Reviewed:  https://review.opendev.org/699743
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25cf359e5fb914b855922121f20e23bd14626b8e
Submitter: Zuul
Branch:    master
commit 25cf359e5fb914b855922121f20e23bd14626b8e
Author: Lance Bragstad <[email protected]>
Date:   Wed Dec 18 11:59:53 2019 -0600

    Ensure bootstrap handles multiple roles with the same name

    The bootstrap logic doesn't take into consideration multiple roles
    with the same name. If bootstrap is unable to determine which role to
    use and accidentally uses a domain-specific role with the same name as
    a default role, bootstrap will fail in unexpected ways.

    Closes-Bug: 1856881
    Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1856881

Title:
  keystone-manage bootstrap fails with ambiguous role names

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  keystone-manage fails to consider multiple roles with the same name
  when it bootstraps new deployments. Specifically, the logic attempts to
  filter roles by name and automatically returns the first role in the
  list [0]. If there are multiple roles with the same name, for example a
  global role called 'admin' and a domain-specific role called 'admin',
  and the domain-specific role is returned instead of the global role,
  bootstrap will fail.

  Deployment tools often run bootstrap in an idempotent fashion. It's
  possible to run bootstrap successfully, populate domain-specific roles,
  then run bootstrap again on upgrade.

  To recreate:

  1. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
  2. $ openstack role create --domain foo admin  # create a new domain-specific role called "admin"
  3. $ keystone-manage bootstrap --bootstrap-password $PASSWORD
     $ echo $?
     1

  If you grep through keystone's log file you'll see a validation error.
  You can also verify this by the return code from keystone-manage, which
  is 1, yet there wasn't any information logged to stdout about the
  failure.
  The failure looks like the following:

  Captured traceback:
  ~~~~~~~~~~~~~~~~~~~
      b'Traceback (most recent call last):'
      b'  File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 340, in test_bootstrap_with_ambiguous_roles'
      b'    self._do_test_bootstrap(self.bootstrap)'
      b'  File "/home/lbragstad/Projects/keystone/keystone/tests/unit/test_cli.py", line 129, in _do_test_bootstrap'
      b'    bootstrap.do_bootstrap()'
      b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/cli.py", line 180, in do_bootstrap'
      b'    self.bootstrapper.bootstrap()'
      b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 70, in bootstrap'
      b'    self._bootstrap_system_role_assignment()'
      b'  File "/home/lbragstad/Projects/keystone/keystone/cmd/bootstrap.py", line 255, in _bootstrap_system_role_assignment'
      b'    self.admin_user_id, self.admin_role_id'
      b'  File "/home/lbragstad/Projects/keystone/keystone/common/manager.py", line 116, in wrapped'
      b'    __ret_val = __f(*args, **kwargs)'
      b'  File "/home/lbragstad/Projects/keystone/keystone/assignment/core.py", line 1140, in create_system_grant_for_user'
      b"    'role_id': role_id"
      b'keystone.exception.ValidationError: Role 4f86f7a9e6864eb0a6f74af7f7ef0c7c is a domain-specific role. Unable to use a domain-specific role in a system assignment.'
      b''

  [0] https://opendev.org/openstack/keystone/src/commit/326b014434cc760ba08763e1870ac057f7917e98/keystone/cmd/bootstrap.py#L140
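The ambiguity the report describes, as an added Python illustration that is not keystone's own code: a name-only lookup that takes the first match, beside one way to resolve it (also requiring domain_id None and insisting on a unique hit), both fed into the domain-specific check that produced the ValidationError in the traceback. The role dicts, ids and function names are constructed for the example.

```python
# Added illustration of bug 1856881, not keystone's own code. Role records are
# constructed dicts shaped like keystone roles: a global role has domain_id
# None, a domain-specific role carries its domain_id. Function names are mine.
# Constructed sample data: the domain-specific 'admin' comes first, which is
# exactly what a name-only lookup that takes the first hit trips on.
ROLES = [
    {"id": "dom-admin-id", "name": "admin", "domain_id": "foo-domain-id"},
    {"id": "global-admin-id", "name": "admin", "domain_id": None},
    {"id": "global-reader-id", "name": "reader", "domain_id": None},
]


def find_role_first_match(roles, name):
    """Lookup as the bug report describes it: filter by name, take roles[0]."""
    matches = [r for r in roles if r["name"] == name]
    return matches[0] if matches else None


def find_global_role(roles, name):
    """Corrected lookup: require domain_id None as well as the name, and refuse
    to guess when that still does not yield exactly one role."""
    matches = [r for r in roles if r["name"] == name and r["domain_id"] is None]
    if len(matches) != 1:
        raise LookupError(f"expected one global role named {name!r}, "
                          f"found {len(matches)}")
    return matches[0]


def create_system_grant(role):
    """Mirrors the check behind the ValidationError in the traceback: system
    assignments reject domain-specific roles."""
    if role["domain_id"] is not None:
        raise ValueError(f"Role {role['id']} is a domain-specific role. Unable "
                         "to use a domain-specific role in a system assignment.")
    return {"role_id": role["id"], "target": "system"}


def bootstrap_admin_grant(roles, lookup, name="admin"):
    """One bootstrap step: resolve the admin role, then grant it on the system.
    Returns the grant dict, or the error message if the step would fail."""
    try:
        return create_system_grant(lookup(roles, name))
    except (LookupError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    print(bootstrap_admin_grant(ROLES, find_role_first_match))  # the failure
    print(bootstrap_admin_grant(ROLES, find_global_role))       # the fix
```

Re-running the second lookup after domain-specific roles have been added still returns the same global role, which is what an idempotent bootstrap needs.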

