yahoo-eng-team team mailing list archive
Message #81181
[Bug 1856881] Re: keystone-manage bootstrap fails with ambiguous role names
Reviewed: https://review.opendev.org/699743
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25cf359e5fb914b855922121f20e23bd14626b8e
Submitter: Zuul
Branch: master
commit 25cf359e5fb914b855922121f20e23bd14626b8e
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Wed Dec 18 11:59:53 2019 -0600
Ensure bootstrap handles multiple roles with the same name
The bootstrap logic doesn't take into consideration multiple roles
with the same name. If bootstrap is unable to determine which role to
use and accidentally uses a domain-specific role with the same name
as a default role, bootstrap will fail in unexpected ways.
Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1856881
Title:
keystone-manage bootstrap fails with ambiguous role names
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
keystone-manage fails to consider multiple roles with the same name
when it bootstraps new deployments. Specifically, the logic attempts
to filter roles by name and automatically returns the first role in
the list [0]. If there are multiple roles with the same name, for
example a global role called 'admin' and a domain-specific role called
'admin', and the domain-specific role is returned instead of the global
role, bootstrap will fail.
Deployment tools often run bootstrap in an idempotent fashion. It's
possible to run bootstrap successfully, populate domain-specific
roles, then run bootstrap again on upgrade.
To recreate:
1. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
2. $ openstack role create --domain foo admin # create a new domain-specific role called "admin"
3. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
$ echo $?
1
If you grep through keystone's log file you'll see a validation error.
You can also verify this by the return code from keystone-manage,
which is 1 yet there wasn't any information logged to stdout about the
failure.
The failure looks like the following:
Captured traceback:
~~~~~~~~~~~~~~~~~~~
b'Traceback (most recent call last):'
b' File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 340, in test_bootstrap_with_ambiguous_roles'
b' self._do_test_bootstrap(self.bootstrap)'
b' File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 129, in _do_test_bootstrap'
b' bootstrap.do_bootstrap()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/cli.py", line 180, in do_bootstrap'
b' self.bootstrapper.bootstrap()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 70, in bootstrap'
b' self._bootstrap_system_role_assignment()'
b' File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 255, in _bootstrap_system_role_assignment'
b' self.admin_user_id, self.admin_role_id'
b' File "/home/lbragstad/Projects/keystone/keystone/common/manager.py", line 116, in wrapped'
b' __ret_val = __f(*args, **kwargs)'
b' File "/home/lbragstad/Projects/keystone/keystone/assignment/core.py", line 1140, in create_system_grant_for_user'
b" 'role_id': role_id"
b'keystone.exception.ValidationError: Role 4f86f7a9e6864eb0a6f74af7f7ef0c7c is a domain-specific role. Unable to use a domain-specific role in a system assignment.'
b''
[0] https://opendev.org/openstack/keystone/src/commit/326b014434cc760ba08763e1870ac057f7917e98/keystone/cmd/bootstrap.py#L140
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1856881/+subscriptions
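
The lookup problem described in this report, as an added example that is not part of the original message and is not keystone's code. It models "filter by name, take the first result" next to a lookup that also requires a global role; every function name, role id and the backend ordering are assumptions made for illustration.

```python
# Simplified model of the lookup described in the bug; not keystone code.
# All names (Role, pick_first_by_name, pick_global_by_name, system_grant)
# are hypothetical and the role records are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Role:
    id: str
    name: str
    domain_id: Optional[str] = None  # None means a global role


def pick_first_by_name(roles: List[Role], name: str) -> Role:
    """Ambiguous lookup: filter by name only and take the first hit."""
    return [r for r in roles if r.name == name][0]


def pick_global_by_name(roles: List[Role], name: str) -> Role:
    """Unambiguous lookup: match the name and require a global role."""
    matches = [r for r in roles if r.name == name and r.domain_id is None]
    if len(matches) != 1:
        raise LookupError(f"expected one global role {name!r}, got {len(matches)}")
    return matches[0]


def system_grant(role: Role) -> str:
    """Mirror the validation in the traceback: system scope needs a global role."""
    if role.domain_id is not None:
        raise ValueError(f"Role {role.id} is a domain-specific role.")
    return role.id


# Constructed state after step 2: backend ordering puts the domain-specific
# 'admin' ahead of the global one.
ROLES = [
    Role(id="role-domain-admin", name="admin", domain_id="foo"),
    Role(id="role-global-admin", name="admin"),
]

if __name__ == "__main__":
    try:
        system_grant(pick_first_by_name(ROLES, "admin"))
    except ValueError as exc:
        print("second bootstrap run fails:", exc)
    print("fixed lookup grants:", system_grant(pick_global_by_name(ROLES, "admin")))
```

Whether the name-only lookup fails depends on the order in which the backend returns the roles, which is why the same bootstrap command can succeed on one run and fail on a later one.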