yahoo-eng-team team mailing list archive
Message #81035
[Bug 1856881] [NEW] keystone-manage bootstrap fails with ambiguous role names
Public bug reported:
keystone-manage fails to consider multiple roles with the same name when
it bootstraps new deployments. Specifically, the logic attempts to
filter roles by name and automatically returns the first role in the
list [0]. If there are multiple roles with the same name, for example a
global role called 'admin' and a domain-specific role called 'admin', and
the domain-specific role is returned instead of the global role,
bootstrap will fail.
Deployment tools often run bootstrap in an idempotent fashion. It's
possible to run bootstrap successfully, populate domain-specific roles,
then run bootstrap again on upgrade.
To recreate:
1. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
2. $ openstack role create --domain foo admin # create a new domain-specific role called "admin"
3. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
$ echo $?
1
If you grep through keystone's log file you'll see a validation error.
You can also verify this by the return code from keystone-manage, which
is 1 yet there wasn't any information logged to stdout about the
failure.
The failure looks like the following:
Captured traceback:
~~~~~~~~~~~~~~~~~~~
b'Traceback (most recent call last):'
b' File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 340, in test_bootstrap_with_ambiguous_roles'
b' self._do_test_bootstrap(self.bootstrap)'
b' File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 129, in _do_test_bootstrap'
b' bootstrap.do_bootstrap()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/cli.py", line 180, in do_bootstrap'
b' self.bootstrapper.bootstrap()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 70, in bootstrap'
b' self._bootstrap_system_role_assignment()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 255, in _bootstrap_system_role_assignment'
b' self.admin_user_id, self.admin_role_id'
b' File "/home/lbragstad/Projects/keystone/keystone/common/manager.py", line 116, in wrapped'
b' __ret_val = __f(*args, **kwargs)'
b' File "/home/lbragstad/Projects/keystone/keystone/assignment/core.py", line 1140, in create_system_grant_for_user'
b" 'role_id': role_id"
b'keystone.exception.ValidationError: Role 4f86f7a9e6864eb0a6f74af7f7ef0c7c is a domain-specific role. Unable to use a domain-specific role in a system assignment.'
b''
[0] https://opendev.org/openstack/keystone/src/commit/326b014434cc760ba08763e1870ac057f7917e98/keystone/cmd/bootstrap.py#L140
** Affects: keystone
Importance: Medium
Assignee: Lance Bragstad (lbragstad)
Status: In Progress
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Status: New => Triaged
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1856881
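
The lookup problem described in the report, as an added example that is not keystone's code or part of the original message. All names (ROLES, first_role_by_name, global_role_by_name, create_system_grant, bootstrap) and the role IDs are hypothetical, and restricting the lookup to roles with no domain is one assumed way to remove the ambiguity.

```python
# Added illustration; every name and ID here is hypothetical.
class ValidationError(Exception):
    """Stand-in for the validation failure shown in the traceback."""


# Constructed role table: the listing order puts the domain-specific role
# first, which is the case the report says makes bootstrap fail.
ROLES = [
    {"id": "role-domain-admin", "name": "admin", "domain_id": "foo"},
    {"id": "role-global-admin", "name": "admin", "domain_id": None},
    {"id": "role-global-member", "name": "member", "domain_id": None},
]


def first_role_by_name(roles, name):
    """Ambiguous lookup: filter by name only and take the first hit."""
    matches = [r for r in roles if r["name"] == name]
    return matches[0]["id"] if matches else None


def global_role_by_name(roles, name):
    """Unambiguous lookup: only global roles (domain_id is None) qualify."""
    matches = [r for r in roles if r["name"] == name and r["domain_id"] is None]
    if len(matches) > 1:
        raise ValidationError("more than one global role named %r" % name)
    return matches[0]["id"] if matches else None


def create_system_grant(roles, user_id, role_id):
    """Refuse domain-specific roles in a system assignment."""
    role = next(r for r in roles if r["id"] == role_id)
    if role["domain_id"] is not None:
        raise ValidationError("Role %s is a domain-specific role." % role_id)
    return {"user_id": user_id, "role_id": role_id, "scope": "system"}


def bootstrap(roles, lookup):
    """Return (exit_code, detail) the way a CLI wrapper would."""
    try:
        grant = create_system_grant(roles, "admin-user", lookup(roles, "admin"))
    except ValidationError as exc:
        return 1, str(exc)
    return 0, grant["role_id"]


if __name__ == "__main__":
    print(bootstrap(ROLES, first_role_by_name))   # order-dependent failure
    print(bootstrap(ROLES, global_role_by_name))  # succeeds in any order
```

With the name-only lookup the outcome depends on the order in which roles are listed, so a second idempotent bootstrap run can fail after a same-named domain-specific role has been created.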