OpenStack Identity (keystone)

Keystone with SAML federation is not working due to db migratiaon lock

Bug #1903949 reported by PerToft on 2020-11-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	New	Undecided	Unassigned

Bug Description

Hi,

Initially i have reported a bug to the OpenStack Ansible team, but it appears to be a keystone bug. Therefore i will try here. (Initial bug report: https://bugs.launchpad.net/openstack-ansible/+bug/1900808)

The setup is the latest OpenStack Ussuri configured with Shibbolet2 (mod_shibd) and keystone-21.1.1.dev1.

The problem openstack ansible plays, populates the keystone db and then does:
keystone-manage db_sync --expand
keystone-manage db_sync --migrate
keystone-manage db_sync --contract

After a while, it will try to create an identity provider, but this fails due to the SQL trigger
https://docs.openstack.org/keystone/ussuri/_modules/keystone/common/sql/expand_repo/versions/012_expand_add_domain_id_to_idp.html

Keystone log output: http://paste.openstack.org/show/799241/

To my understanding, the sql trigger should be dropped during the "keystone-manage db_sync --contract", but its not.

If you run the db_sync --contact again it will correctly drop the trigger.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.