OpenStack Identity (keystone)

Flaskification broke ECP

Bug #1794552 reported by Adam Young on 2018-09-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Morgan Fainberg	OpenStack Identity (keystone) stein-1

Bug Description

THe Federation itegration (not voting) tests for Python35 are failing.

==============================
2018-09-26 06:26:21.371093 | primary | Failed 1 tests - output below:
2018-09-26 06:26:21.371172 | primary | ==============================
2018-09-26 06:26:21.371200 | primary |
2018-09-26 06:26:21.371360 | primary | keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2EcpFederatedAuthentication.test_request_scoped_token
2018-09-26 06:26:21.371521 | primary | ----------------------------------------------------------------------------------------------------------------------------------
2018-09-26 06:26:21.371538 | primary |
2018-09-26 06:26:21.371576 | primary | Captured traceback:
2018-09-26 06:26:21.371614 | primary | ~~~~~~~~~~~~~~~~~~~
2018-09-26 06:26:21.371675 | primary | b'Traceback (most recent call last):'
2018-09-26 06:26:21.371900 | primary | b' File "/opt/stack/new/tempest/.tox/tempest/lib/python3.5/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 176, in test_request_scoped_token'
2018-09-26 06:26:21.371979 | primary | b" project_id=projects[0]['id'], token=token_id)"
2018-09-26 06:26:21.372155 | primary | b' File "/opt/stack/new/tempest/tempest/lib/services/identity/v3/token_client.py", line 140, in auth'
2018-09-26 06:26:21.372357 | primary | b' resp, body = self.post(self.auth_url, body=body)'
2018-09-26 06:26:21.372573 | primary | b' File "/opt/stack/new/tempest/tempest/lib/common/rest_client.py", line 279, in post'
2018-09-26 06:26:21.372724 | primary | b" return self.request('POST', url, extra_headers, headers, body, chunked)"
2018-09-26 06:26:21.372881 | primary | b' File "/opt/stack/new/tempest/tempest/lib/services/identity/v3/token_client.py", line 172, in request'
2018-09-26 06:26:21.372961 | primary | b" 'Unexpected status code {0}'.format(resp.status))"
2018-09-26 06:26:21.373034 | primary | b'tempest.lib.exceptions.IdentityError: Got identity error'
2018-09-26 06:26:21.373088 | primary | b'Details: Unexpected status code 500'
2018-09-26 06:26:21.373108 | primary | b''

Looking in the logs for Keystone show an improper string replacement:

/OS-FEDERATION/identity_providers/<string:idp_id>/protocols

See below

2018-09-26 06:26:16.800826 | primary | b' Body: b\'{"protocol": {"links": {"self": "http://149.202.181.254/identity/v3/OS-FEDERATION/identity_providers/<string:idp_id>/protocols/mapped", "identity_provider": "http://149.202.181.254/identity/v3/testshib"}, "mapping_id": "608508b0cd09476289b2be05bcca98e3", "id": "mapped"}}\\n\''
2018-09-26 06:26:16.801021 | primary | b'2018-09-26 06:26:16,423 30292 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:test_request_scoped_token): 500 POST http://149.202.181.254/identity/v3/auth/tokens'
2018-09-26 06:26:16.801187 | primary | b"2018-09-26 06:26:16,424 30292 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}"
2018-09-26 06:26:16.801241 | primary | b' Body: <omitted>'
2018-09-26 06:26:16.801530 | primary | b" Response - Headers: {'connection': 'close', 'content-type': 'application/json', 'server': 'Apache/2.4.18 (Ubuntu)', 'date': 'Wed, 26 Sep 2018 06:26:16 GMT', 'x-openstack-request-id': 'req-2185af52-06fa-41c3-80eb-de3d5e667380', 'content-location': 'http://149.202.181.254/identity/v3/auth/tokens', 'content-length': '143', 'vary': 'X-Auth-Token', 'status': '500'}"
2018-09-26 06:26:16.801855 | primary | b' Body: b\'{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "title": "Internal Server Error", "code": 500}}\''

Adam Young (ayoung) on 2018-09-26

Changed in keystone:
assignee:	nobody → Morgan Fainberg (mdrnstm)

Colleen Murphy (krinkle) on 2018-09-28

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Critical
importance:	Critical → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-28: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/606195

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-01:

This breaks only testing due to links being weird. It shouldn't have an impact on actual federated auth. Moving this back to medium prio (fix is proposed)

Changed in keystone:
importance:	High → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-02: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/606195
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1efecc92c09d5f691fac1e9373ff123b549ced39
Submitter: Zuul
Branch: master

commit 1efecc92c09d5f691fac1e9373ff123b549ced39
Author: Morgan Fainberg <email address hidden>
Date: Fri Sep 28 13:08:37 2018 -0700

Properly replace flask view args in links

    When the API Prefix is used in a Flask API, it is possible the flask
    view argument specification will bleed through to the self link instead
    of a properly formated url.

    The add_self_reference_links mechanism in keystone.server.flask.common
    now substitutes out the self link to the {} substitution and applies
    a .format() utilizing the view args to the URI in the self link.

Change-Id: Ic5c89c285ed964de7411b273567bb97fcf43da06
closes-bug: #1794552