `lib/pq` to `1.10.9`
* Perform `db.Ping()` during database connection to catch issues earlier

v1.19.0
No change available.

v1.18.0
* New resource: `postgresql_server` and `postgresql_user_mapping`
* New resource: `postgresql_subscription`
* Allow to configure AWS Region with AWS IAM Auth
* Create temporary file for `GOOGLE_APPLICATION_CREDENTIALS` in
  Terraform cloud
* `postgresql_grant`: Concurrency issue on database privileges
  [#224](cyrilgdn/terraform-provider-postgresql#224)
* `postgresql_grant`: Remove `TEMP` privileges for database

v1.17.1
* Missing err check that leads to segfault

[For other releases no changes are available but mostly new resources
and data sources.]
@pagalba-com
Copy link

I have tested 1.21.1-beta.1 and concurrency issues are not fixed.

The fix provided by giner works. This one not.
Ref: https://github.com/giner/terraform-provider-postgresql/commits/fix_getting_stuck_on_refreshing_postgresql_grant

@vedata vedata mentioned this pull request Mar 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyrilgdn cyrilgdn cyrilgdn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tuple concurrently updated error when granting priviliges on same database for multiple users
8 participants
@timothegenzmer @philip-harvey @brokenjacobs @BartoszGiza @seanamos @vr @cyrilgdn @pagalba-com