OpenStack Identity (keystone)

Forbid invalid operations in expand, migrate, and contract repositories

Bug #1615024 reported by Dolph Mathews
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Unassigned

Bug Description

In the legacy migration repository, we've traditionally allowed any sort of database manipulation, including tables to be created, data to be migrated, columns to be dropped, etc. Recently, we introduced a constraint on those upgrades to prevent non-additive operations from occurring as a first step towards minimal downtime upgrades.

The 3 new repositories allow us to have zero downtime upgrades, but come with their own constraints that we should enforce via tests.

1. The expand repo should only be allowed to create tables, columns, indexes, and triggers. It should not be allowed to INSERT, UPDATE, or DELETE any data. It should not be allowed to drop tables, columns, indexes, or triggers.

1. The migrate repo should only be allowed to INSERT, UPDATE, and DELETE data. It should not be allowed to create or drop tables, columns, indexes, or triggers.

1. The contract repo should only be allowed to drop tables, columns, indexes, and triggers. It should not be allowed to INSERT, UPDATE, or DELETE any data. It should not be allowed to create tables, columns, indexes, or triggers.

Revision history for this message
Dolph Mathews (dolph) wrote :

Bug 1615014 and bug 1615020 also document new assertions regarding rolling upgrades.

Changed in keystone:
status: New → Triaged
Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/358723

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Henry Nash (henry-nash) → Adam Young (ayoung)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Adam Young (ayoung) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Henry Nash (henry-nash)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/358723
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=743e1102c83b41953b039ea02aa19534336797d6
Submitter: Jenkins
Branch: master

commit 743e1102c83b41953b039ea02aa19534336797d6
Author: Henry Nash <email address hidden>
Date: Sat Aug 20 11:57:30 2016 +0100

    Modify sql banned operations for each of the new repos

    This patch covers all the regular table and column operations
    across the four repos. It does not, however, check for triggers
    and indexes - which will be done in a separate patch.

    Limitations: Due to the fact that migrating versions causes an
    implicit table update (to increase the version number) we don't
    yet include checking agains inappropriate table updates of our
    own tables in the expand and data migration phases.

    Partial-Bug: #1615024
    Change-Id: Ia012c614b9a5b9af6b8bb447b39a9901caaf1fb5

Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → ocata-1
Steve Martinelli (stevemar)
Changed in keystone:
milestone: ocata-1 → ocata-2
Steve Martinelli (stevemar)
Changed in keystone:
milestone: ocata-2 → none
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Unassigning due to inactivity and so that if someone has the bandwidth to propose the rest of the fix they can.

Changed in keystone:
assignee: Henry Nash (henry-nash) → nobody
Revision history for this message
David Wilde (dave-wilde) wrote :

I don't think this is relevant with the migration to alembic. Feel free to re-open if this is still an issue.

Changed in keystone:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.