new keystone db migrations require either SUPER or log_bin_trust_function_creators=1

Bug #1638368 reported by Matt Fischer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Richard |
puppet-keystone | Won't Fix | Undecided | Unassigned |

Bug Description

Upgrade Process Docs: http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime

The new keystone upgrade features (keystone-manage db_sync --expand) require either that the keystone user has SUPER or that set global log_bin_trust_function_creators=1; is run.

I'm not sure which is the better option but logging this anyway.

Without that you get this error:

root@dev01-keystone-001:/var/log/mysql# keystone-manage db_sync --expand
2016-11-01 19:56:17.803 1 INFO migrate.versioning.api [-] 97 -> 98...
2016-11-01 19:56:17.821 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:17.821 1 INFO migrate.versioning.api [-] 98 -> 99...
2016-11-01 19:56:17.839 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:17.839 1 INFO migrate.versioning.api [-] 99 -> 100...
2016-11-01 19:56:17.855 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:17.856 1 INFO migrate.versioning.api [-] 100 -> 101...
2016-11-01 19:56:17.897 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:17.897 1 INFO migrate.versioning.api [-] 101 -> 102...
2016-11-01 19:56:17.961 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:17.961 1 INFO migrate.versioning.api [-] 102 -> 103...
2016-11-01 19:56:18.108 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:18.109 1 INFO migrate.versioning.api [-] 103 -> 104...
2016-11-01 19:56:18.132 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:18.132 1 INFO migrate.versioning.api [-] 104 -> 105...
2016-11-01 19:56:18.454 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:18.455 1 INFO migrate.versioning.api [-] 105 -> 106...
2016-11-01 19:56:18.680 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:18.680 1 INFO migrate.versioning.api [-] 106 -> 107...
2016-11-01 19:56:18.968 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:18.968 1 INFO migrate.versioning.api [-] 107 -> 108...
2016-11-01 19:56:19.324 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:19.325 1 INFO migrate.versioning.api [-] 108 -> 109...
2016-11-01 19:56:19.477 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:19.534 1 INFO migrate.versioning.api [-] 0 -> 1...
2016-11-01 19:56:19.550 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:19.550 1 INFO migrate.versioning.api [-] 1 -> 2...
2016-11-01 19:56:19.569 1 INFO migrate.versioning.api [-] done
2016-11-01 19:56:19.569 1 INFO migrate.versioning.api [-] 2 -> 3...
2016-11-01 19:56:19.881 1 CRITICAL keystone [-] OperationalError: (_mysql_exceptions.OperationalError) (1419, 'You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)') [SQL: "\nCREATE TRIGGER credential_insert_read_only BEFORE INSERT ON credential\nFOR EACH ROW\nBEGIN\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'Credential migration in progress. Cannot perform writes to credential table.';\nEND;\n"]
2016-11-01 19:56:19.881 1 ERROR keystone Traceback (most recent call last):
2016-11-01 19:56:19.881 1 ERROR keystone File "/usr/bin/keystone-manage", line 10, in <module>
2016-11-01 19:56:19.881 1 ERROR keystone sys.exit(main())
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/cmd/manage.py", line 44, in main
2016-11-01 19:56:19.881 1 ERROR keystone cli.main(argv=sys.argv, config_files=config_files)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/cmd/cli.py", line 1254, in main
2016-11-01 19:56:19.881 1 ERROR keystone CONF.command.cmd_class.main()
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/cmd/cli.py", line 438, in main
2016-11-01 19:56:19.881 1 ERROR keystone migration_helpers.expand_schema()
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/common/sql/migration_helpers.py", line 233, in expand_schema
2016-11-01 19:56:19.881 1 ERROR keystone _sync_repo(repo_name='expand_repo')
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/common/sql/migration_helpers.py", line 144, in _sync_repo
2016-11-01 19:56:19.881 1 ERROR keystone init_version=init_version, sanity_check=False)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/oslo_db/sqlalchemy/migration.py", line 78, in db_sync
2016-11-01 19:56:19.881 1 ERROR keystone migration = versioning_api.upgrade(engine, repository, version)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/migrate/versioning/api.py", line 186, in upgrade
2016-11-01 19:56:19.881 1 ERROR keystone return _migrate(url, repository, version, upgrade=True, err=err, **opts)
2016-11-01 19:56:19.881 1 ERROR keystone File "<decorator-gen-15>", line 2, in _migrate
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/migrate/versioning/util/__init__.py", line 160, in with_engine
2016-11-01 19:56:19.881 1 ERROR keystone return f(*a, **kw)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/migrate/versioning/api.py", line 366, in _migrate
2016-11-01 19:56:19.881 1 ERROR keystone schema.runchange(ver, change, changeset.step)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/migrate/versioning/schema.py", line 93, in runchange
2016-11-01 19:56:19.881 1 ERROR keystone change.run(self.engine, step)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/migrate/versioning/script/py.py", line 148, in run
2016-11-01 19:56:19.881 1 ERROR keystone script_func(engine)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/keystone/common/sql/expand_repo/versions/003_add_key_hash_and_encrypted_blob_to_credential.py", line 128, in upgrade
2016-11-01 19:56:19.881 1 ERROR keystone migrate_engine.execute(credential_insert_trigger)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1991, in execute
2016-11-01 19:56:19.881 1 ERROR keystone return connection.execute(statement, *multiparams, **params)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 906, in execute
2016-11-01 19:56:19.881 1 ERROR keystone return self._execute_text(object, multiparams, params)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1054, in _execute_text
2016-11-01 19:56:19.881 1 ERROR keystone statement, parameters
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1146, in _execute_context
2016-11-01 19:56:19.881 1 ERROR keystone context)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1337, in _handle_dbapi_exception
2016-11-01 19:56:19.881 1 ERROR keystone util.raise_from_cause(newraise, exc_info)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/util/compat.py", line 202, in raise_from_cause
2016-11-01 19:56:19.881 1 ERROR keystone reraise(type(exception), exception, tb=exc_tb, cause=cause)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1139, in _execute_context
2016-11-01 19:56:19.881 1 ERROR keystone context)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/default.py", line 450, in do_execute
2016-11-01 19:56:19.881 1 ERROR keystone cursor.execute(statement, parameters)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
2016-11-01 19:56:19.881 1 ERROR keystone self.errorhandler(self, exc, value)
2016-11-01 19:56:19.881 1 ERROR keystone File "/venv/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
2016-11-01 19:56:19.881 1 ERROR keystone raise errorclass, errorvalue
2016-11-01 19:56:19.881 1 ERROR keystone OperationalError: (_mysql_exceptions.OperationalError) (1419, 'You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)') [SQL: "\nCREATE TRIGGER credential_insert_read_only BEFORE INSERT ON credential\nFOR EACH ROW\nBEGIN\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'Credential migration in progress. Cannot perform writes to credential table.';\nEND;\n"]

Matt Fischer (mfisch)
description: updated
Matt Fischer (mfisch)
tags: added: upgrades
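
A pre-flight check for the condition named in the error above, as an added example that is not part of the original report or of keystone. It takes the output of SHOW GRANTS for the migration account plus the two server variables and predicts whether CREATE TRIGGER will be rejected with error 1419; the function names are hypothetical and the sample input is constructed.

```python
import re

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO <grantee>
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s",
                      re.IGNORECASE)


def global_privileges(show_grants_lines):
    """Return the privileges granted at global scope (ON *.*) only."""
    privs = set()
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        # SUPER is a global privilege: a grant on `keystone`.* cannot carry it.
        if not m or m.group("scope").replace("`", "") != "*.*":
            continue
        privs.update(p.strip().upper() for p in m.group("privs").split(","))
    return privs


def is_on(value):
    """Server variables are reported as ON/OFF or 1/0 depending on the client."""
    return str(value).strip().upper() in ("ON", "1")


def trigger_preflight(variables, show_grants_lines):
    """Return (allowed, reason) for CREATE TRIGGER with respect to error 1419."""
    if not is_on(variables.get("log_bin", "OFF")):
        return True, "binary logging is disabled"
    if is_on(variables.get("log_bin_trust_function_creators", "OFF")):
        return True, "log_bin_trust_function_creators is enabled (server-wide)"
    privs = global_privileges(show_grants_lines)
    if "SUPER" in privs or "ALL PRIVILEGES" in privs:
        return True, "account holds SUPER at global scope"
    return False, "error 1419 expected: binary logging on, no SUPER, trust off"


# Constructed sample: a keystone account with full rights on its own schema only.
SAMPLE_VARIABLES = {"log_bin": "ON", "log_bin_trust_function_creators": "OFF"}
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'keystone'@'%'",
    "GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'%'",
]

if __name__ == "__main__":
    print(trigger_preflight(SAMPLE_VARIABLES, SAMPLE_GRANTS))
```

The reason string identifies which condition lets the trigger through, so a reviewer can see whether it is a global privilege on one account or a server-wide setting.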
Steve Martinelli (stevemar) wrote :

At minimum we need to update our upgrade docs.

tags: added: documentation
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → ocata-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/394603

Changed in keystone:
assignee: nobody → Richard (csravelar)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/394603
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=52f58eb4df23706a17ee08052360f3973a93ef69
Submitter: Jenkins
Branch: master

commit 52f58eb4df23706a17ee08052360f3973a93ef69
Author: Richard Avelar <email address hidden>
Date: Mon Nov 7 19:50:57 2016 +0000

    Doc warning for keystone db migration

    The new keystone upgrade features (keystone-manage db_sync --expand)
    require for MySQL deployments that the keystone user is granted SUPER
    privilege or that set global log_bin_trust_function_creators=1; is run.
    Adding a warning message to notify reader.

    Change-Id: I78738a335d14c6ad824c348a7385bb1ee8ad75bf
    Closes-Bug: 1638368

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.

Takashi Kajinami (kajinamit) wrote :

It's not clear what the pending item on puppet-keystone is, and as I no longer see the problem in recent versions, I'll mark this as won't fix from our side.

Changed in puppet-keystone:
status: New → Won't Fix