[Keystone] Federated users can't use EC2 API

Bug #1728555 reported by Kirill Bespalov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Fix Committed | High | Kirill Bespalov |

Bug Description

Environment: MOS 9.2 (Mitaka)

Description:

In Mitaka, federated users belong to a domain which does not exist in the Keystone DB.
The code at keystone/contrib/ec2/controllers.py:147 does not expect that the domain is not defined.

https://github.com/openstack/keystone/blob/mitaka-eol/keystone/contrib/ec2/controllers.py#L148-L149

Steps to reproduce:

1) Create EC2 credentials for a federated user
2) Try to authenticate with /v3/ec2tokens keystone endpoint using the credentials

Result:

Keystone fails with the following logs:

2017-07-04 15:46:50.871734 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-07-04 15:46:50.871737 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2017-07-04 15:46:50.871739 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi result = method(context, **params)
2017-07-04 15:46:50.871742 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/contrib/ec2/controllers.py", line 383, in authenticate
2017-07-04 15:46:50.871744 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi ec2credentials=ec2Credentials)
2017-07-04 15:46:50.871746 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/contrib/ec2/controllers.py", line 147, in _authenticate
2017-07-04 15:46:50.871749 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi domain_id=user_ref['domain_id'])
2017-07-04 15:46:50.871751 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 124, in wrapped
2017-07-04 15:46:50.871753 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2017-07-04 15:46:50.871755 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/resource/core.py", line 260, in assert_domain_enabled
2017-07-04 15:46:50.871757 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi domain = self.get_domain(domain_id)
2017-07-04 15:46:50.871760 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 124, in wrapped
2017-07-04 15:46:50.871762 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2017-07-04 15:46:50.871764 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1053, in decorate
2017-07-04 15:46:50.871766 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi should_cache_fn)
2017-07-04 15:46:50.871768 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 657, in get_or_create
2017-07-04 15:46:50.871770 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi async_creator) as value:
2017-07-04 15:46:50.871772 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
2017-07-04 15:46:50.871774 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi return self._enter()
2017-07-04 15:46:50.871776 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
2017-07-04 15:46:50.871779 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi generated = self._enter_create(createdtime)
2017-07-04 15:46:50.871791 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
2017-07-04 15:46:50.871794 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi created = self.creator()
2017-07-04 15:46:50.871796 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 625, in gen_value
2017-07-04 15:46:50.871798 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi created_value = creator()
2017-07-04 15:46:50.871800 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1049, in creator
2017-07-04 15:46:50.871802 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi return fn(*arg, **kw)
2017-07-04 15:46:50.871804 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/resource/core.py", line 702, in get_domain
2017-07-04 15:46:50.871811 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi project = self.driver.get_project(domain_id)
2017-07-04 15:46:50.871813 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/resource/backends/sql.py", line 50, in get_project
2017-07-04 15:46:50.871815 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi return self._get_project(session, project_id).to_dict()
2017-07-04 15:46:50.871818 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/resource/backends/sql.py", line 43, in _get_project
2017-07-04 15:46:50.871820 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi project_ref = session.query(Project).get(project_id)
2017-07-04 15:46:50.871822 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 831, in get
2017-07-04 15:46:50.871824 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi return self._get_impl(ident, loading.load_on_ident)
2017-07-04 15:46:50.871826 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 842, in _get_impl
2017-07-04 15:46:50.871828 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi if len(ident) != len(mapper.primary_key):
2017-07-04 15:46:50.871830 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi TypeError: object of type 'NoneType' has no len()
2017-07-04 15:46:50.871832 2017-07-04 15:46:50.868 4516 ERROR keystone.common.wsgi

Changed in mos:
assignee: nobody → Kirill Bespalov (k-besplv)
Changed in mos:
milestone: 9.x-updates → 9.2-mu-4
importance: Undecided → High
status: New → Confirmed
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (9.0/mitaka)

Reviewed: https://review.fuel-infra.org/36654
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0/mitaka

Commit: 26a35084425d79f8897b5fff8194676fd2176e02
Author: Dmitry Stepanenko <email address hidden>
Date: Mon Oct 30 10:00:48 2017

Do not always check domains for ec2 auth

In case user doesn't have domain (user is federated) domains
shouldn't be checked while authenticating with ec2 credentials.

Change-Id: I02d3172fce7ed71a70f4d85d4939048d4e69b11d
Closes-Bug: #1728555

Changed in mos:
status: Confirmed → Fix Committed
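
The failure in the traceback and the guard described in the commit message, modelled as an added example (not Keystone's code and not the merged patch): `DOMAINS`, `Unauthorized`, the two `authenticate_*` functions and the user-enabled check are hypothetical stand-ins. It shows that skipping the domain lookup only when `domain_id` is `None` still rejects disabled or unknown domains for local users.

```python
# Simplified stand-in for the checks around an EC2-credential login.
# Not Keystone code: DOMAINS, Unauthorized and all functions are hypothetical.

class Unauthorized(Exception):
    pass

# Constructed sample data: one enabled and one disabled domain.
DOMAINS = {"default": {"enabled": True}, "frozen": {"enabled": False}}


def get_domain(domain_id):
    # Mimics the primary-key lookup at the bottom of the traceback:
    # a None identifier raises TypeError before any "not found" handling.
    if len(domain_id) == 0 or domain_id not in DOMAINS:
        raise Unauthorized("domain not found")
    return DOMAINS[domain_id]


def assert_domain_enabled(domain_id):
    if not get_domain(domain_id)["enabled"]:
        raise Unauthorized("domain %s is disabled" % domain_id)


def authenticate_unguarded(user_ref):
    """Behaviour from the report: the domain check runs unconditionally."""
    if not user_ref.get("enabled", False):  # assumed check, kept in both paths
        raise Unauthorized("user is disabled")
    assert_domain_enabled(user_ref["domain_id"])
    return user_ref["id"]


def authenticate_guarded(user_ref):
    """Skip the domain check only when the user has no domain at all."""
    if not user_ref.get("enabled", False):
        raise Unauthorized("user is disabled")
    domain_id = user_ref.get("domain_id")
    if domain_id is not None:
        # Local users: a disabled or unknown domain still rejects the login.
        assert_domain_enabled(domain_id)
    return user_ref["id"]


def outcome(fn, user_ref):
    """Return 'ok', 'unauthorized' or 'crash' for one login attempt."""
    try:
        fn(user_ref)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except TypeError:
        return "crash"
```

The guard tests `is not None` rather than truthiness, so an empty-string domain still goes through the lookup and is rejected instead of being treated as a federated user.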