
yahoo-eng-team team mailing list archive

[Bug 1903949] [NEW] Keystone with SAML federation is not working due to db migration lock

 

Public bug reported:

Hi,

Initially I reported a bug to the OpenStack Ansible team, but it
appears to be a keystone bug. Therefore I will try here. (Initial bug
report: https://bugs.launchpad.net/openstack-ansible/+bug/1900808)

The setup is the latest OpenStack Ussuri configured with Shibboleth2
(mod_shibd) and keystone-21.1.1.dev1.

The problem: the OpenStack Ansible plays populate the keystone db and then do:
keystone-manage db_sync --expand
keystone-manage db_sync --migrate
keystone-manage db_sync --contract

After a while, it will try to create an identity provider, but this fails due to the SQL trigger:
https://docs.openstack.org/keystone/ussuri/_modules/keystone/common/sql/expand_repo/versions/012_expand_add_domain_id_to_idp.html

Keystone log output: http://paste.openstack.org/show/799241/

To my understanding, the SQL trigger should be dropped during the
"keystone-manage db_sync --contract", but it's not.

If you run the db_sync --contract again it will correctly drop the
trigger.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1903949

Title:
  Keystone with SAML federation is not working due to db migration lock

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1903949/+subscriptions