10:08 a.m.
Hi everybody,
I just noticed that 4.2.1 contains a migration (jpa-changelog-authz-4.2.0.Final.xml) that
extracts the URI column from the RESOURCE_SERVER_RESOURCE table and puts it into a
separate table RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
(called VALUE). The accompanying data migration AuthzResourceUseMoreURIs.java selects rows
from the old table and inserts URIs it into the new. This fails for all resources that did
not have a URI before because of the NOT NULL constraint, for example for
Keycloak-internal resources like groups that don’t have a URI.
Is this intended behavior?
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,
Michael Hahn
11:09 a.m.
Hello,
I was just bitten by this as well 3hours ago, but thankfully only in our
staging environment. We had only one entry
in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
icon_uri column.
This caused the migration to fail. In our prod env I there was no entry in
that table, so the migration went through.
As a quick fix in the staging env I just changed those uris to
http://doesnotexist.local and http://doesnotexist.local/icon respectively
to see make it pass.
It seems that I triggered the creation of those entries in the
RESOURCE_SERVER_RESOURCE table when
I activated and deactivated the authz support for a client.
I think this should be addressed in the migrations. There should be at
least a note about that in the migration guides.
It took me a while to find the table that contained the null values that
were indirectly causing the migration to fail.
Cheers,
Thomas
On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
Hi everybody,
I just noticed that 4.2.1 contains a migration
(jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from the
RESOURCE_SERVER_RESOURCE table and puts it into a separate table
RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
(called VALUE). The accompanying data migration
AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
URIs it into the new. This fails for all resources that did not have a URI
before because of the NOT NULL constraint, for example for
Keycloak-internal resources like groups that don’t have a URI.
Is this intended behavior?
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
GERMANY | www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
Stefan Ferber, Michael Hahn
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:06 p.m.
Will fix that. Also looking why migration test is not catching this ...
On Tue, Aug 7, 2018 at 1:09 PM, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hello,
I was just bitten by this as well 3hours ago, but thankfully only in our
staging environment. We had only one entry
in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
icon_uri column.
This caused the migration to fail. In our prod env I there was no entry in
that table, so the migration went through.
As a quick fix in the staging env I just changed those uris to
http://doesnotexist.local and http://doesnotexist.local/icon respectively
to see make it pass.
It seems that I triggered the creation of those entries in the
RESOURCE_SERVER_RESOURCE table when
I activated and deactivated the authz support for a client.
I think this should be addressed in the migrations. There should be at
least a note about that in the migration guides.
It took me a while to find the table that contained the null values that
were indirectly causing the migration to fail.
Cheers,
Thomas
On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
> Hi everybody,
>
> I just noticed that 4.2.1 contains a migration
> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from
the
> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
> (called VALUE). The accompanying data migration
> AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
> URIs it into the new. This fails for all resources that did not have a
URI
> before because of the NOT NULL constraint, for example for
> Keycloak-internal resources like groups that don’t have a URI.
>
> Is this intended behavior?
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:08 p.m.
Apologies for this oversight, this will be fixed in the next version.
https://issues.jboss.org/browse/KEYCLOAK-8003
On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hello,
I was just bitten by this as well 3hours ago, but thankfully only in our
staging environment. We had only one entry
in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
icon_uri column.
This caused the migration to fail. In our prod env I there was no entry in
that table, so the migration went through.
As a quick fix in the staging env I just changed those uris to
http://doesnotexist.local and http://doesnotexist.local/icon respectively
to see make it pass.
It seems that I triggered the creation of those entries in the
RESOURCE_SERVER_RESOURCE table when
I activated and deactivated the authz support for a client.
I think this should be addressed in the migrations. There should be at
least a note about that in the migration guides.
It took me a while to find the table that contained the null values that
were indirectly causing the migration to fail.
Cheers,
Thomas
On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
> Hi everybody,
>
> I just noticed that 4.2.1 contains a migration
> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from
the
> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
> (called VALUE). The accompanying data migration
> AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
> URIs it into the new. This fails for all resources that did not have a
URI
> before because of the NOT NULL constraint, for example for
> Keycloak-internal resources like groups that don’t have a URI.
>
> Is this intended behavior?
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:31 p.m.
Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Apologies for this oversight, this will be fixed in the next
version.
https://issues.jboss.org/browse/KEYCLOAK-8003
On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello,
>
> I was just bitten by this as well 3hours ago, but thankfully only in our
> staging environment. We had only one entry
> in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri
and
> icon_uri column.
> This caused the migration to fail. In our prod env I there was no entry
in
> that table, so the migration went through.
> As a quick fix in the staging env I just changed those uris to
> http://doesnotexist.local and http://doesnotexist.local/icon
respectively
> to see make it pass.
>
> It seems that I triggered the creation of those entries in the
> RESOURCE_SERVER_RESOURCE table when
> I activated and deactivated the authz support for a client.
>
> I think this should be addressed in the migrations. There should be at
> least a note about that in the migration guides.
> It took me a while to find the table that contained the null values that
> were indirectly causing the migration to fail.
>
> Cheers,
> Thomas
>
> On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster(a)bosch-si.com> wrote:
>
> > Hi everybody,
> >
> > I just noticed that 4.2.1 contains a migration
> > (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column
from
> the
> > RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> > RESOURCE_URIS. This table has a NOT NULL constraint on the new uri
column
> > (called VALUE). The accompanying data migration
> > AuthzResourceUseMoreURIs.java selects rows from the old table and
inserts
> > URIs it into the new. This fails for all resources that did not have a
> URI
> > before because of the NOT NULL constraint, for example for
> > Keycloak-internal resources like groups that don’t have a URI.
> >
> > Is this intended behavior?
> >
> > Best regards,
> > Sebastian
> >
> > Mit freundlichen Grüßen / Best regards
> >
> > Dr.-Ing. Sebastian Schuster
> >
> > Engineering and Support (INST/ESY1)
> > Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> > GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> > Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> > Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com
>
> >
> > Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> > Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
Dr.
> > Stefan Ferber, Michael Hahn
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:35 a.m.
Thanks for fixing this so fast!
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,
Michael Hahn
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Mittwoch, 8. August 2018 00:31
To: Hynek Mlnarik <hmlnarik(a)redhat.com>
Cc: Thomas Darimont <thomas.darimont(a)googlemail.com>; keycloak-dev
<keycloak-dev(a)lists.jboss.org>; Schuster Sebastian (INST/ESY1)
<Sebastian.Schuster(a)bosch-si.com>
Subject: Re: [keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs fails with
fine-grained admin permissions
Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik
<hmlnarik@redhat.com<mailto:hmlnarik@redhat.com>> wrote:
Apologies for this oversight, this will be fixed in the next version.
https://issues.jboss.org/browse/KEYCLOAK-8003
On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
thomas.darimont@googlemail.com<mailto:thomas.darimont@googlemail.com>> wrote:
Hello,
I was just bitten by this as well 3hours ago, but thankfully only in our
staging environment. We had only one entry
in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
icon_uri column.
This caused the migration to fail. In our prod env I there was no entry in
that table, so the migration went through.
As a quick fix in the staging env I just changed those uris to
http://doesnotexist.local and http://doesnotexist.local/icon respectively
to see make it pass.
It seems that I triggered the creation of those entries in the
RESOURCE_SERVER_RESOURCE table when
I activated and deactivated the authz support for a client.
I think this should be addressed in the migrations. There should be at
least a note about that in the migration guides.
It took me a while to find the table that contained the null values that
were indirectly causing the migration to fail.
Cheers,
Thomas
On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>>
wrote:
> Hi everybody,
>
> I just noticed that 4.2.1 contains a migration
> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from
the
> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
> (called VALUE). The accompanying data migration
> AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
> URIs it into the new. This fails for all resources that did not have a
URI
> before because of the NOT NULL constraint, for example for
> Keycloak-internal resources like groups that don’t have a URI.
>
> Is this intended behavior?
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY |
www.bosch-si.com<http://www.bosch-si.com><http://www.bosch-si.co...
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>
Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com><mailto:Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com>>
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:03 a.m.
The fix has been merged to latest master.
On Wed, Aug 8, 2018 at 9:35 AM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
Thanks for fixing this so fast!
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
*Dr.-Ing. Sebastian Schuster *
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster(a)bosch-si.com
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
Stefan Ferber, Michael Hahn
*From:* Pedro Igor Silva <psilva(a)redhat.com>
*Sent:* Mittwoch, 8. August 2018 00:31
*To:* Hynek Mlnarik <hmlnarik(a)redhat.com>
*Cc:* Thomas Darimont <thomas.darimont(a)googlemail.com>; keycloak-dev <
keycloak-dev(a)lists.jboss.org>; Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com>
*Subject:* Re: [keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs
fails with fine-grained admin permissions
Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Apologies for this oversight, this will be fixed in the next version.
https://issues.jboss.org/browse/KEYCLOAK-8003
On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello,
>
> I was just bitten by this as well 3hours ago, but thankfully only in our
> staging environment. We had only one entry
> in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri
and
> icon_uri column.
> This caused the migration to fail. In our prod env I there was no entry
in
> that table, so the migration went through.
> As a quick fix in the staging env I just changed those uris to
> http://doesnotexist.local and http://doesnotexist.local/icon
respectively
> to see make it pass.
>
> It seems that I triggered the creation of those entries in the
> RESOURCE_SERVER_RESOURCE table when
> I activated and deactivated the authz support for a client.
>
> I think this should be addressed in the migrations. There should be at
> least a note about that in the migration guides.
> It took me a while to find the table that contained the null values that
> were indirectly causing the migration to fail.
>
> Cheers,
> Thomas
>
> On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster(a)bosch-si.com> wrote:
>
> > Hi everybody,
> >
> > I just noticed that 4.2.1 contains a migration
> > (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from
> the
> > RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> > RESOURCE_URIS. This table has a NOT NULL constraint on the new uri
column
> > (called VALUE). The accompanying data migration
> > AuthzResourceUseMoreURIs.java selects rows from the old table and
inserts
> > URIs it into the new. This fails for all resources that did not have a
> URI
> > before because of the NOT NULL constraint, for example for
> > Keycloak-internal resources like groups that don’t have a URI.
> >
> > Is this intended behavior?
> >
> > Best regards,
> > Sebastian
> >
> > Mit freundlichen Grüßen / Best regards
> >
> > Dr.-Ing. Sebastian Schuster
> >
> > Engineering and Support (INST/ESY1)
> > Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> > GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> > Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> > Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com
>
> >
> > Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> > Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
Dr.
> > Stefan Ferber, Michael Hahn
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:42 a.m.
Awesome thanks Hynek et al.,
Are you planning a new 4.2.x or rather a 4.3.x release with the fix?
Cheers,
Thomas
Hynek Mlnarik <hmlnarik(a)redhat.com> schrieb am Mi., 8. Aug. 2018, 11:03:
The fix has been merged to latest master.
On Wed, Aug 8, 2018 at 9:35 AM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
> Thanks for fixing this so fast!
>
>
>
> Best regards,
>
> Sebastian
>
>
>
> Mit freundlichen Grüßen / Best regards
>
>
> *Dr.-Ing. Sebastian Schuster *
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster(a)bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
> Dr. Stefan Ferber, Michael Hahn
>
>
>
> *From:* Pedro Igor Silva <psilva(a)redhat.com>
> *Sent:* Mittwoch, 8. August 2018 00:31
> *To:* Hynek Mlnarik <hmlnarik(a)redhat.com>
> *Cc:* Thomas Darimont <thomas.darimont(a)googlemail.com>; keycloak-dev <
> keycloak-dev(a)lists.jboss.org>; Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster(a)bosch-si.com>
> *Subject:* Re: [keycloak-dev] Migration to 4.2.1 extracting
> RESOURCE_URIs fails with fine-grained admin permissions
>
>
>
> Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
>
>
>
> On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik(a)redhat.com>
> wrote:
>
> Apologies for this oversight, this will be fixed in the next version.
>
> https://issues.jboss.org/browse/KEYCLOAK-8003
>
>
> On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
> > Hello,
> >
> > I was just bitten by this as well 3hours ago, but thankfully only in our
> > staging environment. We had only one entry
> > in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri
> and
> > icon_uri column.
> > This caused the migration to fail. In our prod env I there was no entry
> in
> > that table, so the migration went through.
> > As a quick fix in the staging env I just changed those uris to
> > http://doesnotexist.local and http://doesnotexist.local/icon
> respectively
> > to see make it pass.
> >
> > It seems that I triggered the creation of those entries in the
> > RESOURCE_SERVER_RESOURCE table when
> > I activated and deactivated the authz support for a client.
> >
> > I think this should be addressed in the migrations. There should be at
> > least a note about that in the migration guides.
> > It took me a while to find the table that contained the null values that
> > were indirectly causing the migration to fail.
> >
> > Cheers,
> > Thomas
> >
> > On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
> > Sebastian.Schuster(a)bosch-si.com> wrote:
> >
> > > Hi everybody,
> > >
> > > I just noticed that 4.2.1 contains a migration
> > > (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column
> from
> > the
> > > RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> > > RESOURCE_URIS. This table has a NOT NULL constraint on the new uri
> column
> > > (called VALUE). The accompanying data migration
> > > AuthzResourceUseMoreURIs.java selects rows from the old table and
> inserts
> > > URIs it into the new. This fails for all resources that did not have a
> > URI
> > > before because of the NOT NULL constraint, for example for
> > > Keycloak-internal resources like groups that don’t have a URI.
> > >
> > > Is this intended behavior?
> > >
> > > Best regards,
> > > Sebastian
> > >
> > > Mit freundlichen Grüßen / Best regards
> > >
> > > Dr.-Ing. Sebastian Schuster
> > >
> > > Engineering and Support (INST/ESY1)
> > > Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> > > GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> > > Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> > > Sebastian.Schuster(a)bosch-si.com<mailto:
> Sebastian.Schuster(a)bosch-si.com>
> > >
> > > Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411
> B
> > > Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
> Dr.
> > > Stefan Ferber, Michael Hahn
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
12:04 p.m.
Hi Thomas,
rather a 4.3.x release with the fix.
Marek
On 09/08/18 12:42, Thomas Darimont wrote:
Awesome thanks Hynek et al.,
Are you planning a new 4.2.x or rather a 4.3.x release with the fix?
Cheers,
Thomas
Hynek Mlnarik <hmlnarik(a)redhat.com> schrieb am Mi., 8. Aug. 2018, 11:03:
> The fix has been merged to latest master.
>
> On Wed, Aug 8, 2018 at 9:35 AM Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster(a)bosch-si.com> wrote:
>
>> Thanks for fixing this so fast!
>>
>>
>>
>> Best regards,
>>
>> Sebastian
>>
>>
>>
>> Mit freundlichen Grüßen / Best regards
>>
>>
>> *Dr.-Ing. Sebastian Schuster *
>> Engineering and Support (INST/ESY1)
>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>> GERMANY | www.bosch-si.com
>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>> Sebastian.Schuster(a)bosch-si.com
>>
>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
>> Dr. Stefan Ferber, Michael Hahn
>>
>>
>>
>> *From:* Pedro Igor Silva <psilva(a)redhat.com>
>> *Sent:* Mittwoch, 8. August 2018 00:31
>> *To:* Hynek Mlnarik <hmlnarik(a)redhat.com>
>> *Cc:* Thomas Darimont <thomas.darimont(a)googlemail.com>; keycloak-dev <
>> keycloak-dev(a)lists.jboss.org>; Schuster Sebastian (INST/ESY1) <
>> Sebastian.Schuster(a)bosch-si.com>
>> *Subject:* Re: [keycloak-dev] Migration to 4.2.1 extracting
>> RESOURCE_URIs fails with fine-grained admin permissions
>>
>>
>>
>> Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
>>
>>
>>
>> On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik(a)redhat.com>
>> wrote:
>>
>> Apologies for this oversight, this will be fixed in the next version.
>>
>> https://issues.jboss.org/browse/KEYCLOAK-8003
>>
>>
>> On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
>> thomas.darimont(a)googlemail.com> wrote:
>>
>>> Hello,
>>>
>>> I was just bitten by this as well 3hours ago, but thankfully only in our
>>> staging environment. We had only one entry
>>> in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri
>> and
>>> icon_uri column.
>>> This caused the migration to fail. In our prod env I there was no entry
>> in
>>> that table, so the migration went through.
>>> As a quick fix in the staging env I just changed those uris to
>>> http://doesnotexist.local and http://doesnotexist.local/icon
>> respectively
>>> to see make it pass.
>>>
>>> It seems that I triggered the creation of those entries in the
>>> RESOURCE_SERVER_RESOURCE table when
>>> I activated and deactivated the authz support for a client.
>>>
>>> I think this should be addressed in the migrations. There should be at
>>> least a note about that in the migration guides.
>>> It took me a while to find the table that contained the null values that
>>> were indirectly causing the migration to fail.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
>>> Sebastian.Schuster(a)bosch-si.com> wrote:
>>>
>>>> Hi everybody,
>>>>
>>>> I just noticed that 4.2.1 contains a migration
>>>> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column
>> from
>>> the
>>>> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
>>>> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri
>> column
>>>> (called VALUE). The accompanying data migration
>>>> AuthzResourceUseMoreURIs.java selects rows from the old table and
>> inserts
>>>> URIs it into the new. This fails for all resources that did not have a
>>> URI
>>>> before because of the NOT NULL constraint, for example for
>>>> Keycloak-internal resources like groups that don’t have a URI.
>>>>
>>>> Is this intended behavior?
>>>>
>>>> Best regards,
>>>> Sebastian
>>>>
>>>> Mit freundlichen Grüßen / Best regards
>>>>
>>>> Dr.-Ing. Sebastian Schuster
>>>>
>>>> Engineering and Support (INST/ESY1)
>>>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>>>> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
>>>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>>>> Sebastian.Schuster(a)bosch-si.com<mailto:
>> Sebastian.Schuster(a)bosch-si.com>
>>>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411
>> B
>>>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
>> Dr.
>>>> Stefan Ferber, Michael Hahn
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2332
days inactive
2334
days old
8 comments
5 participants
participants (5)
-
Hynek Mlnarik -
Marek Posolda -
Pedro Igor Silva -
Schuster Sebastian (INST/ESY1) -
Thomas Darimont