At a high level I was getting validation failures for the identity provider (which was enabled in Keystone and was otherwise correct in terms of config) in the /v3/auth/token code path.
I narrowed it down to a validation error due to a type mismatch (bytes vs str):
1) the error occurs in send_notification:
> /usr/lib/python3/dist-packages/keystone/auth/plugins/mapped.py(101)handle_scoped_token()->None
-> send_notification(taxonomy.OUTCOME_SUCCESS)
(Pdb) l
96 # send off failed authentication notification, raise the exception
97 # after sending the notification
98 send_notification(taxonomy.OUTCOME_FAILURE)
99 raise
100 else:
101 -> send_notification(taxonomy.OUTCOME_SUCCESS)
When clicking through tabs very fast I encountered a glitch which results in the following error messages being displayed (see the screencast in the attachment):
Error: "Unable to retrieve key pairs"/"Unable to retrieve images"/""Unable to retrieve server groups"
Warning: "Policy check failed"
I tried to set breakpoints in the same place - the same validation error does NOT occur with the patch so this is something else unrelated to py2 vs py3 string handling.
Ran into a related problem during debugging of dashboard errors ("Unable to retrieve key pairs") with a Rocky cloud & identity federation.
There was no clear indication as to why failures occurred.
https:/ /paste. ubuntu. com/p/v5HXyyWXC 2/ (full pdb trace)
At a high level I was getting validation failures for the identity provider (which was enabled in Keystone and was otherwise correct in terms of config) in the /v3/auth/token code path.
I narrowed it down to a validation error due to a type mismatch (bytes vs str):
1) the error occurs in send_notification:
> /usr/lib/ python3/ dist-packages/ keystone/ auth/plugins/ mapped. py(101) handle_ scoped_ token() ->None on(taxonomy. OUTCOME_ SUCCESS) on(taxonomy. OUTCOME_ FAILURE) on(taxonomy. OUTCOME_ SUCCESS)
-> send_notificati
(Pdb) l
96 # send off failed authentication notification, raise the exception
97 # after sending the notification
98 send_notificati
99 raise
100 else:
101 -> send_notificati
# ...
2) this is how the validation error looks like:
(Pdb) setattr(self, FED_CRED_ KEYNAME_ IDENTITY_ PROVIDER, identity_provider) tial.<lambda> at 0x7fa0016ef9d8>
*** ValueError: identity_provider failed validation: <function FederatedCreden
3) the lambda function where the error occurs
67 class FederatedCreden tial(Credential ): ValidatorDescri ptor( KEYNAME_ IDENTITY_ PROVIDER, ValidatorDescri ptor( KEYNAME_ USER, ValidatorDescri ptor( KEYNAME_ GROUPS,
68 identity_provider = cadftype.
69 FED_CRED_
70 -> lambda x: isinstance(x, six.string_types))
71 user = cadftype.
72 FED_CRED_
73 lambda x: isinstance(x, six.string_types))
74 groups = cadftype.
75 FED_CRED_
4) type comparison (b'adfs' is the identity provider name):
((Pdb)) x
b'adfs'
((Pdb)) six.string_types
(<class 'str'>,)
((Pdb)) type(x)
<class 'bytes'>
Using a package from James' PPA helped as I am not getting errors in the same code-path anymore.
apt policy keystone 0-0ubuntu2~ ubuntu18. 04.1~ppa2019061 40719 0-0ubuntu2~ ubuntu18. 04.1~ppa2019061 40719 0-0ubuntu2~ ubuntu18. 04.1~ppa2019061 40719 500
keystone:
Installed: 2:14.1.
Candidate: 2:14.1.
Version table:
*** 2:14.1.
When clicking through tabs very fast I encountered a glitch which results in the following error messages being displayed (see the screencast in the attachment):
Error: "Unable to retrieve key pairs"/"Unable to retrieve images"/""Unable to retrieve server groups"
Warning: "Policy check failed"
I tried to set breakpoints in the same place - the same validation error does NOT occur with the patch so this is something else unrelated to py2 vs py3 string handling.