keystone throws error when removing user from tenant.

Bug #1078497 reported by Joseph Heck
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Critical
Vish Ishaya
Folsom
Fix Released
Critical
Dolph Mathews
keystone (Ubuntu)
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned

Bug Description

Related to debugging https://bugs.launchpad.net/keystone/+bug/1064914::

>>> c.users.list_roles()
Traceback (most recent call last):
  File "<input>", line 1, in <module>
TypeError: list_roles() takes at least 2 arguments (1 given)
>>> c.users.list_roles('090eded8752f4186b474f1d8aaa6bd10', tenant='5045d6c82f4f4c41b42cadd268ae98d9')
[<Role {u'id': u'08ccc339c0074a548104b9050bdf9492', u'name': u'Member'}>]
>>> c.tenants.remove_user('5045d6c82f4f4c41b42cadd268ae98d9', '090eded8752f4186b474f1d8aaa6bd10', '08ccc339c0074a548104b9050bdf9492')
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v2_0/tenants.py", line 144, in remove_user
    base.getid(tenant))
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v2_0/roles.py", line 91, in remove_user_role
    return self._delete(route % params)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 88, in _delete
    resp, body = self.api.delete(url)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/client.py", line 186, in delete
    return self._cs_request(url, 'DELETE', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/client.py", line 161, in _cs_request
    **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/client.py", line 141, in request
    raise exceptions.from_response(resp, body)
ClientException: An unexpected error prevented the server from fulfilling your request. 'NoneType' object has no attribute 'get' (HTTP 500)
>>> c.users.list_roles('090eded8752f4186b474f1d8aaa6bd10', tenant='5045d6c82f4f4c41b42cadd268ae98d9')
[]

Joseph Heck (heckj)
Changed in python-keystoneclient:
importance: Undecided → Critical
status: New → Confirmed
assignee: nobody → Joseph Heck (heckj)
assignee: Joseph Heck (heckj) → nobody
Changed in keystone:
importance: Undecided → Critical
status: New → Confirmed
summary: - keyclient unable to remove user from tenant - getting traceback
+ keystoneclient unable to remove user from tenant - getting traceback
Revision history for this message
Vish Ishaya (vishvananda) wrote : Re: keystoneclient unable to remove user from tenant - getting traceback

'NoneType' object has no attribute 'get'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 204, in __call__
    result = method(context, **params)#012 File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 621, in remove_role_from_user
    self.token_api.revoke_tokens(context, user_id, tenant_id)
  File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 48, in revoke_tokens
    for token_id in self.list_tokens(context, user_id, tenant_id):
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)#012 File "/usr/lib/python2.7/dist-packages/keystone/token/backends/sql.py", line 113, in list_tokens
    if token_ref_dict['tenant'].get('id') != tenant_id:
AttributeError: 'NoneType' object has no attribute 'get'

Tracback from keystone.

Revision history for this message
Vish Ishaya (vishvananda) wrote :

seems like a keystone error.

summary: - keystoneclient unable to remove user from tenant - getting traceback
+ keystone throws error when removing user from tenant.
Revision history for this message
Vish Ishaya (vishvananda) wrote :

so i've tracked down where this is happening. It seems that there are at least some tokens stored that have tenant set to null, although we are checking for unset which seems strange

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/16027

Changed in keystone:
assignee: nobody → Vish Ishaya (vishvananda)
status: Confirmed → In Progress
tags: added: folsom-backport
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/16027
Committed: http://github.com/openstack/keystone/commit/ac2d5b85b16da31ebf4833b6264961c567125249
Submitter: Jenkins
Branch: master

commit ac2d5b85b16da31ebf4833b6264961c567125249
Author: Vishvananda Ishaya <email address hidden>
Date: Tue Nov 13 15:34:00 2012 -0800

    Properly list tokens with a null tenant

    We store the tenant as a null value in json, so checking to see
    if it exists is not sufficient. This makes the check safer, checking
    for existance and not null before continuing.

    Fixes bug 1078497

    Change-Id: Ida1b958e5df6f93a30efae0d3f71df668751ff81

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/16191

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/folsom)

Reviewed: https://review.openstack.org/16191
Committed: http://github.com/openstack/keystone/commit/80d63c882c7b847a8b73cf1e2b0f587a25be4d5f
Submitter: Jenkins
Branch: stable/folsom

commit 80d63c882c7b847a8b73cf1e2b0f587a25be4d5f
Author: Vishvananda Ishaya <email address hidden>
Date: Tue Nov 13 15:34:00 2012 -0800

    Properly list tokens with a null tenant

    We store the tenant as a null value in json, so checking to see
    if it exists is not sufficient. This makes the check safer, checking
    for existance and not null before continuing.

    Fixes bug 1078497

    Change-Id: Ida1b958e5df6f93a30efae0d3f71df668751ff81

Alan Pevec (apevec)
no longer affects: python-keystoneclient
Joseph Heck (heckj)
Changed in keystone:
milestone: none → grizzly-1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Joseph, or anyone else affected,

Accepted keystone into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in keystone (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 2012.2.1-0ubuntu1

---------------
keystone (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Ubuntu updates:
    - debian/control: Ensure keystoneclient is upgraded with keystone,
      require python-keystoneclient >= 1:0.1.3. (LP: #1073273)
    - Dropped patches, applied upsteram:
      - debian/patches/CVE-2012-5563.patch
      - debian/patches/CVE-2012-5571.patch
      - debian/patches/fix-ssl-tests-lp1068851.patch
  * Resynchronize with stable/folsom (7869c3ec) (LP: #1085255):
    - [f9d4766] token expires time incorrect for auth by one token
      (LP: #1079216)
    - [80d63c8] keystone throws error when removing user from tenant.
      (LP: #1078497)
    - [37308dd] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [bec9b68] Redo part of bp/sql-identiy-pam undone by bug 968519
      (LP: #1068674)
    - [ee645e6] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [094c494] Non PKI Tokens longer than 32 characters can never be valid
      (LP: #1060389)
    - [3cd343b] Openssl tests rely on expired certificate (LP: #1068851)
    - [2f9807e] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:41 -0800

Changed in keystone (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/24449

Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-1 → 2013.1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27104

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/27406

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/27104
Committed: http://github.com/openstack/keystone/commit/08aaeb081958b05124ee60a0a9d34797b1f2c364
Submitter: Jenkins
Branch: master

commit 08aaeb081958b05124ee60a0a9d34797b1f2c364
Author: Bernhard M. Wiedemann <email address hidden>
Date: Thu Apr 18 10:39:15 2013 +0200

    Test listing of tokens with a null tenant

    Test for fix of bug 1078497

    Change-Id: I5cd28b38111f3e80adbb33ef1b1c8db7630d75f8

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.