From 371bc98f8be801c2afb565cb86ec04ff1fb28734 Mon Sep 17 00:00:00 2001 From: Justin Bennett Date: Tue, 12 Dec 2023 14:54:11 -0500 Subject: [PATCH] Fix db deadlock caused by checking authz before silo is created --- nexus/db-queries/src/db/datastore/quota.rs | 9 ++++++--- nexus/db-queries/src/db/datastore/silo.rs | 1 - 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/nexus/db-queries/src/db/datastore/quota.rs b/nexus/db-queries/src/db/datastore/quota.rs index 573627cc67..6aba919e73 100644 --- a/nexus/db-queries/src/db/datastore/quota.rs +++ b/nexus/db-queries/src/db/datastore/quota.rs @@ -20,15 +20,18 @@ use uuid::Uuid; impl DataStore { /// Creates new quotas for a silo. This is grouped with silo creation - /// and shouldn't be called directly by the user. + /// and shouldn't be called outside of that flow. + /// + /// An authz check _cannot_ be performed here because the authz initialization + /// isn't complete and will lead to a db deadlock. + /// + /// See https://github.com/oxidecomputer/omicron/blob/07eb7dafc20e35e44edf429fcbb759cbb33edd5f/nexus/db-queries/src/db/datastore/rack.rs#L407-L410 pub async fn silo_quotas_create( &self, - opctx: &OpContext, conn: &async_bb8_diesel::Connection, authz_silo: &authz::Silo, quotas: SiloQuotas, ) -> Result<(), Error> { - opctx.authorize(authz::Action::Modify, authz_silo).await?; let silo_id = authz_silo.id(); use db::schema::silo_quotas::dsl; diff --git a/nexus/db-queries/src/db/datastore/silo.rs b/nexus/db-queries/src/db/datastore/silo.rs index a4481c39db..a483ced62e 100644 --- a/nexus/db-queries/src/db/datastore/silo.rs +++ b/nexus/db-queries/src/db/datastore/silo.rs @@ -282,7 +282,6 @@ impl DataStore { self.dns_update(nexus_opctx, &conn, dns_update).await?; self.silo_quotas_create( - opctx, &conn, &authz_silo, SiloQuotas::new(