Keystone with SAML federation is not working due to db migration lock
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
Hi,
Initially I reported a bug to the OpenStack Ansible team, but it appears to be a keystone bug. Therefore I will try here. (Initial bug report: https:/
The setup is the latest OpenStack Ussuri configured with Shibboleth2 (mod_shibd) and keystone-
The problem: the OpenStack Ansible plays populate the keystone db and then do:
keystone-manage db_sync --expand
keystone-manage db_sync --migrate
keystone-manage db_sync --contract
After a while, it will try to create an identity provider, but this fails due to the SQL trigger
https:/
Keystone log output: http://
To my understanding, the SQL trigger should be dropped during the "keystone-manage db_sync --contract", but it's not.
If you run the db_sync --contract again, it will correctly drop the trigger.