yahoo-eng-team team mailing list archive

[Bug 1131087] Re: Roles lost in Folsom to Grizzly upgrade

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1131087

Title:
  Roles lost in Folsom to Grizzly upgrade

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  In a Folsom -> Grizzly upgrade I noticed my admin user wasn't
  authorised to administer keystone any more. I had to hack my
  policy.json so I could interrogate keystone to find out why.

  keystone user-role-list has one entry. Giving my admin user the
  '_member_' role:

  | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 139113774ba44497a7fe9bbe268dfdac | 8b79e14d24e645a39be0f6bf1f68208b |

  So the "Admin" role was missing. Different roles are missing from
  other users too.

  
  Original Folsom tables:

  mysql> show tables;
  +------------------------+
  | Tables_in_keystone     |
  +------------------------+
  | ec2_credential         |
  | endpoint               |
  | metadata               |
  | migrate_version        |
  | role                   |
  | service                |
  | tenant                 |
  | token                  |
  | user                   |
  | user_tenant_membership |
  +------------------------+
  10 rows in set (0.00 sec)

  
  From what I can tell, roles used to be stored in the 'metadata' table in Folsom.

  mysql> describe metadata;
  +-----------+-------------+------+-----+---------+-------+
  | Field     | Type        | Null | Key | Default | Extra |
  +-----------+-------------+------+-----+---------+-------+
  | user_id   | varchar(64) | NO   | PRI | NULL    |       |
  | tenant_id | varchar(64) | NO   | PRI | NULL    |       |
  | data      | text        | YES  |     | NULL    |       |
  +-----------+-------------+------+-----+---------+-------+
  3 rows in set (0.01 sec)

  
  Sample row:
    user_id: 671dcaba8087487c8a28afe42b6672fa
  tenant_id: e4eee8dbc16a49dcbc76edac96674e96
       data: {"roles": ["ce685d2405f14ef09568da65b102b1e9", "75fc2fd3a6004c37bbd6c518c25cdaaa"]}

  At version 7 keystone adds a new 'user_domain_metadata' table which
  seems awfully similar to the metadata table. The metadata table is
  never touched ever again after this.

      user_domain_metadata_table = sql.Table(
          'user_domain_metadata',
          meta,
          sql.Column(
              'user_id',
              sql.String(64),
              sql.ForeignKey('user.id'),
              primary_key=True),
          sql.Column(
              'domain_id',
              sql.String(64),
              sql.ForeignKey('domain.id'),
              primary_key=True),
          sql.Column('data', sql.Text()))
      user_domain_metadata_table.create(migrate_engine, checkfirst=True)

  At version 17 there's another similar-looking 'user_project_metadata'
  table created.

  If I drop the user_project_metadata table and put my metadata table in
  its place (with column tenant_id renamed to project_id) everything
  seems to just work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1131087/+subscriptions
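
An added example, not part of the original bug report or of Keystone's code: a post-upgrade audit that compares the role ids stored as JSON in the Folsom 'metadata' table against 'user_project_metadata' and reports every grant that did not survive. It assumes 'user_project_metadata' has the columns user_id, project_id and data (inferred from the report's description of the workaround); the sample rows and ids are constructed, and SQLite stands in for MySQL so the block runs offline.

```python
import json
import sqlite3


def load_roles(conn, table, scope_col):
    """Map (user_id, scope_id) -> set of role ids from a metadata-style table."""
    grants = {}
    # Table and column names are fixed constants below, never user input.
    query = f"SELECT user_id, {scope_col}, data FROM {table}"
    for user_id, scope_id, data in conn.execute(query):
        roles = json.loads(data or "{}").get("roles", [])  # data column may be NULL
        grants[(user_id, scope_id)] = set(roles)
    return grants


def find_lost_roles(conn):
    """Return {(user_id, project_id): role ids present before the upgrade but not after}."""
    old = load_roles(conn, "metadata", "tenant_id")
    new = load_roles(conn, "user_project_metadata", "project_id")
    lost = {}
    for key, roles in old.items():
        missing = roles - new.get(key, set())
        if missing:
            lost[key] = missing
    return lost


def build_sample_db():
    """Constructed sample data: user-a loses role-admin, user-b is unaffected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metadata (user_id TEXT, tenant_id TEXT, data TEXT)")
    conn.execute("CREATE TABLE user_project_metadata "
                 "(user_id TEXT, project_id TEXT, data TEXT)")
    conn.executemany("INSERT INTO metadata VALUES (?, ?, ?)", [
        ("user-a", "proj-1", '{"roles": ["role-admin", "role-member"]}'),
        ("user-b", "proj-1", '{"roles": ["role-member"]}'),
    ])
    conn.executemany("INSERT INTO user_project_metadata VALUES (?, ?, ?)", [
        ("user-a", "proj-1", '{"roles": ["role-member"]}'),
        ("user-b", "proj-1", '{"roles": ["role-member"]}'),
    ])
    return conn


if __name__ == "__main__":
    for (user, project), roles in sorted(find_lost_roles(build_sample_db()).items()):
        print(f"user={user} project={project} lost roles: {sorted(roles)}")
```

An empty result means every pre-upgrade grant is still present; any entry is a user whose effective permissions changed during the migration.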