set_last_active_at on deleted user results in AttributeError

Bug #2044624 reported by Boris Bobrov
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Undecided | Unassigned |

Bug Description

Steps to reproduce:

0. keystone stable/zed

1. You need a system with 2 scripts and a keystone user in sql, running in parallel:
Script 1 performs many authentications with username+password
Script 2 deletes the user

2. With enough luck, you get the following backtrace:

2023-11-25 19:56:10.675007 AttributeError: 'NoneType' object has no attribute 'last_active_at'
2023-11-25 19:56:10.674995 user_ref.last_active_at = datetime.datetime.utcnow().date()
2023-11-25 19:56:10.674993 File "/var/lib/openstack/lib/python3.10/site-packages/keystone/identity/shadow_backends/sql.py", line 161, in set_last_active_at

I think the reason is that in some cases authentication is slower than deletion, which results in a race condition: the deletion process has finished, but authentication is still mid-execution.

Expected: keystone either finishes the authentication successfully returning the token or raises a 4xx error
Observed: keystone crashes, resulting in error 500

Boris Bobrov (bbobrov)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/901885

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/901885
Committed: https://opendev.org/openstack/keystone/commit/26c8812b4c41843f749924cee787ea3b3f8ad022
Submitter: "Zuul (22348)"
Branch: master

commit 26c8812b4c41843f749924cee787ea3b3f8ad022
Author: Boris Bobrov <email address hidden>
Date: Sun Nov 26 00:44:55 2023 +0100

    Check user existence before setting last_active_at

    A situation might arise, when the user does not exist any more and we
    are attempting to set last_active_at on them. This results in keystone
    raising AttributeError.

    Check for user existence before addressing the attribute

    Closes-Bug: 2044624
    Change-Id: I3eb5890fb6d52a222b7caa4a52effc06774c0542

Changed in keystone:
status: In Progress → Fix Released
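
The interleaving described in this report and the guard named in the commit message, replayed deterministically as an added example (not keystone's code and not the merged patch). `FakeSession`, `UserRef`, both setter names and the choice to answer a vanished user with a 4xx result are assumptions made for illustration.

```python
import datetime


class UserRef:
    """Stand-in for the ORM row; only the field the bug touches."""
    def __init__(self):
        self.last_active_at = None


class FakeSession:
    """Constructed in-memory store; get() returns None for a missing row."""
    def __init__(self, user_ids):
        self.rows = {uid: UserRef() for uid in user_ids}

    def get(self, user_id):
        return self.rows.get(user_id)


def today_utc():
    return datetime.datetime.now(datetime.timezone.utc).date()


def set_last_active_at_unguarded(session, user_id):
    user_ref = session.get(user_id)
    user_ref.last_active_at = today_utc()  # AttributeError if the row is gone
    return True


def set_last_active_at_guarded(session, user_id):
    user_ref = session.get(user_id)
    if user_ref is None:  # user was deleted while authentication was running
        return False
    user_ref.last_active_at = today_utc()
    return True


def authenticate(session, user_id, setter, delete_midway=False):
    """Replay the race: credential check, optional delete, then the update."""
    if session.get(user_id) is None:
        return "4xx"
    if delete_midway:  # the deleting script finishes at this point
        del session.rows[user_id]
    try:
        updated = setter(session, user_id)
    except AttributeError:
        return "500"  # the crash the report observed
    # Assumption: a user that vanished mid-request is answered with a 4xx.
    return "token" if updated else "4xx"
```

Passing `delete_midway=True` forces the ordering that the two parallel scripts only hit "with enough luck", so the unguarded and guarded paths can be compared in a unit test.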
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 25.0.0.0rc1

This issue was fixed in the openstack/keystone 25.0.0.0rc1 release candidate.
