trusts in keystone fail in backend when impersonation is not provided

Bug #1278739 reported by Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad |

Bug Description

When creating trusts in Keystone, if 'impersonation' is not provided Keystone fails out in the backend code. This should probably be handled at the controller level to be consistent across all backends.

lbragstad@precise64:~/curl-examples$ cat create_trust.json
{
    "trust": {
        "expires_at": "2014-02-27T18:30:59.999999Z",
        "project_id": "c7e2b98178e64418bb884929d3611b89",
        "impersonation": true,
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
        "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
    }
}

lbragstad@precise64:~/curl-examples$ cat create_trust_bad.json
{
    "trust": {
        "expires_at": "2014-02-27T18:30:59.999999Z",
        "project_id": "c7e2b98178e64418bb884929d3611b89",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
        "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
    }
}

Using impersonation in the create_trust.json file returns a trust successfully:

lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust.json http://localhost:5000/v3/OS-TRUST/trusts
HTTP/1.1 201 Created
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 675
Date: Sun, 09 Feb 2014 04:36:56 GMT

{"trust": {"impersonation": true, "roles_links": {"self": "http://10.0.2.15:5000/v3/OS-TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5/roles", "previous": null, "next": null}, "trustor_user_id": "406e6d96a30449069bf4241a00308b23", "links": {"self": "http://10.0.2.15:5000/v3/OS-TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5"}, "roles": [{"id": "937488fff5444edb9da1e93d20596d4b", "links": {"self": "http://10.0.2.15:5000/v3/roles/937488fff5444edb9da1e93d20596d4b"}, "name": "admin"}], "expires_at": "2014-02-27T18:30:59.999999Z", "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998", "project_id": "c7e2b98178e64418bb884929d3611b89", "id": "12ce9f7214f04c018384f654f5ea9aa5"}}

When using the request without impersonation defined I get:

lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust_bad.json http://localhost:5000/v3/OS-TRUST/trusts
HTTP/1.1 500 Internal Server Error
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 618
Date: Sun, 09 Feb 2014 04:33:08 GMT

{"error": {"message": "An unexpected error prevented the server from fulfilling your request. (OperationalError) (1048, \"Column 'impersonation' cannot be null\") 'INSERT INTO trust (id, trustor_user_id, trustee_user_id, project_id, impersonation, deleted_at, expires_at, extra) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)' ('b49ac0c7558a4450949c22c840db9794', '406e6d96a30449069bf4241a00308b23', 'bf3a4c9ef46d44fa9ce57349462b1998', 'c7e2b98178e64418bb884929d3611b89', None, None, datetime.datetime(2014, 2, 27, 18, 30, 59, 999999), '{\"roles\": [{\"name\": \"admin\"}]}')", "code": 500, "title": "Internal Server Error"}}

According to the Identity V3 API, 'impersonation' is a requirement when creating a trust. https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#trusts

Tags: trusts v3
summary: - trusts in keystone fail in driver when impersonation is not provided
+ trusts in keystone fail in backend when impersonation is not provided
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/72582

Changed in keystone:
assignee: nobody → Lance Bragstad (ldbragst)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/72581
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dec2db651471fc05800fbca11d40742f50e5343e
Submitter: Jenkins
Branch: master

commit dec2db651471fc05800fbca11d40742f50e5343e
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 11 03:41:41 2014 +0000

    Move _BaseController to common/controllers.py

    The _BaseController class from the Federation work offered
    some nice functionality for ensuring the controller checks for required
    arguments in resource CRUD. Moving this to controller.V3Controller so
    that it can be used consistently on resources in the Identity V3 API.

    Related-Bug: 1278739
    Change-Id: Icb66e2e324820959fa9409a3b1388c89b82f8ec0
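
A controller-level required-attribute check of the kind the report and the commit message describe, as an added example that is not keystone's code: the request is rejected with a 400 before any driver call, so the backend's SQL error never reaches the client. `FakeBackend`, `require_attributes`, `handle` and the sample bodies are hypothetical, and treating the two user IDs as required alongside 'impersonation' is an assumption.

```python
# Added illustration; not keystone's implementation. All names are hypothetical.
class ValidationError(Exception):
    code = 400  # client error: nothing from the backend is echoed back

class FakeBackend:
    """Stand-in for a SQL driver whose 'impersonation' column is NOT NULL."""
    def __init__(self):
        self.rows = []
    def create_trust(self, trust):
        if trust.get("impersonation") is None:
            # The failure the report shows surfacing as a 500 with the INSERT text.
            raise RuntimeError("Column 'impersonation' cannot be null")
        self.rows.append(trust)
        return trust

# 'impersonation' is required per the report; the two user IDs are an assumption.
REQUIRED = ("impersonation", "trustor_user_id", "trustee_user_id")

def require_attributes(ref, required=REQUIRED):
    missing = [k for k in required if ref.get(k) is None]
    if missing:
        raise ValidationError("missing required attribute(s): " + ", ".join(missing))
    if not isinstance(ref["impersonation"], bool):
        # Added strictness: a string such as "false" must not pass as truthy.
        raise ValidationError("impersonation must be a boolean")

def handle(backend, body):
    """Validate before any driver call; return (status, payload)."""
    try:
        trust = body.get("trust") if isinstance(body, dict) else None
        if not isinstance(trust, dict):
            raise ValidationError("request body must contain a 'trust' object")
        require_attributes(trust)
        return 201, {"trust": backend.create_trust(dict(trust))}
    except ValidationError as exc:
        return exc.code, {"error": {"code": exc.code, "title": "Bad Request",
                                    "message": str(exc)}}

# Constructed sample bodies, modelled on the two JSON files in the report.
GOOD = {"trust": {"impersonation": True, "roles": [{"name": "admin"}],
                  "trustor_user_id": "trustor-example",
                  "trustee_user_id": "trustee-example"}}
BAD = {"trust": {k: v for k, v in GOOD["trust"].items() if k != "impersonation"}}

if __name__ == "__main__":
    backend = FakeBackend()
    print(handle(backend, GOOD)[0], handle(backend, BAD))
```

Because the check runs in front of the driver, every backend returns the same 400 for the same malformed request, and the response body carries only the attribute name rather than the statement and bound values.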

Changed in keystone:
assignee: Lance Bragstad (ldbragst) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Lance Bragstad (ldbragst)
importance: Undecided → High
importance: High → Medium
Lance Bragstad (lbragstad) wrote :
Changed in keystone:
status: In Progress → Fix Committed
Lance Bragstad (lbragstad) wrote :
Changed in keystone:
milestone: none → 2015.1.0
status: Fix Committed → Fix Released