Unclear error when attempting to create duplicate resources with certain names

Bug #1668563 reported by Colleen Murphy
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Colleen Murphy
Milestone:

Bug Description

When a user accidentally tries to create certain resources they have already created, if the name of the resource has 'name' or 'id' in the name, the action fails with a very unclear error message. For example, when creating a federation mapping:

$ openstack mapping create mapping_with_id_in_the_string --rules rules.json
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | mapping_with_id_in_the_string |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name': u'federated_users'}, u'user': {u'name': u'{0}'}}]}] |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ openstack mapping create mapping_with_id_in_the_string --rules rules.json
string indices must be integers (HTTP 400) (Request-ID: req-d37fa5f1-f354-45a8-9408-7b2b254b8c41)
$ openstack mapping create mapping_with_name_in_the_string --rules rules.json
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | mapping_with_name_in_the_string |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name': u'federated_users'}, u'user': {u'name': u'{0}'}}]}] |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ openstack mapping create mapping_with_name_in_the_string --rules rules.json
string indices must be integers (HTTP 400) (Request-ID: req-5efee6af-e924-428e-a929-cee5c8efb48c)

But the error is clearer if the string does not have a special substring in it:

$ openstack mapping create mapping_with_nothing_special_in_the_string --rules rules.json
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | mapping_with_nothing_special_in_the_string |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name': u'federated_users'}, u'user': {u'name': u'{0}'}}]}] |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ openstack mapping create mapping_with_nothing_special_in_the_string --rules rules.json
Conflict occurred attempting to store mapping - Duplicate entry. (HTTP 409) (Request-ID: req-8fa12715-7cce-40b7-95f4-92431bb13132)

Similarly for creating a federation protocol with 'id' or 'name' in the name of the protocol:

$ openstack federation protocol create protocol_with_id_in_the_string --mapping mapping_with_nothing_special_in_the_string --identity-provider google
+-------------------+--------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------+
| id | protocol_with_id_in_the_string |
| identity_provider | google |
| mapping | mapping_with_nothing_special_in_the_string |
+-------------------+--------------------------------------------+
$ openstack federation protocol create protocol_with_id_in_the_string --mapping mapping_with_nothing_special_in_the_string --identity-provider google
string indices must be integers (HTTP 400) (Request-ID: req-d0659c94-9662-4c57-a230-9e4fbcd33fb0)

Or if the identity provider has 'id' or 'name' in its name:

$ openstack federation protocol create normal_protocol --mapping mapping_with_nothing_special_in_the_string --identity-provider sso_service_with_id_in_the_string
+-------------------+--------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------+
| id | normal_protocol |
| identity_provider | sso_service_with_id_in_the_string |
| mapping | mapping_with_nothing_special_in_the_string |
+-------------------+--------------------------------------------+
$ openstack federation protocol create normal_protocol --mapping mapping_with_nothing_special_in_the_string --identity-provider sso_service_with_id_in_the_string
string indices must be integers (HTTP 400) (Request-ID: req-ddafd212-91e3-4ea5-9af0-a3cde6f7398b)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/438896

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/438896
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=59d7b1fcd710a0eff289f467bbb82a07037a51b0
Submitter: Jenkins
Branch: master

commit 59d7b1fcd710a0eff289f467bbb82a07037a51b0
Author: Colleen Murphy <email address hidden>
Date: Tue Feb 28 11:03:40 2017 +0100

    Fix duplicate handling for user-specified IDs

    For resources such as federation protocols and federation mappings, the
    database primary keys are ID strings specified by the user creating
    them. If the user created such a resource that happened to have the
    substrings 'id' or 'name' in the identifier, and then by accident tried
    to create it again, it would fail with a message that did not appear to
    relate to the entry being a duplicate:

     string indices must be integers (HTTP 400)

    This was because the method that is supposed to form a user-friendly
    message receives all the arguments as a tuple and iterates over it,
    looking for a dictionary with the keys 'id' or 'name' to figure out what
    was trying to be duplicated. However, it can't distinguish between a
    dictionary with 'id' or 'name' as a key and a string with 'id' or 'name'
    as a substring, and trips if it finds such a string. This logic for
    looking for 'id', 'name', or 'domain_id' in an object really only makes
    sense if the object is a dict, so this patch adds a check to ensure it
    is a dict before looking for keys in it.

    Change-Id: If3c23a28eb5594efaa49c6a15d8db11cfc8d9057
    Closes-bug: #1668563

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → pike-1
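
The failure mode described in the commit message above, reproduced as an added Python example; it is not keystone's code. The class and function names, the dict-backed store, the sample payload and the detailed message wording are all constructed for illustration.

```python
class DuplicateEntry(Exception):
    """Stand-in for the database driver's duplicate-key error (hypothetical)."""

class Conflict(Exception):
    """Stand-in for the error the API reports as HTTP 409 (hypothetical)."""

def find_duplicate_unchecked(params):
    """Lookup without a type check, as the commit message describes."""
    for arg in params:
        for key in ("name", "id"):
            if key in arg:               # substring test when arg is a str
                return key, arg[key]     # raises TypeError when arg is a str
    return None, None

def find_duplicate_checked(params):
    """Same lookup, restricted to dict arguments as the fix describes."""
    for arg in params:
        if not isinstance(arg, dict):
            continue                     # user-specified ID strings are skipped
        for key in ("name", "id"):
            if key in arg:
                return key, arg[key]
    return None, None

def create_mapping(store, finder, mapping_id, ref):
    """Insert into a dict-backed store; translate duplicates into Conflict."""
    try:
        if mapping_id in store:
            raise DuplicateEntry(mapping_id)
        store[mapping_id] = ref
        return mapping_id
    except DuplicateEntry:
        field, value = finder((mapping_id, ref))
        # Detailed wording is constructed; the generic form is the one on this page.
        details = ("Duplicate entry found with %s %s." % (field, value)) if field else "Duplicate entry."
        raise Conflict("Conflict occurred attempting to store mapping - " + details)

def second_create_outcome(finder, mapping_id):
    """Create the same mapping twice; return the second call's exception type."""
    store, ref = {}, {"rules": []}       # constructed sample payload
    create_mapping(store, finder, mapping_id, ref)
    try:
        create_mapping(store, finder, mapping_id, ref)
    except (Conflict, TypeError) as exc:
        return type(exc).__name__
    return "created"

if __name__ == "__main__":
    for name in ("mapping_with_id_in_the_string", "mapping_with_nothing_special_in_the_string"):
        print(name, second_create_outcome(find_duplicate_unchecked, name),
              second_create_outcome(find_duplicate_checked, name))
```

With the unchecked lookup the error handler itself raises, so the caller sees a type error rather than the conflict; with the dict check every duplicate surfaces as a conflict.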
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b1

This issue was fixed in the openstack/keystone 12.0.0.0b1 development milestone.
