[keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs fails with fine-grained admin permissions

Pedro Igor Silva psilva at redhat.com
Tue Aug 7 14:06:03 EDT 2018


Will fix that. Also looking why migration test is not catching this ...

On Tue, Aug 7, 2018 at 1:09 PM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello,
>
> I was just bitten by this as well 3hours ago, but thankfully only in our
> staging environment. We had only one entry
> in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
> icon_uri column.
> This caused the migration to fail. In our prod env I there was no entry in
> that table, so the migration went through.
> As a quick fix in the staging env I just changed those uris to
> http://doesnotexist.local and http://doesnotexist.local/icon respectively
> to see make it pass.
>
> It seems that I triggered the creation of those entries in the
> RESOURCE_SERVER_RESOURCE table when
> I activated and deactivated the authz support for a client.
>
> I think this should be addressed in the migrations. There should be at
> least a note about that in the migration guides.
> It took me a while to find the table that contained the null values that
> were indirectly causing the migration to fail.
>
> Cheers,
> Thomas
>
> On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster at bosch-si.com> wrote:
>
> > Hi everybody,
> >
> > I just noticed that 4.2.1 contains a migration
> > (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from
> the
> > RESOURCE_SERVER_RESOURCE table and puts it into a separate table
> > RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
> > (called VALUE). The accompanying data migration
> > AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
> > URIs it into the new. This fails for all resources that did not have a
> URI
> > before because of the NOT NULL constraint, for example for
> > Keycloak-internal resources like groups that don’t have a URI.
> >
> > Is this intended behavior?
> >
> > Best regards,
> > Sebastian
> >
> > Mit freundlichen Grüßen / Best regards
> >
> > Dr.-Ing. Sebastian Schuster
> >
> > Engineering and Support (INST/ESY1)
> > Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> > GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> > Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> > Sebastian.Schuster at bosch-si.com<mailto:Sebastian.Schuster at bosch-si.com>
> >
> > Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> > Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> > Stefan Ferber, Michael Hahn
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


More information about the keycloak-dev mailing list