Passwords created_at attribute could remain unset during rolling upgrade

Bug #1596500 reported by Henry Nash
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Ron De Rose |

Bug Description

Migrate 105 (in Newton) adds the password created_at attribute, and defaults it to now(). However, this is not a server default, rather it is a "write to all existing rows" at the time the DB is migrated. The following rolling upgrade sequence will cause this to remain unset:

1) Imagine a 2-node Mitaka keystone configuration (node A and B), sharing a DB
2) A rolling upgrade is started, and node A is upgraded to Newton, which will migrate the shared DB
3) Before node B can be upgraded, a new user is created with a password via node B. Since this is not running the new Newton code, the code will not know to set the created_at attribute
4) Node B is upgraded to Newton, but this will leave the user record still with created_at as None

The preferred solution would be to have a keystone-manage "rolling upgrade completion" step, which would check the DB for any rows that did not have the correct defaults set (i.e. were added during the rolling migration).
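The sequence in the bug description, reproduced against an in-memory SQLite database as an added example (not part of the original report and not keystone's code). The `password` table layout, the function names, and the backfill done by `complete_rolling_upgrade` are simplified assumptions.

```python
import sqlite3
from datetime import datetime, timezone

def now():
    return datetime.now(timezone.utc).isoformat()

def create_old_schema(db):
    # Constructed stand-in for the pre-migration table (no created_at column).
    db.execute("CREATE TABLE password (id INTEGER PRIMARY KEY, user TEXT, hash TEXT)")

def migrate_add_created_at(db):
    # Nullable column with no server default, then a one-time write to the
    # rows that exist at migration time.
    db.execute("ALTER TABLE password ADD COLUMN created_at TEXT")
    db.execute("UPDATE password SET created_at = ?", (now(),))

def old_node_create_user(db, user, pw_hash):
    # Old code predates the column, so its INSERT never mentions created_at.
    db.execute("INSERT INTO password (user, hash) VALUES (?, ?)", (user, pw_hash))

def new_node_create_user(db, user, pw_hash):
    db.execute("INSERT INTO password (user, hash, created_at) VALUES (?, ?, ?)",
               (user, pw_hash, now()))

def rows_missing_created_at(db):
    query = "SELECT user FROM password WHERE created_at IS NULL ORDER BY id"
    return [row[0] for row in db.execute(query)]

def complete_rolling_upgrade(db):
    # Hypothetical completion step: backfill rows written by old nodes after
    # the migration ran. Using the current time as the value is an assumption.
    cur = db.execute("UPDATE password SET created_at = ? WHERE created_at IS NULL",
                     (now(),))
    return cur.rowcount

def run_scenario():
    db = sqlite3.connect(":memory:")
    create_old_schema(db)
    old_node_create_user(db, "existing", "h0")    # step 1: before the upgrade
    migrate_add_created_at(db)                    # step 2: node A upgraded, DB migrated
    old_node_create_user(db, "via_node_b", "h1")  # step 3: node B still runs old code
    new_node_create_user(db, "via_node_a", "h2")
    missing_before = rows_missing_created_at(db)  # step 4: what remains unset
    fixed = complete_rolling_upgrade(db)
    return missing_before, fixed, rows_missing_created_at(db)

if __name__ == "__main__":
    print(run_scenario())
```

Only the row written through the not-yet-upgraded node is left with a NULL `created_at`; rows that existed at migration time and rows written by new code are populated.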

Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
Revision history for this message
Dolph Mathews (dolph) wrote :

I added this to the agenda for the Keystone midcycle for Newton: https://etherpad.openstack.org/p/keystone-newton-midcycle

Changed in keystone:
importance: Undecided → High
status: New → Triaged
Changed in keystone:
milestone: none → newton-3
Changed in keystone:
assignee: Henry Nash (henry-nash) → Ron De Rose (ronald-de-rose)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/355490

Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Henry Nash (henry-nash)
Changed in keystone:
assignee: Henry Nash (henry-nash) → Brant Knudson (blk-u)
Brant Knudson (blk-u)
Changed in keystone:
assignee: Brant Knudson (blk-u) → Henry Nash (henry-nash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/357789

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/362501

Changed in keystone:
assignee: Henry Nash (henry-nash) → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/362510
Reason: No longer need this patch

Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → David Stanek (dstanek)
David Stanek (dstanek)
Changed in keystone:
assignee: David Stanek (dstanek) → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/357789
Reason: Abandoning in favor of https://review.openstack.org/#/c/362501/

Steve Martinelli (stevemar) wrote :
Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
