OpenStack Identity (keystone)

keystone-manage bootstrap failed to create assignment if user/project/role exists

Bug #1534140 reported by Dave Chen on 2016-01-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Dave Chen	OpenStack Identity (keystone) mitaka-2 "m2"

Bug Description

If `keystone-manage bootstrap` fails with the role already exists (this may happen if someone use OSC CLI created a role but someone else want to boostrap a set of `user`, `project` or `role` without aware of the role has already created.), the project or user can still be created successfully.

And then if redefine the role, `keystone-manage bootstrap` will still fail since `user`, `project` have been created, but `keystone-manage bootstrap` cannot handle with this.

See the example:
dave@shldeOTCopen005:~$ keystone-manage bootstrap --bootstrap-username bootstrap_user --bootstrap-project-name bootstrap_project --bootstrap-role-name admin --bootstrap-password abc123
25784 TRACE keystone details=_('Duplicate Entry'))
25784 TRACE keystone Conflict: Conflict occurred attempting to store role - Duplicate Entry
25784 TRACE keystone

change the role to `bootstrap_role` ...

dave@shldeOTCopen005:~$ keystone-manage bootstrap --bootstrap-username bootstrap_user --bootstrap-project-name bootstrap_project --bootstrap-role-name bootstrap_role --bootstrap-password abc123
25813 TRACE keystone details=_('Duplicate Entry'))
25813 TRACE keystone Conflict: Conflict occurred attempting to store project - Duplicate Entry
25813 TRACE keystone

So, if we want to boostrap again, we need delete project, user manually, this is not friendly to end user.
`keystone-manage bootstrap` should not create any `user`, `project` if the command is not executed successfully.

According to the comments from Morgan, the `user`, `project` or `role` should be created but the real issue is that assignment cannot be created if either of them exists, see the comments #2 for the updated.

See original description

Dave Chen (wei-d-chen) on 2016-01-14

Changed in keystone:
assignee:	nobody → Dave Chen (wei-d-chen)

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-01-14:

hmm, this really should have been solved by this patch: https://review.openstack.org/#/c/256969/5/keystone/cmd/cli.py

it almost seems like you're on an old branch?

Revision history for this message

Dave Chen (wei-d-chen) wrote on 2016-01-15:

@stevemar, the bug is still valid, but the exception message is changed.

How to reproduce -

1.
$ keystone-manage bootstrap --bootstrap-username bootstrap_user --bootstrap-project-name bootstrap_project --bootstrap-role-name admin --bootstrap-password abc123

Throw the following message.

TRACE keystone raise exception.RoleNotFound(role_id=role_id)
12056 TRACE keystone RoleNotFound: Could not find role: a06c765572d84bfba4acb252ba02ccdd
12056 TRACE keystone

change the role to new `bootstrap_role`, hit the following exception.
2.
$ keystone-manage bootstrap --bootstrap-username bootstrap_user --bootstrap-project-name bootstrap_project --bootstrap-role-name bootstrap_role --bootstrap-password abc123

12128 TRACE keystone File "/opt/stack/keystone/keystone/resource/backends/sql.py", line 36, in _get_project
12128 TRACE keystone raise exception.ProjectNotFound(project_id=project_id)
12128 TRACE keystone ProjectNotFound: Could not find project: f5fac91d78a94864b6b32db83c89d309
12128 TRACE keystone

I think there is two issues here.
1. user and project is created even the bootstrap failed in the first step.
2. the error message is not accurate, or maybe it should be more helpful to identify the root cause.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2016-01-15:

This is an easy fix, this needs to just add a .get_role if it already exists rather than only relying on self.role_id.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2016-01-15:

The creation behavior is correct, just needs the logic to get a role/project/etc if it was already created.

Revision history for this message

Dave Chen (wei-d-chen) wrote on 2016-01-16:

@morgan, the fix should be easy as long as the creation behavior is correct, this assumes the end user should be okay when something were created subtly but what he did is failed actually.

I am going to fix it according to your suggestion since this is easiest way to make it works in the short term.

Dave Chen (wei-d-chen) on 2016-01-17

summary:

- keystone-manage bootstrap should not create user/project if it fails
+ keystone-manage bootstrap failed to create assignment if
+ user/project/role exists

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-17: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/268738

Changed in keystone:
status:	New → In Progress

Steve Martinelli (stevemar) on 2016-01-17

Changed in keystone:
milestone:	none → mitaka-2
importance:	Undecided → Medium

OpenStack Infra (hudson-openstack) on 2016-01-18

Changed in keystone:
assignee:	Dave Chen (wei-d-chen) → Steve Martinelli (stevemar)

Steve Martinelli (stevemar) on 2016-01-18

Changed in keystone:
assignee:	Steve Martinelli (stevemar) → Dave Chen (wei-d-chen)

OpenStack Infra (hudson-openstack) on 2016-01-18

Changed in keystone:
assignee:	Dave Chen (wei-d-chen) → Steve Martinelli (stevemar)

Dave Chen (wei-d-chen) on 2016-01-19

Changed in keystone:
assignee:	Steve Martinelli (stevemar) → Dave Chen (wei-d-chen)
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-19: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/268738
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cda3853c412a79e0146e248feb315686ca2c7970
Submitter: Jenkins
Branch: master

commit cda3853c412a79e0146e248feb315686ca2c7970
Author: Dave Chen <email address hidden>
Date: Sun Jan 17 15:45:30 2016 +0800

Make sure the assignment creation use the right arguments

    `keystone-manage bootstrap` will fail to create the assignment if
    project or role exists, this is because the assignment creation
    is not using the right role id or project id.

This patch will fix this issue.

    Change-Id: I7359cfe8f573ae56556654f1eafcc75079e69ccc
    Closes-Bug: #1534140
    bp: bootstrap

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-01-21: Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.