HTTP 400 creating heat stack if fails to create trust
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Heat | Triaged | Medium | Rabi Mishra | |
Bug Description
When keystone trusts are disabled (CONF.trusts.
The caller needs a response code/reason that indicates there is an issue with the service so that they go bug their operator to look into it, not waste time trying to figure out what is wrong with their request. And the operator needs something useful logged so they can distinguish this from other possible errors.
Note: it doesn't appear that HTTP 400 would be appropriate for any of the possible reasons for getting to the line of code referenced above, so having trusts disabled in keystone is but one way to hit this issue. Another configuration issue that might hit this line is if the trustee user does not exist, though this was not tested. All reasons for hitting this line should be analyzed and the appropriate error and logging may differ between them.
Found in Pike.
Changed in heat:
status: New → Triaged
Changed in heat:
milestone: none → no-priority-tag-bugs
Yeah, HTTP 400 response is not correct in both the below cases
1. When trusts are disabled in keystone
2. trustee user does not exist.
The fact that keystone returns a 404 NotFound() in all these cases including that when the user does not have required 'trusts_delegated_roles'[2] does not help.
Probably the assumption earlier had been that if you've deferred_auth_method=trusts[1], trusts is expected to be enabled (which is the default) in keystone and the trustee user configured should exist.
I think change[3] tried to make the error more clear when the user does not have the required roles. However, it hides the other reasons for 404 from keystone.
Now that we inherit all roles when creating a trust context by default[4], we can probably revert[3] rather than creating different errors for the user based on the error message from keystone.
[1] https://github.com/openstack/heat/blob/master/heat/common/config.py#L101
[2] https://github.com/openstack/heat/blob/master/heat/common/config.py#L117
[3] https://github.com/openstack/heat/commit/4e0538e2145b4db79c2489cbb1fb5e286a05ecd3
[4] https://github.com/openstack/heat/commit/aab01c00ff330d743fc15e97d7ae144eac5015bb