Roles lost in Folsom to Grizzly upgrade

Bug #1131087 reported by Kieran Spear
Affects: OpenStack Identity (keystone)
Assigned to: Adam Young

Bug Description

In a Folsom -> Grizzly upgrade I noticed my admin user wasn't authorised to administer keystone any more. I had to hack my policy.json so I could interrogate keystone to find out why.

keystone user-role-list has one entry. Giving my admin user the '_member_' role:

| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 139113774ba44497a7fe9bbe268dfdac | 8b79e14d24e645a39be0f6bf1f68208b |

So the "Admin" role was missing. Different roles are missing from other users too.

Original Folsom tables:

    mysql> show tables;
    +------------------------+
    | Tables_in_keystone     |
    +------------------------+
    | ec2_credential         |
    | endpoint               |
    | metadata               |
    | migrate_version        |
    | role                   |
    | service                |
    | tenant                 |
    | token                  |
    | user                   |
    | user_tenant_membership |
    +------------------------+
    10 rows in set (0.00 sec)

From what I can tell, roles used to be stored in the 'metadata' table in Folsom.

    mysql> describe metadata;
    +-----------+-------------+------+-----+---------+-------+
    | Field     | Type        | Null | Key | Default | Extra |
    +-----------+-------------+------+-----+---------+-------+
    | user_id   | varchar(64) | NO   | PRI | NULL    |       |
    | tenant_id | varchar(64) | NO   | PRI | NULL    |       |
    | data      | text        | YES  |     | NULL    |       |
    +-----------+-------------+------+-----+---------+-------+
    3 rows in set (0.01 sec)

Sample row:
  user_id: 671dcaba8087487c8a28afe42b6672fa
tenant_id: e4eee8dbc16a49dcbc76edac96674e96
     data: {"roles": ["ce685d2405f14ef09568da65b102b1e9", "75fc2fd3a6004c37bbd6c518c25cdaaa"]}

At version 7 keystone adds a new 'user_domain_metadata' table which seems awfully similar to the metadata table. The metadata table is never touched ever again after this.

    user_domain_metadata_table = sql.Table(
        sql.Column('data', sql.Text()))
    user_domain_metadata_table.create(migrate_engine, checkfirst=True)

At version 17 there's another similar-looking 'user_project_metadata' table created.

If I drop the user_project_metadata table and put my metadata table in its place (with column tenant_id renamed to project_id) everything seems to just work.

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → grizzly-rc1
Dean Troyer (dtroyer)
tags: added: upgrade
Joseph Heck (heckj) wrote :

Is this a duplicate of 1119789?

Kieran Spear (kspear) wrote :

It's not. Basically the problem is here:

and here:

The metadata table was recreated as user_project_metadata, and only implicit roles due to project membership were migrated, not explicit roles from the metadata table itself.

There's also the additional problem that existing deployments will generally already have a "Member" role, so once the above migration is done properly you will have a mess of _member_ and Member roles. Ideally I'd be able to set member_role_name and member_role_id in the conf to point to the existing member role and the migration would (1) add that role only if it didn't exist already and (2) add any missing Member role grants iff they don't already exist. Having "_member_" show up in the cli/dashboard is also really ugly...
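The merge described in the two comments above, as an added example that is not keystone's own migration: it reads the explicit role grants left in the Folsom `metadata` table and unions them into the matching `user_project_metadata` row (creating it where only the old table has one), without duplicating grants on a re-run. Table and column names follow the report; the SQLite schema, the ids and the `role-…` names are constructed for the demo.

```python
import json
import sqlite3

def open_demo_db():
    # Constructed Folsom -> Grizzly state (table/column names from the report):
    # explicit roles still in ``metadata``, only the implicit ``_member_``
    # grant in ``user_project_metadata``. Ids and role ids are placeholders.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE metadata (user_id TEXT, tenant_id TEXT, data TEXT,
                               PRIMARY KEY (user_id, tenant_id));
        CREATE TABLE user_project_metadata (user_id TEXT, project_id TEXT,
                               data TEXT, PRIMARY KEY (user_id, project_id));
    """)
    db.executemany("INSERT INTO metadata VALUES (?, ?, ?)", [
        ("user-a", "proj-1", json.dumps({"roles": ["role-admin", "role-Member"]})),
        ("user-b", "proj-2", json.dumps({"roles": ["role-admin"]})),  # no new row yet
    ])
    db.execute("INSERT INTO user_project_metadata VALUES (?, ?, ?)",
               ("user-a", "proj-1", json.dumps({"roles": ["role-_member_"]})))
    return db

def migrate_roles(db):
    # Union each old explicit grant into the new row (creating it if missing).
    # Idempotent: rows whose role set is already complete are left untouched.
    # Returns the number of rows actually written.
    changed = 0
    old_rows = db.execute("SELECT user_id, tenant_id, data FROM metadata").fetchall()
    for user_id, tenant_id, data in old_rows:
        old_roles = set(json.loads(data or "{}").get("roles", []))
        new_meta = _load(db, user_id, tenant_id)
        merged = set(new_meta.get("roles", [])) | old_roles
        if "roles" in new_meta and merged == set(new_meta["roles"]):
            continue  # already migrated
        new_meta["roles"] = sorted(merged)
        # INSERT OR REPLACE is SQLite syntax; upsert on the (user, project) key.
        db.execute("INSERT OR REPLACE INTO user_project_metadata VALUES (?, ?, ?)",
                   (user_id, tenant_id, json.dumps(new_meta)))
        changed += 1
    db.commit()
    return changed

def _load(db, user_id, project_id):
    row = db.execute("SELECT data FROM user_project_metadata "
                     "WHERE user_id = ? AND project_id = ?",
                     (user_id, project_id)).fetchone()
    return json.loads(row[0]) if row else {}

def roles_for(db, user_id, project_id):
    return sorted(_load(db, user_id, project_id).get("roles", []))
```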

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → High
Dolph Mathews (dolph) wrote :

Upgrading to critical as project roles from folsom are not utilized by grizzly.

Changed in keystone:
assignee: nobody → Jason Cannavale (jcannava)
importance: High → Critical
Dolph Mathews (dolph)
Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master

Changed in keystone:
assignee: Jason Cannavale (jcannava) → Dolph Mathews (dolph)
Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jason Cannavale (jcannava)
Changed in keystone:
assignee: Jason Cannavale (jcannava) → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Submitter: Jenkins
Branch: master

commit e551104d7c08f35d4cbf02e0c86e15c31a25d974
Author: Jason Cannavale <email address hidden>
Date: Fri Mar 8 21:13:48 2013 -0600

    Migrate roles from metadata to user_project_metadata

    migration 017 did not migrate existing roles from the metadata table
    that was created in 001. Adding a migration (20) that compares the roles
    in the metadata table (if any) and joins them to the new
    user_project_metadata role that matches the user and tenant from the old
    table. Also adding subsequent tests to check both of the issues above.
    bug 1131087

    Change-Id: I00ea6043d949c9c358827e25f05c63515fe5dea8

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-rc1 → 2013.1