keystone-manage bootstrap does not work for non-SQL identity drivers

Bug #1553216 reported by Matthew Edmonds
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Kristi Nikolla

Bug Description

keystone-manage bootstrap attempts to create the specified user and then handles a Conflict error as notice that the user already exists. This works for the default SQL identity driver, but does not work for drivers that do not support creating users. In order to work for all drivers, which is necessary to support role assignment bootstrapping whenever the driver configuration is changed, it should attempt to GET the user or otherwise check in a way that will work for drivers that do not support user creation.

Dolph Mathews (dolph) wrote :

To generalize this further, it sounds like the bootstrap command should become an idempotent operation?

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Dolph Mathews (dolph)
tags: added: rc-potential
Changed in keystone:
milestone: none → mitaka-rc1
Steve Martinelli (stevemar) wrote :

@dolph, it is idempotent now, but only for sql backends. The way we set things up is to issue a create call and catch a conflict exception. We could change this to be a get call first, and then create if it returns a notfound exception.

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/292492

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Kristi Nikolla (knikolla) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Kristi Nikolla (knikolla)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/293488

tags: removed: rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/293488
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4df45708a9f26107713dbc651caad64d0211fe2d
Submitter: Jenkins
Branch: master

commit 4df45708a9f26107713dbc651caad64d0211fe2d
Author: Kristi Nikolla <email address hidden>
Date: Wed Mar 16 11:07:18 2016 -0400

    Check for already present user without inserting in Bootstrap

    keystone-manage bootstrap checks for already present info in the DB
    by trying an insert and catching a Conflict exception.
    This will not work with databases where inserting a user is not
    possible. Changed the code to try a get first, and insert when
    the user is not found.

    Change-Id: If15c284aae5d10c594688c588dde9b21675ff487
    Closes-Bug: 1553216
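
The difference between the two bootstrap strategies discussed in this report, as an added example that is not keystone's code: the driver classes, exception names and function names below are hypothetical stand-ins for a writable SQL backend and a driver that does not support user creation.

```python
# Added illustration; all names here are hypothetical, not keystone's API.
class Conflict(Exception): pass
class UserNotFound(Exception): pass
class CreateNotSupported(Exception): pass


class SqlDriver:
    """Writable backend: create_user raises Conflict on a duplicate name."""
    def __init__(self, existing=()):
        self.users = {n: {"name": n} for n in existing}

    def get_user_by_name(self, name):
        try:
            return self.users[name]
        except KeyError:
            raise UserNotFound(name)

    def create_user(self, name):
        if name in self.users:
            raise Conflict(name)
        self.users[name] = {"name": name}
        return self.users[name]


class ReadOnlyDriver(SqlDriver):
    """Backend that does not support creating users at all."""
    def create_user(self, name):
        raise CreateNotSupported(name)


def bootstrap_create_first(driver, name):
    """Behaviour described in the bug: insert, treat Conflict as 'exists'."""
    try:
        return driver.create_user(name)
    except Conflict:
        return driver.get_user_by_name(name)


def bootstrap_get_first(driver, name):
    """Behaviour after the fix: look up first, insert only when not found."""
    try:
        return driver.get_user_by_name(name)
    except UserNotFound:
        return driver.create_user(name)
```

With a read-only driver that already holds the user, the create-first path fails before it can reach role assignment, while the get-first path returns the existing user; a user missing from a read-only driver still fails, but with an explicit error from the driver.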

Changed in keystone:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 9.0.0.0rc1

This issue was fixed in the openstack/keystone 9.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Kristi Nikolla (<email address hidden>) on branch: master
Review: https://review.openstack.org/292492
Reason: Avoiding user insertion is the only one which was really needed, and was accomplished in another patch. Might be worth retrying at a later time as code cleanup.
