OpenStack Identity (keystone)

K2K: 'NoneType' object has no attribute 'check_output'

Bug #1521122 reported by Jamie Lennox
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Low
Jamie Lennox
OpenStack Identity (keystone) mitaka-1 "m1"

Bug Description

When messing with keystone 2 keystone I was getting 500 Errors telling me that the signing process was failing when generating ECP assertions. When i looked into it i found it was because the federation/idp.py was being imported before the code had the chance to do a environment.use_stdlib(). This meant that the global subprocess variable [1] was being assigned before the environment code had the chance to specify which subprocess to use, leaving the value as None.

After this because of the overly generic exception handler around signing [2] this was being reported as a signing failure and a 500 Error.

I was using my own wsgi launcher rather than the /usr/local/bin/keystone-wsgi-[admin|public] but it wasn't doing anything complex [3].

This should no longer be a problem when we remove eventlet as we can remove the environment code for good.

Fixes:
1) You should always use variables from environment as close to the location as possible as these values are late bound.
2) We should make a more specific error handler for the signing process. It really should only have to catch the output of the subprocess.

[1] https://github.com/openstack/keystone/blob/8f30e9a0785234a5a9cf4daaa95207c9adb10835/keystone/federation/idp.py#L40
[2] https://github.com/openstack/keystone/blob/8f30e9a0785234a5a9cf4daaa95207c9adb10835/keystone/federation/idp.py#L440
[3] http://paste.openstack.org/show/480338/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/251276

Changed in keystone:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
Revision history for this message
Steve Martinelli (stevemar) wrote :

jamie, your fix is gating now, feel free close the bug if you think it's solved

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/251276
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1981aeaeed78576963d3d97b777e8c85969a8982
Submitter: Jenkins
Branch: master

commit 1981aeaeed78576963d3d97b777e8c85969a8982
Author: Jamie Lennox <email address hidden>
Date: Mon Nov 30 21:09:35 2015 +1100

    Reference environment close to use

    Variables in environment are only bound after calling
    environment.use_stdlib() or environment.use_eventlet(). By binding the
    variable at the top of a file like this it is assigned at import time
    and so may be left referencing a None value. This means the value is
    wrong when it is used later, even though it has since been bound
    properly.

    There are no additional tests for this as I'm really not sure how to do
    it. It would involve testing a complicated series of module loading and
    the problem will be negated when we remove eventlet.

    Change-Id: Ic56a42c0f1a0fe4e8cc0b5512f00368a3ab8102c
    Partial-Bug: #1521122

Revision history for this message
Jamie Lennox (jamielennox) wrote :

I did it as partial because it didn't solve the problem of the overly generic exception handler. I'm ok to leave that as a generic problem and close this out

Changed in keystone:
status: In Progress → Fix Committed
Steve Martinelli (stevemar)
Changed in keystone:
importance: Undecided → Low
milestone: none → mitaka-1
Doug Hellmann (doug-hellmann)
Changed in keystone:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.