OpenStack Identity (keystone)

  1. Bug #1190708
  2. Activity log

Activity log for bug #1190708

Date Who What changed Old value New value Message
2013-06-13 19:04:06 Brant Knudson bug added bug
2013-06-13 19:08:04 Brant Knudson keystone: assignee Brant Knudson (blk-u)
2013-06-13 19:26:00 Brant Knudson description When the admin_token_auth is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data. Operations should work even without the To recreate: 1) Start with devstack. 2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline. [pipeline:public_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service [pipeline:admin_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service [pipeline:api_v3] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3 pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3 3) Do a request using v2 admin api. $ keystone user-list An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500) I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional. Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data. Operations should work even without the To recreate: 1) Start with devstack. 2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline. [pipeline:public_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service [pipeline:admin_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service [pipeline:api_v3] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3 pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3 3) Do a request using v2 admin api. $ keystone user-list An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500) I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional. Another option is to provide an alternative bit of middleware that sets the is_admin flag to False.
2013-06-13 19:29:21 Brant Knudson description When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data. Operations should work even without the To recreate: 1) Start with devstack. 2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline. [pipeline:public_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service [pipeline:admin_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service [pipeline:api_v3] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3 pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3 3) Do a request using v2 admin api. $ keystone user-list An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500) I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional. Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data. Operations should work even without the admin_token_auth middleware To recreate: 1) Start with devstack. 2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline. [pipeline:public_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service [pipeline:admin_api] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service [pipeline:api_v3] #pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3 pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3 3) Do a request using v2 admin api. $ keystone user-list An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500) I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional. Another option is to provide an alternative bit of middleware that sets the is_admin flag to False.
2013-06-13 21:02:23 Dolph Mathews keystone: importance Undecided High
2013-06-13 21:02:30 Dolph Mathews keystone: status New Triaged
2013-07-01 18:58:36 OpenStack Infra keystone: status Triaged In Progress
2013-07-09 00:13:04 OpenStack Infra keystone: status In Progress Fix Committed
2013-07-17 12:05:33 Thierry Carrez keystone: status Fix Committed Fix Released
2013-07-17 12:05:33 Thierry Carrez keystone: milestone havana-2
2013-10-17 12:36:37 Thierry Carrez keystone: milestone havana-2 2013.2