keystone-manage should produce a friendlier error when it cannot read the config files

Bug #1273273 reported by Peter Wang on 2014-01-27
This bug affects 4 people
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Colleen Murphy

Bug Description

Below is the detail:

I have set up the keystone database in MySQL and granted all privileges to the keystone user.

When I execute 'keystone-manage db_sync':

peter@openstack:~$ keystone-manage db_sync
peter@openstack:~$

But actually, in MySQL no tables will be created in the keystone database.

[There should be an error to indicate to the user that no tables were created due to not enough privileges.]

Only when:
peter@openstack:~$ sudo keystone-manage db_sync
peter@openstack:~$

all tables will be created in the keystone database correctly.

Summary:
If a prompt were displayed, that would be very useful for the user to proceed with installing keystone successfully.

Dolph Mathews (dolph) wrote :

Hmm, is the underlying issue that keystone.conf isn't readable by the unprivileged user?

Changed in keystone:
status: New → Incomplete
Peter Wang (peter.wang) wrote :

Here is the CLI operation command:

peter@openstack:~$ ls -l /etc/keystone/keystone.conf
ls: cannot access /etc/keystone/keystone.conf: Permission denied
peter@openstack:~$ sudo ls -l /etc/keystone/keystone.conf
[sudo] password for peter:
-rw-r--r-- 1 root root 14824 Jan 27 06:18 /etc/keystone/keystone.conf
peter@openstack:~$ cat /etc/keystone/keystone.conf
cat: /etc/keystone/keystone.conf: Permission denied

What do you think?

sagar pradhan (sagar-pradhan) wrote :

Hello Peter,

I will be looking into the issue.
As is rightly stated, keystone.conf can be accessed only by a privileged user.
I am planning to put a check in keystone-manage to check whether it is executed with sudo access or not and alert the user accordingly.

Regards,
Sagar

Changed in keystone:
assignee: nobody → sagar pradhan (sagar-pradhan)
Peter Wang (peter.wang) wrote :

Great, that's what I meant.

information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Public Security
information type: Public Security → Private Security
information type: Private Security → Public
Dolph Mathews (dolph) wrote :

keystone-manage should not care whether it's executed with sudo or not, it should only care about having the authorization to do what it needs. In this case, it appears that it should raise a more user-friendly exception if keystone.conf cannot be read.

tags: removed: keystone
sagar pradhan (sagar-pradhan) wrote :

Hi Peter/Dolph,

I investigated the issue further.
The following were my findings:
I created a user sags and issued "keystone-manage db_sync" but got the following trace:

sags@ubuntu:~$ keystone-manage db_sync
Traceback (most recent call last):
  File "/usr/local/bin/keystone-manage", line 7, in <module>
    execfile(__file__)
  File "/opt/stack/keystone/bin/keystone-manage", line 56, in <module>
    cli.main(argv=sys.argv, config_files=config_files)
  File "/opt/stack/keystone/keystone/cli.py", line 222, in main
    default_config_files=config_files)
  File "/opt/stack/oslo.config/oslo/config/cfg.py", line 1603, in __call__
    raise ConfigFilesNotFoundError(self._namespace.files_not_found)
oslo.config.cfg.ConfigFilesNotFoundError: Failed to read some config files: /etc/keystone/keystone.conf

Even for keystone-manage db_version it gives the same output:

sags@ubuntu:~$ keystone-manage db_version
in keystone-manage
Traceback (most recent call last):
  File "/usr/local/bin/keystone-manage", line 7, in <module>
    execfile(__file__)
  File "/opt/stack/keystone/bin/keystone-manage", line 56, in <module>
    cli.main(argv=sys.argv, config_files=config_files)
  File "/opt/stack/keystone/keystone/cli.py", line 222, in main
    default_config_files=config_files)
  File "/opt/stack/oslo.config/oslo/config/cfg.py", line 1603, in __call__
    raise ConfigFilesNotFoundError(self._namespace.files_not_found)
 oslo.config.cfg.ConfigFilesNotFoundError: Failed to read some config files: /etc/keystone/keystone.conf

This is the case with all the options for keystone-manage. The main reason being that the unprivileged user does not have access to keystone.conf.

I am not sure why Peter did not receive the above trace.

If we run the same command using "sudo", everything works fine.

sags@ubuntu:~$ sudo keystone-manage db_version
[sudo] password for sags:
37

I think the fix for this problem would be handling the exception

File "/opt/stack/oslo.config/oslo/config/cfg.py", line 1603, in __call__
    raise ConfigFilesNotFoundError(self._namespace.files_not_found)
 oslo.config.cfg.ConfigFilesNotFoundError: Failed to read some config files: /etc/keystone/keystone.conf

in a more user-friendly manner.

Kindly share your views on this.

Regards,
Sagar

Dolph Mathews (dolph) wrote :

Peter, what release of keystone are you using? The above feedback may have been added in a more recent release.

Peter Wang (peter.wang) wrote :

0.3.2
I use the Ubuntu cloud repository of Havana.

sagar pradhan (sagar-pradhan) wrote :

Hi All,

I have made code changes by handling the exception in a more user-friendly manner, which displays a message "You do not have the privileges or file does not exist".

Regards,
Sagar

Peter Wang (peter.wang) wrote :

Great, in which release can we get the change, Icehouse?
Also, please change the status of this bug.

Thanks
Peter

Dolph Mathews (dolph) wrote :

Is there a patch in review for this?

sagar pradhan (sagar-pradhan) wrote :

I will add this for review

Regards,
Thanks

sagar pradhan (sagar-pradhan) wrote :

Added for review

Changed in keystone:
status: Incomplete → In Progress
Morgan Fainberg (mdrnstm) wrote :

Unassigning due to lack of activity.

Changed in keystone:
assignee: sagar pradhan (sagar-pradhan) → nobody
importance: Undecided → Wishlist
status: In Progress → Confirmed
summary: - if run 'keystone-manage db_sync' without 'sudo', there should be a
- prompt that tables notcreated
+ keystone-manage should produce a friendlier error when it cannot read
+ the config files
tags: added: user-experience
rajiv (rajiv-kumar) on 2015-02-20
Changed in keystone:
assignee: nobody → rajiv (rajiv-kumar)
rajiv (rajiv-kumar) on 2015-03-10
Changed in keystone:
assignee: rajiv (rajiv-kumar) → nobody
Changed in keystone:
assignee: nobody → Solomon (solomongreenberg)
Solomon (solomongreenberg) wrote :

Does this bug only appear when running db_sync, or is it pervasive with all keystone-manage commands?

Changed in keystone:
status: Confirmed → In Progress
Steve Martinelli (stevemar) wrote :

oslo.config has gone through a few releases now, I'm wondering if this is still an issue.

Regardless, unassigning due to inactivity.

Changed in keystone:
assignee: Solomon (solomongreenberg) → nobody
status: In Progress → Triaged
Colleen Murphy (krinkle) wrote :

I can reproduce this (on master of keystone, 3.9.0 of oslo.config). However it now manifests itself a bit differently, as I25b717d9616e9d31316441ae3671d2f86229c2bf created an implied connection default of 'sqlite:///keystone.db', so running `keystone-manage db_sync` while keystone.conf is unreadable or absent happily creates a sqlite database in the current working directory.

I don't see the traceback Sagar sees unless also using the --config-file option with keystone-manage. It seems that oslo.config looks for keystone.conf in certain directories, and if it doesn't find any it returns empty without raising an error (http://git.openstack.org/cgit/openstack/oslo.config/tree/oslo_config/cfg.py#n562).

Fix proposed to branch: master
Review: https://review.openstack.org/300131

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Colleen Murphy (krinkle)
milestone: none → newton-1

Reviewed: https://review.openstack.org/300131
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=32203d4951f951c6423a9de6dd04a47bcffe40b5
Submitter: Jenkins
Branch: master

commit 32203d4951f951c6423a9de6dd04a47bcffe40b5
Author: Colleen Murphy <email address hidden>
Date: Thu Mar 31 10:47:02 2016 -0700

    Add logging to cli if keystone.conf is not found

    If keystone.conf is not found at one of ./etc/keystone.conf,
    ~/.keystone/keystone.conf, ~/keystone.conf,
    /etc/keystone/keystone.conf, or /etc/keystone.conf, the keystone-manage
    command will use defaults configured in keystone.common.config[1] (or
    elsewhere, e.g. keystone.common.sql.core[2]). If it does not find a
    default value for a parameter it needs to use, it will error at that
    point (for example, the samp_idp_metadata command errors when
    idp_entity_id is not set). However, if all of the parameters it is
    using have default values, which is the case for commands like db_sync
    and ssl_setup, keystone-manage will silently proceed with those
    defaults. This is not obvious to the user, who may have misplaced the
    keystone.conf or is lacking permissions to read keystone.conf. This
    patch adds a warning that will notify the user if it can't find the
    config file, but otherwise proceeds as normal.

    Why not fix this in oslo.config? The behavior of silently continuing if
    config files aren't found is longstanding, so changing that behavior
    would probably not be backwards-compatible. Moreover, other projects
    might want to handle this differently or not handle it at all.

    [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py
    [2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/core.py#n73

    Closes-bug: #1273273

    Change-Id: I276c671a0da78e3d1d2aa7336e55f65be41d8cca

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.
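
The behaviour the commit message describes, as an added Python example (not the keystone patch and not using oslo.config): it walks the default locations listed in the commit message and warns instead of silently falling back to defaults. It goes beyond the commit by telling an unreadable file apart from a missing one; the function names, the `opener` parameter and the temporary directory layout are assumptions made for the example.

```python
import logging
import os
import tempfile

LOG = logging.getLogger("keystone-manage-example")  # hypothetical logger name

def default_locations(project, cwd, home, root="/"):
    """Search order quoted in the commit message, rebased on cwd/home/root."""
    dirs = [(cwd, "etc"), (home, "." + project), (home,),
            (root, "etc", project), (root, "etc")]
    return [os.path.join(*d, project + ".conf") for d in dirs]

def probe(path, opener=open):
    """Open rather than os.path.exists(): the latter hides EACCES as 'absent'."""
    try:
        with opener(path, "rb"):
            return "readable"
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "denied"

def locate_config(paths, opener=open):
    """Return (path or None, warning or None) instead of falling back silently."""
    states = [(p, probe(p, opener)) for p in paths]
    for path, state in states:
        if state == "readable":
            return path, None
    denied = [p for p, s in states if s == "denied"]
    if denied:
        msg = "Permission denied reading %s; using built-in defaults" % ", ".join(denied)
    else:
        msg = "No config file found in default locations; using built-in defaults"
    LOG.warning(msg)
    return None, msg

def demo():
    """Constructed scenarios; a temp tree stands in for cwd, ~ and /."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = default_locations("keystone", *(os.path.join(tmp, d) for d in ("cwd", "home", "root")))
        def deny_etc(path, mode):  # simulates EACCES; root would bypass a real chmod
            if path == paths[3]:
                raise PermissionError(13, "Permission denied", path)
            return open(path, mode)
        denied, absent = locate_config(paths, deny_etc), locate_config(paths)
        os.makedirs(os.path.dirname(paths[2]))
        open(paths[2], "w").close()
        found = locate_config(paths, deny_etc)
        return denied[1], absent[1], paths.index(found[0]), found[1]
```

Calling `demo()` returns the warning for the permission-denied case, the warning for the nothing-found case, and the index of the location chosen once a readable file exists in the home directory.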
