[keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs fails with fine-grained admin permissions

Marek Posolda mposolda at redhat.com
Thu Aug 9 13:04:40 EDT 2018 

Hi Thomas,

rather a 4.3.x release with the fix.

Marek

On 09/08/18 12:42, Thomas Darimont wrote:
> Awesome thanks Hynek et al.,
>
> Are you planning a new 4.2.x or rather a 4.3.x release with the fix?
>
> Cheers,
> Thomas
>
> Hynek Mlnarik <hmlnarik at redhat.com> schrieb am Mi., 8. Aug. 2018, 11:03:
>
>> The fix has been merged to latest master.
>>
>> On Wed, Aug 8, 2018 at 9:35 AM Schuster Sebastian (INST/ESY1) <
>> Sebastian.Schuster at bosch-si.com> wrote:
>>
>>> Thanks for fixing this so fast!
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Sebastian
>>>
>>>
>>>
>>> Mit freundlichen Grüßen / Best regards
>>>
>>>
>>> *Dr.-Ing. Sebastian Schuster *
>>> Engineering and Support (INST/ESY1)
>>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>>> GERMANY | www.bosch-si.com
>>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>>> Sebastian.Schuster at bosch-si.com
>>>
>>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
>>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
>>> Dr. Stefan Ferber, Michael Hahn
>>>
>>>
>>>
>>> *From:* Pedro Igor Silva <psilva at redhat.com>
>>> *Sent:* Mittwoch, 8. August 2018 00:31
>>> *To:* Hynek Mlnarik <hmlnarik at redhat.com>
>>> *Cc:* Thomas Darimont <thomas.darimont at googlemail.com>; keycloak-dev <
>>> keycloak-dev at lists.jboss.org>; Schuster Sebastian (INST/ESY1) <
>>> Sebastian.Schuster at bosch-si.com>
>>> *Subject:* Re: [keycloak-dev] Migration to 4.2.1 extracting
>>> RESOURCE_URIs fails with fine-grained admin permissions
>>>
>>>
>>>
>>> Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
>>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik at redhat.com>
>>> wrote:
>>>
>>> Apologies for this oversight, this will be fixed in the next version.
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-8003
>>>
>>>
>>> On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
>>> thomas.darimont at googlemail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I was just bitten by this as well 3hours ago, but thankfully only in our
>>>> staging environment. We had only one entry
>>>> in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri
>>> and
>>>> icon_uri column.
>>>> This caused the migration to fail. In our prod env I there was no entry
>>> in
>>>> that table, so the migration went through.
>>>> As a quick fix in the staging env I just changed those uris to
>>>> http://doesnotexist.local and http://doesnotexist.local/icon
>>> respectively
>>>> to see make it pass.
>>>>
>>>> It seems that I triggered the creation of those entries in the
>>>> RESOURCE_SERVER_RESOURCE table when
>>>> I activated and deactivated the authz support for a client.
>>>>
>>>> I think this should be addressed in the migrations. There should be at
>>>> least a note about that in the migration guides.
>>>> It took me a while to find the table that contained the null values that
>>>> were indirectly causing the migration to fail.
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
>>>> Sebastian.Schuster at bosch-si.com> wrote:
>>>>
>>>>> Hi everybody,
>>>>>
>>>>> I just noticed that 4.2.1 contains a migration
>>>>> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column
>>> from
>>>> the
>>>>> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
>>>>> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri
>>> column
>>>>> (called VALUE). The accompanying data migration
>>>>> AuthzResourceUseMoreURIs.java selects rows from the old table and
>>> inserts
>>>>> URIs it into the new. This fails for all resources that did not have a
>>>> URI
>>>>> before because of the NOT NULL constraint, for example for
>>>>> Keycloak-internal resources like groups that don’t have a URI.
>>>>>
>>>>> Is this intended behavior?
>>>>>
>>>>> Best regards,
>>>>> Sebastian
>>>>>
>>>>> Mit freundlichen Grüßen / Best regards
>>>>>
>>>>> Dr.-Ing. Sebastian Schuster
>>>>>
>>>>> Engineering and Support (INST/ESY1)
>>>>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>>>>> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
>>>>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>>>>> Sebastian.Schuster at bosch-si.com<mailto:
>>> Sebastian.Schuster at bosch-si.com>
>>>>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411
>>> B
>>>>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
>>> Dr.
>>>>> Stefan Ferber, Michael Hahn
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list