[keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs fails with fine-grained admin permissions

Thomas Darimont thomas.darimont at googlemail.com
Tue Aug 7 12:09:09 EDT 2018


Hello,

I was just bitten by this as well 3hours ago, but thankfully only in our
staging environment. We had only one entry
in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
icon_uri column.
This caused the migration to fail. In our prod env I there was no entry in
that table, so the migration went through.
As a quick fix in the staging env I just changed those uris to
http://doesnotexist.local and http://doesnotexist.local/icon respectively
to see make it pass.

It seems that I triggered the creation of those entries in the
RESOURCE_SERVER_RESOURCE table when
I activated and deactivated the authz support for a client.

I think this should be addressed in the migrations. There should be at
least a note about that in the migration guides.
It took me a while to find the table that contained the null values that
were indirectly causing the migration to fail.

Cheers,
Thomas

On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> Hi everybody,
>
> I just noticed that 4.2.1 contains a migration
> (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from the
> RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
> (called VALUE). The accompanying data migration
> AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
> URIs it into the new. This fails for all resources that did not have a URI
> before because of the NOT NULL constraint, for example for
> Keycloak-internal resources like groups that don’t have a URI.
>
> Is this intended behavior?
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com<mailto:Sebastian.Schuster at bosch-si.com>
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


More information about the keycloak-dev mailing list