[keycloak-dev] Migration to 4.2.1 extracting RESOURCE_URIs fails with fine-grained admin permissions

Thomas Darimont thomas.darimont at googlemail.com
Thu Aug 9 06:42:59 EDT 2018


Awesome thanks Hynek et al.,

Are you planning a new 4.2.x or rather a 4.3.x release with the fix?

Cheers,
Thomas

Hynek Mlnarik <hmlnarik at redhat.com> wrote on Wed, Aug 8, 2018, 11:03:

> The fix has been merged to latest master.
>
> On Wed, Aug 8, 2018 at 9:35 AM Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster at bosch-si.com> wrote:
>
>> Thanks for fixing this so fast!
>>
>>
>>
>> Best regards,
>>
>> Sebastian
>>
>>
>>
>> Kind regards / Best regards
>>
>>
>> *Dr.-Ing. Sebastian Schuster *
>> Engineering and Support (INST/ESY1)
>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>> GERMANY | www.bosch-si.com
>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>> Sebastian.Schuster at bosch-si.com
>>
>> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
>> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management:
>> Dr. Stefan Ferber, Michael Hahn
>>
>>
>>
>> *From:* Pedro Igor Silva <psilva at redhat.com>
>> *Sent:* Wednesday, August 8, 2018 00:31
>> *To:* Hynek Mlnarik <hmlnarik at redhat.com>
>> *Cc:* Thomas Darimont <thomas.darimont at googlemail.com>; keycloak-dev <
>> keycloak-dev at lists.jboss.org>; Schuster Sebastian (INST/ESY1) <
>> Sebastian.Schuster at bosch-si.com>
>> *Subject:* Re: [keycloak-dev] Migration to 4.2.1 extracting
>> RESOURCE_URIs fails with fine-grained admin permissions
>>
>>
>>
>> Sent a PR: https://github.com/keycloak/keycloak/pull/5446.
>>
>>
>>
>> On Tue, Aug 7, 2018 at 3:08 PM, Hynek Mlnarik <hmlnarik at redhat.com>
>> wrote:
>>
>> Apologies for this oversight, this will be fixed in the next version.
>>
>> https://issues.jboss.org/browse/KEYCLOAK-8003
>>
>>
>> On Tue, Aug 7, 2018 at 7:00 PM Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>> > Hello,
>> >
>> > I was just bitten by this as well 3 hours ago, but thankfully only in our
>> > staging environment. We had only one entry
>> > in the RESOURCE_SERVER_RESOURCE table that had a null value in the uri and
>> > icon_uri column.
>> > This caused the migration to fail. In our prod env there was no entry in
>> > that table, so the migration went through.
>> > As a quick fix in the staging env I just changed those uris to
>> > http://doesnotexist.local and http://doesnotexist.local/icon respectively
>> > to make it pass.
>> >
>> > It seems that I triggered the creation of those entries in the
>> > RESOURCE_SERVER_RESOURCE table when
>> > I activated and deactivated the authz support for a client.
>> >
>> > I think this should be addressed in the migrations. There should be at
>> > least a note about that in the migration guides.
>> > It took me a while to find the table that contained the null values that
>> > were indirectly causing the migration to fail.
>> >
>> > Cheers,
>> > Thomas
>> >
>> > On Tue, Aug 7, 2018 at 5:25 PM Schuster Sebastian (INST/ESY1) <
>> > Sebastian.Schuster at bosch-si.com> wrote:
>> >
>> > > Hi everybody,
>> > >
>> > > I just noticed that 4.2.1 contains a migration
>> > > (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from the
>> > > RESOURCE_SERVER_RESOURCE table and puts it into a separate table
>> > > RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column
>> > > (called VALUE). The accompanying data migration
>> > > AuthzResourceUseMoreURIs.java selects rows from the old table and inserts
>> > > URIs into the new. This fails for all resources that did not have a URI
>> > > before because of the NOT NULL constraint, for example for
>> > > Keycloak-internal resources like groups that don’t have a URI.
>> > >
>> > > Is this intended behavior?
>> > >
>> > > Best regards,
>> > > Sebastian
>> > >
>> > > _______________________________________________
>> > > keycloak-dev mailing list
>> > > keycloak-dev at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>
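
The failure discussed in this thread, modelled as an added example in Python with SQLite; it is not Keycloak's migration code and not the change from the PR. The column names ID, NAME and RESOURCE_ID and the sample rows are assumptions, and skipping NULL URIs is shown as one possible handling.

```python
import sqlite3

# Constructed miniature of the two tables named in the thread. ID, NAME and
# RESOURCE_ID are assumed names; URI, ICON_URI and VALUE come from the thread.
SCHEMA = """
CREATE TABLE RESOURCE_SERVER_RESOURCE (ID TEXT PRIMARY KEY, NAME TEXT, URI TEXT, ICON_URI TEXT);
CREATE TABLE RESOURCE_URIS (RESOURCE_ID TEXT NOT NULL, VALUE TEXT NOT NULL);
"""
# Constructed sample rows: one resource with a URI, one internal resource without.
ROWS = [
    ("r1", "orders", "/api/orders", None),
    ("r2", "group.resource.example", None, None),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO RESOURCE_SERVER_RESOURCE VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn

def find_null_uri_rows(conn):
    """Pre-upgrade check: resources whose URI is NULL and would hit NOT NULL."""
    cur = conn.execute(
        "SELECT ID, NAME FROM RESOURCE_SERVER_RESOURCE WHERE URI IS NULL ORDER BY ID")
    return cur.fetchall()

def migrate_copy_all(conn):
    """Copies every URI, NULLs included; fails the way the thread describes."""
    try:
        with conn:  # rolls back on error, so no partial copy is left behind
            conn.execute("INSERT INTO RESOURCE_URIS (RESOURCE_ID, VALUE) "
                         "SELECT ID, URI FROM RESOURCE_SERVER_RESOURCE")
    except sqlite3.IntegrityError as exc:
        return f"failed: {exc}"
    return "ok"

def migrate_skip_null(conn):
    """Copies only rows that have a URI; returns the number of rows copied."""
    with conn:
        cur = conn.execute("INSERT INTO RESOURCE_URIS (RESOURCE_ID, VALUE) "
                           "SELECT ID, URI FROM RESOURCE_SERVER_RESOURCE "
                           "WHERE URI IS NOT NULL")
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print(find_null_uri_rows(db), migrate_copy_all(db), migrate_skip_null(db))
```

Running the NULL-URI query against a copy of the real database before upgrading shows which rows would block the data migration.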

