yahoo-eng-team team mailing list archive

[Bug 1856881] [NEW] keystone-manage bootstrap fails with ambiguous role names

 

Public bug reported:

keystone-manage fails to consider multiple roles with the same name when
it bootstraps new deployments. Specifically, the logic attempts to
filter roles by name and automatically returns the first role in the
list [0]. If there are multiple roles with the same name, for example a
global role called 'admin' and a domain-specific role called 'admin', and
the domain-specific role is returned instead of the global role,
bootstrap will fail.

Deployment tools often run bootstrap in an idempotent fashion. It's
possible to run bootstrap successfully, populate domain-specific roles,
then run bootstrap again on upgrade.

To recreate:
1. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
2. $ openstack role create --domain foo admin # create a new domain-specific role called "admin"
3. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
   $ echo $?
   1

If you grep through keystone's log file you'll see a validation error.
You can also verify this by the return code from keystone-manage, which
is 1 yet there wasn't any information logged to stdout about the
failure.

The failure looks like the following:


Captured traceback:
~~~~~~~~~~~~~~~~~~~
    b'Traceback (most recent call last):'
    b'  File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 340, in test_bootstrap_with_ambiguous_roles'
    b'    self._do_test_bootstrap(self.bootstrap)'
    b'  File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 129, in _do_test_bootstrap'
    b'    bootstrap.do_bootstrap()'
    b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/cli.py", line 180, in do_bootstrap'
    b'    self.bootstrapper.bootstrap()'
    b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 70, in bootstrap'
    b'    self._bootstrap_system_role_assignment()'
    b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 255, in _bootstrap_system_role_assignment'
    b'    self.admin_user_id, self.admin_role_id'
    b'  File "/home/lbragstad/Projects/keystone/keystone/common/manager.py", line 116, in wrapped'
    b'    __ret_val = __f(*args, **kwargs)'
    b'  File "/home/lbragstad/Projects/keystone/keystone/assignment/core.py", line 1140, in create_system_grant_for_user'
    b"    'role_id': role_id"
    b'keystone.exception.ValidationError: Role 4f86f7a9e6864eb0a6f74af7f7ef0c7c is a domain-specific role. Unable to use a domain-specific role in a system assignment.'
    b''


[0] https://opendev.org/openstack/keystone/src/commit/326b014434cc760ba08763e1870ac057f7917e98/keystone/cmd/bootstrap.py#L140

** Affects: keystone
     Importance: Medium
     Assignee: Lance Bragstad (lbragstad)
         Status: In Progress

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystone
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1856881

Title:
  keystone-manage bootstrap fails with ambiguous role names

Status in OpenStack Identity (keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1856881/+subscriptions
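
Added example (not part of the original bug report and not keystone's code): a small stand-alone model of the lookup described in the report, showing the name-only "first match" lookup next to one that also requires a global role. The role records, function names and exception class are hypothetical, and the model assumes at most one global role per name.

```python
# Added illustration: a minimal model of role lookup by name, not keystone's code.
# Role records and all function names here are hypothetical.

class ValidationError(Exception):
    pass

# Constructed sample data: a global and a domain-specific role share one name.
ROLES = [
    {"id": "r-domain", "name": "admin", "domain_id": "foo"},
    {"id": "r-global", "name": "admin", "domain_id": None},
]

def first_role_by_name(roles, name):
    """Ambiguous lookup: filter by name only and take whatever comes first."""
    return [r for r in roles if r["name"] == name][0]

def global_role_by_name(roles, name):
    """Unambiguous lookup: match the name and require a global role."""
    matches = [r for r in roles
               if r["name"] == name and r["domain_id"] is None]
    if len(matches) != 1:  # assumption: one global role per name
        raise LookupError(
            f"expected one global role named {name!r}, found {len(matches)}")
    return matches[0]

def create_system_grant(role):
    """Models the check in the traceback: no domain-specific roles here."""
    if role["domain_id"] is not None:
        raise ValidationError(f"Role {role['id']} is a domain-specific role.")
    return {"scope": "system", "role_id": role["id"]}

def bootstrap(roles, lookup):
    """Return (exit_code, grant); a rejected role maps to exit code 1."""
    try:
        return 0, create_system_grant(lookup(roles, "admin"))
    except ValidationError:
        return 1, None

if __name__ == "__main__":
    print(bootstrap(ROLES, first_role_by_name))   # depends on list order
    print(bootstrap(ROLES, global_role_by_name))  # always the global role
```

With the name-only lookup the outcome depends on the order in which the backend returns roles, which is why a second bootstrap run can fail after a domain-specific role has been created.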