Upgrading from folsom to grizzly results in all tenants/users being disabled

Bug #1167421 reported by Matt Thompson on 2013-04-10
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | | High | Dolph Mathews |
Grizzly | | High | Dolph Mathews |
Ubuntu Cloud Archive | | Undecided | Unassigned |
keystone (Ubuntu) | | Undecided | Unassigned |

Bug Description

Hi there,

I tested a Folsom to Grizzly upgrade using stock packages on Ubuntu 12.04 and noticed that upon completion of the upgrade there was a new 'enabled' column in the `user`/`project` tables and that all records within these tables had enabled set to 0. This resulted in authentication failure on users which were working prior to the upgrade. Once I ran the following, users could authenticate again:

# mysql keystone -e "update user set enabled=1"
# mysql keystone -e "update project set enabled=1"

For anyone else reading this, I knew all my users/tenants were enabled so didn't have to worry about the above statements, however in some environments there are likely to be disabled users/tenants which you'd need to take note of. You can determine this by looking at the text in the `extra` column within these two tables.

-Matt

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: New → In Progress
Dolph Mathews (dolph) on 2013-04-10
Changed in keystone:
importance: Undecided → High
tags: added: grizzly-backport-potential

Reviewed: https://review.openstack.org/26627
Committed: http://github.com/openstack/keystone/commit/61629c30ae4bc5326bcf6cc6ffeb516473130097
Submitter: Jenkins
Branch: master

commit 61629c30ae4bc5326bcf6cc6ffeb516473130097
Author: Dolph Mathews <email address hidden>
Date: Wed Apr 10 10:04:16 2013 -0500

    Use is_enabled() in folsom->grizzly upgrade (bug 1167421)

    Change-Id: Iddc10167c94deacec07cab7ec9316849263fb462

Changed in keystone:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in keystone (Ubuntu):
status: New → Confirmed

Reviewed: https://review.openstack.org/26857
Committed: http://github.com/openstack/keystone/commit/717f1aa7f6cb5f01fe16a516644c96419c6900c5
Submitter: Jenkins
Branch: stable/grizzly

commit 717f1aa7f6cb5f01fe16a516644c96419c6900c5
Author: Dolph Mathews <email address hidden>
Date: Wed Apr 10 10:04:16 2013 -0500

    Use is_enabled() in folsom->grizzly upgrade (bug 1167421)

    Change-Id: Iddc10167c94deacec07cab7ec9316849263fb462

tags: removed: grizzly-backport-potential

Hello Matt, or anyone else affected,

Accepted keystone into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/1:2013.1.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Joe Breu (breu) wrote :

davewalker - can we get this packaged for precise as well?

Adam Gandelman (gandelman-a) wrote :

Joseph- The 2013.1.1 update has also been backported to precise via the Ubuntu Cloud Archive. It is currently sitting in the precise-grizzly/proposed pocket and will be released into the main, precise-grizzly/updates pocket when the corresponding 2013.1.1 update for Raring passes verification. Watch here or subscribe to Bug #1179626 to track progress.

Matt Thompson (mattt416) on 2013-05-22
tags: added: verification-done
removed: verification-needed
Matt Thompson (mattt416) on 2013-05-22
tags: added: verification-needed
removed: verification-done
Matt Thompson (mattt416) wrote :

Packages keystone_2013.1.1-0ubuntu1_all.deb and python-keystone_2013.1.1-0ubuntu1_all.deb worked for me when upgrading from folsom to grizzly.

On a side note, this issue reported should have only been an issue when you have data like this in the "extra" column in the keystone.user table:

{"password": null, "enabled": "true", "email": null, "tenantId": "2f216605a48148f89d4390fc63e64819"}

If your data was like this, it would have migrated correctly:

{"password": null, "enabled": true, "email": null, "tenantId": "2f216605a48148f89d4390fc63e64819"}

This tripped me up as I tried doing some vanilla upgrades from folsom to grizzly using precise-proposed/folsom and precise-proposed/grizzly (which still has 1:2013.1-0ubuntu1.1~cloud0) and was unable to replicate the issue with some newly created dummy users/tenants.

Thanks!

-Matt
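
The string-versus-boolean difference described in the comment above also matters before running a blanket `update ... set enabled=1`, because that statement would re-enable accounts that were deliberately disabled. The following is an added example, not code from this bug report and not keystone's own is_enabled(): it reads the `enabled` value out of Folsom-style `extra` blobs and sorts rows into enable, keep disabled, or review by hand. The function names, the accepted string spellings, the row ids and the choice to treat a missing key as enabled are assumptions.

```python
import json

# Assumed spellings of a string-typed flag; the page itself only shows "true".
TRUE_STRINGS = {"true", "yes", "1"}
FALSE_STRINGS = {"false", "no", "0"}


def enabled_from_extra(extra_json, missing=True):
    """Return True/False for the intended state, or None if it needs manual review.

    `missing` is the state assumed when the blob has no "enabled" key (assumption).
    """
    try:
        extra = json.loads(extra_json) if extra_json else {}
    except ValueError:
        return None  # unparseable blob: do not guess
    if not isinstance(extra, dict):
        return None
    if "enabled" not in extra:
        return missing
    value = extra["enabled"]
    if isinstance(value, bool):  # JSON true / false
        return value
    if isinstance(value, str):  # JSON "true" / "false", the case from this bug
        text = value.strip().lower()
        if text in TRUE_STRINGS:
            return True
        if text in FALSE_STRINGS:
            return False
    return None  # null, numbers, unknown strings: review by hand


def audit(rows):
    """Sort (id, extra_json) rows into ids to enable, keep disabled, or review."""
    result = {"enable": [], "keep_disabled": [], "review": []}
    for row_id, extra_json in rows:
        state = enabled_from_extra(extra_json)
        key = {True: "enable", False: "keep_disabled", None: "review"}[state]
        result[key].append(row_id)
    return result


# Constructed sample rows; the first two blobs are the ones quoted in the comment above.
SAMPLE_ROWS = [
    ("u1", '{"password": null, "enabled": "true", "email": null, "tenantId": "2f216605a48148f89d4390fc63e64819"}'),
    ("u2", '{"password": null, "enabled": true, "email": null, "tenantId": "2f216605a48148f89d4390fc63e64819"}'),
    ("u3", '{"enabled": "false"}'),
    ("u4", '{"enabled": false}'),
    ("u5", '{"enabled": "maybe"}'),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Only the ids under "enable" are safe to set to 1; the ids under "keep_disabled" should stay at 0, and anything under "review" should be checked against the original `extra` text.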

tags: added: verification-done
removed: verification-needed
Thierry Carrez (ttx) on 2013-05-29
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 1:2013.1.1-0ubuntu2

---------------
keystone (1:2013.1.1-0ubuntu2) raring-proposed; urgency=low

  * Rebase against latest security updates.
  * Dropped patches:
    - debian/patches/CVE-2013-2059.patch: [678b06a]

keystone (1:2013.1.1-0ubuntu1) raring-proposed; urgency=low

  * Resynchronize with stable/grizzly (678b06a9) (LP: #1179626):
    - [678b06a] Deleted user can still create instances LP: 1166670
    - [b874c8f] keystone ipv6 tests fail LP: 1176204
    - [3aa0f45] Set defaultbranch in .gitreview to stable/grizzly
    - [c5037dd] admin_token and LDAP password show up in log in DEBUG mode
      LP: 1172195
    - [76efb5c] residual grants after delete action LP: 1125637
    - [2b5b24e] PKI support breaks memcache token backend LP: 1119641
    - [9446a99] non-default auth plugins can't be configured LP: 1157515
    - [717f1aa] Upgrading from folsom to grizzly results in all tenants/users
      being disabled (LP: #1167421)
 -- James Page <email address hidden> Fri, 17 May 2013 10:42:16 +0100

Changed in keystone (Ubuntu):
status: Confirmed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in cloud-archive:
status: New → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-1 → 2013.2