Fix db deadlock caused by checking authz before silo is created

oxidecomputer · Dec 12, 2023 · 371bc98 · 371bc98
1 parent 760675d
commit 371bc98
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/nexus/db-queries/src/db/datastore/quota.rs b/nexus/db-queries/src/db/datastore/quota.rs
@@ -20,15 +20,18 @@ use uuid::Uuid;
 
 impl DataStore {
     /// Creates new quotas for a silo. This is grouped with silo creation
-    /// and shouldn't be called directly by the user.
+    /// and shouldn't be called outside of that flow.
+    ///
+    /// An authz check _cannot_ be performed here because the authz initialization
+    /// isn't complete and will lead to a db deadlock.
+    ///
+    /// See https://github.com/oxidecomputer/omicron/blob/07eb7dafc20e35e44edf429fcbb759cbb33edd5f/nexus/db-queries/src/db/datastore/rack.rs#L407-L410
     pub async fn silo_quotas_create(
         &self,
-        opctx: &OpContext,
         conn: &async_bb8_diesel::Connection<DbConnection>,
         authz_silo: &authz::Silo,
         quotas: SiloQuotas,
     ) -> Result<(), Error> {
-        opctx.authorize(authz::Action::Modify, authz_silo).await?;
         let silo_id = authz_silo.id();
         use db::schema::silo_quotas::dsl;
 

diff --git a/nexus/db-queries/src/db/datastore/silo.rs b/nexus/db-queries/src/db/datastore/silo.rs
@@ -282,7 +282,6 @@ impl DataStore {
                 self.dns_update(nexus_opctx, &conn, dns_update).await?;
 
                 self.silo_quotas_create(
-                    opctx,
                     &conn,
                     &authz_silo,
                     SiloQuotas::new(