New account is created after switching an existing Eclipse Che instance from 'stable' -> 'tech-preview-stable-all-namespace' channel, and enabling DevWorkspace engine #20629

Closed
ibuziuk opened this issue Oct 12, 2021 · 3 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

Comments

@ibuziuk
Member

ibuziuk commented Oct 12, 2021

Describe the bug

New account is created after switching an existing Eclipse Che instance from 'stable' -> 'tech-preview-stable-all-namespace' channel, and enabling DevWorkspace engine

Che version

7.37@latest

Steps to reproduce

  • install 'eclipse-che' using the stable channel
  • create CR with a single-host and OpenShift Auth enabled
  • create an account (using 'developer' OpenShift account on the crc for example) with a couple of workspaces and start one of them
  • wait until workspace is running, run build / run command
  • start preparations for the migration procedure from the stable to tech-preview-stable-all-namespace
  • delete eclipse-che subscription from the namespace
[ibuziuk@fedora ~]$ oc get subscription
NAME          PACKAGE       SOURCE                CHANNEL
eclipse-che   eclipse-che   community-operators   stable
[ibuziuk@fedora ~]$ oc delete subscription eclipse-che
subscription.operators.coreos.com "eclipse-che" deleted
  • delete csv and dependent objects
    image
  • IMPORTANT! Do not delete previously created CR / CRD
  • operator pod in the namespace will be terminated
    image
  • install 'eclipse-che' using the tech-preview-stable-all-namespace
    image
  • operators are installed in the all-namespace mode as expected
    image
  • update the CR from the eclipse-che namespace and enable devWorkspace
  devWorkspace:
    enable: true
  • go back to the running workspace
  • session expired / re-login is required
  • login using the existing 'developer' account that was used previously
  • ERROR: on the 'eclipse-che' end the new account is created

image

  • ERROR: UD shows the following errors
    image

  • Start a new DevWorkspace

  • ERROR: Workspace is started, but since the account is different, in a different namespace (not developer-dev, but
    developeryv6z-dev)
    image

For some reason, a new account is created after the devWorkspace switch, which is utterly unexpected:

dbche=# SELECT * from account;
                  id                  |     name      |   type   
--------------------------------------+---------------+----------
 434d4bdf-7bae-47de-b657-9c3d675bf4d2 | developer     | personal
 e8a1a712-743c-4978-b095-9b3db488a110 | developeryv6z | personal
(2 rows)

Expected behavior

The same account is used after switching an existing eclipse-che instance to all-namespace channel and enabling DevWorkspace engine

Runtime

CodeReady Container

Screenshots

No response

Installation method

OperatorHub

Environment

Linux

Eclipse Che Logs

No response

Additional context

No response

@ibuziuk ibuziuk added kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system. engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. labels Oct 12, 2021
@tolusha tolusha mentioned this issue Oct 18, 2021
25 tasks
@AndrienkoAleksandr AndrienkoAleksandr self-assigned this Oct 20, 2021
@AndrienkoAleksandr
Contributor

Status update:
I completed the investigation: after migration from Keycloak-based Che to Che with the devworkspace engine, users weren't reused, because Keycloak stored users with some auto-generated id in the Postgres database. The devworkspace engine with native authentication uses the original OpenShift user id to store them in the Postgres database. So for the same user we've got two entities in the database instead of a single one, due to the different user id. So I think the admin should execute a user id migration before the migration. I think we have to provide a way to achieve it.
In progress:
I'm working on a solution: an admin user id migration script. The script should be executed before migrating Che to the devworkspace engine, because we need to have a running Keycloak container. This script should migrate users in the database from the Keycloak-generated id to the OpenShift user id. That's possible, because Keycloak actually mapped the Keycloak user to the federation identity provider object, and this object has the original OpenShift user id. So the script should replace the Keycloak-generated user id in the Postgres database with the OpenShift user id for each user. After that the admin can migrate Che to the devworkspace engine. After migration users could log in to Che, and Che should normally identify them by OpenShift id instead of creating new user entities.
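
The id rewrite described in the status update above, as an added example that is not part of the thread and is not the linked migrationCheToDevEngine.sh script. It runs against an in-memory SQLite database; the `workspace` and `federated_identity` tables, the `sample_db` helper and all ids are constructed assumptions, and only the `account` columns come from the issue.

```python
import sqlite3

# Constructed schema. `account` mirrors the columns shown in the issue;
# `workspace` and `federated_identity` are simplified, assumed stand-ins for a
# table referencing the account id and for Keycloak's identity-provider links.
SCHEMA = """
CREATE TABLE account (id TEXT PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE workspace (id TEXT PRIMARY KEY, account_id TEXT);
CREATE TABLE federated_identity (user_id TEXT, federated_user_id TEXT);
"""

def sample_db(already_switched=False):
    """In-memory database with constructed ids (not values from the issue)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO account VALUES ('kc-1', 'developer', 'personal')")
    conn.execute("INSERT INTO workspace VALUES ('ws-1', 'kc-1')")
    conn.execute("INSERT INTO federated_identity VALUES ('kc-1', 'ocp-1')")
    if already_switched:  # the duplicate from the issue: same person, new id
        conn.execute("INSERT INTO account VALUES ('ocp-1', 'developeryv6z', 'personal')")
    conn.commit()
    return conn

def plan(conn):
    """Map Keycloak-generated account ids to OpenShift ids; list blockers."""
    accounts = dict(conn.execute("SELECT id, name FROM account"))
    mapping, problems = {}, []
    links = conn.execute("SELECT user_id, federated_user_id "
                         "FROM federated_identity ORDER BY user_id")
    for old, new in links:
        if old not in accounts:
            continue  # Keycloak user without a Che account
        if new in accounts:
            problems.append(f"{accounts[old]}: id {new} already used by {accounts[new]}")
        elif new in mapping.values():
            problems.append(f"{accounts[old]}: id {new} claimed twice")
        else:
            mapping[old] = new
    return mapping, problems

def migrate(conn):
    """Rewrite ids in one transaction; refuse to run if the plan has blockers."""
    mapping, problems = plan(conn)
    if problems:
        raise RuntimeError("; ".join(problems))
    with conn:  # commits on success, rolls back on any exception
        for old, new in mapping.items():
            conn.execute("UPDATE account SET id = ? WHERE id = ?", (new, old))
            conn.execute("UPDATE workspace SET account_id = ? WHERE account_id = ?", (new, old))
    return len(mapping)
```

Running `plan` on `sample_db(already_switched=True)` reports the state from this issue, where the target id is already taken by the duplicate account, so `migrate` refuses to rename and the two accounts have to be reconciled first.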

@AndrienkoAleksandr
Contributor

Hello, I wrote a database migration script: https://github.com/AndrienkoAleksandr/che-user-migration/blob/master/migrationCheToDevEngine.sh . Demo showing how it works: https://www.youtube.com/watch?v=tL7_GVpgRrI&ab_channel=OleksandrAndriienko. Also, I think we have to add a backup step before the admin switches from the "stable" to the "tech-preview-stable-all-namespace" channel, for safety. I also faced a bug: when Che reuses OAuth users previously created on the stable channel, the user dashboard fails to load user profile information and doesn't render the LOGOUT button (I guess due to a retrieve user profile exception). Also, when a user has logged in, the dashboard renders old workspaces from the stable channel, but they don't work, because we don't have any workspace migration mechanism (I guess that's expected behavior). But the user could create new workspaces, and they work fine using the devworkspace engine.

@tolusha
Contributor

tolusha commented Nov 2, 2021

Investigation is completed. There is nothing to code.
Users migration script will be a part of #20614

@AndrienkoAleksandr
Thank you!
