keystone-manage mapping_engine tester problems

Bug #1655182 reported by John Dennis on 2017-01-10
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
John Dennis
Ubuntu Cloud Archive
Undecided
Unassigned
Declined for Ocata by James Page
Mitaka
Undecided
Unassigned
Newton
Undecided
Unassigned
keystone (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

[Impact]

 * A bug in keystone-manage tool prohibits the use of the mapping_engine command for testing federation rules.

 * Users of Keystone Federation will not be able to verify their mapping rules before pushing these to production.

 * Not being able to test rules before pushing to production is a major operational challenge for our users.

 * The proposed upload fixes this by backporting a fix for this issue from upstream stable/ocata.

[Test Case]

 * Deploy keystone using Juju with this bundle:
   http://pastebin.ubuntu.com/24855409/

 * ssh to keystone unit, grab artifacts and run command:
   - mapping.json: http://pastebin.ubuntu.com/24855419/
   - input.txt: http://pastebin.ubuntu.com/24855420/
   - command:
   'keystone-manage mapping_engine --rules mapping.json --input input.txt'

 * Observe that command provides no output and that a Python Traceback is printed in /var/log/keystone/keystone.log

 * Install the proposed package, repeat the above steps and observe that the command now outputs its interpretation and effect of the rules.

[Regression Potential]

 * keystone-manage mapping_engine is a operational test tool and is solely used by the operator to test their rules.

 * The distributed version of this command in Xenial and Yakkety does currently not work at all.

 * The change will make the command work as our users expect it to.

[Original bug description]
There are several problems with keystone-manage mapping_engine

* It aborts with a backtrace because of wrong number of arguments
  passed to the RuleProcessor

* The --engine-debug option does not work.

* Error messages related to input data are cryptic and inprecise.

Fix proposed to branch: master
Review: https://review.openstack.org/418165

Changed in keystone:
assignee: nobody → John Dennis (jdennis-a)
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → ocata-3
Changed in keystone:
assignee: John Dennis (jdennis-a) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → John Dennis (jdennis-a)

Reviewed: https://review.openstack.org/418165
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f2d0f8c9ab38172a6e37b02339eac59da911435c
Submitter: Jenkins
Branch: master

commit f2d0f8c9ab38172a6e37b02339eac59da911435c
Author: John Dennis <email address hidden>
Date: Tue Nov 29 11:36:32 2016 -0500

    Fix keystone-manage mapping_engine tester

    There were several problems with keystone-manage mapping_engine

    * It aborts with a backtrace because of wrong number of arguments
      passed to the RuleProcessor, it was missing the mapping_id
      parameter.

    * Error messages related to input data were cryptic and inprecise.

    * The --engine-debug option did not work.

    A fake mapping_id is now generated and passed to the RuleProcessor.

    If there was invalid data passed it was nearly impossible to determine
    what was causing the error, the command takes 2 input files, but which
    file contained the error? At what line? Why? For example I was
    consistently getting this error:

    Error while parsing line: '{': need more than 1 value to unpack

    and had no idea of what was wrong, the JSON looked valid to me. Turns
    out the assertion file is not formatted as JSON (yes this is
    documented in the help message but given the rules are JSON formatted
    and the RuleProcessor expects a dict for the assertion_data it's
    reasonsable to assume the data in the assertion file is formatted as a
    JSON object).

    The documentation in mapping_combinations.rst added a note in the
    section suggesting the use of the keystone-manage mapping_engine
    tester alerting the reader to the expected file formats.

    The MappingEngineTester class was refactored slighly to allow each
    method to know what file it was operating on and emit error messages
    that identify the file. The error message in addition to the pathname
    now includes the offending line number as well. As a bonus it doesn't
    fail if there is a blank line. The error message now looks like this:

    assertion file input.txt at line 4 expected 'key: value' but found 'foo' see help for file format

    The mapping_engine.LOG.logger level is now explictily set to DEBUG
    when --engine-debug is passed instead of (mistakenly assuming it
    defaulted to DEBUG) otherwise it's set to WARN.

    Closes-Bug: 1655182
    Signed-off-by: John Dennis <email address hidden>
    Change-Id: I2dea0f38b127ec185b79bfe06dd6a212da75cbca

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.

Frode Nordahl (fnordahl) on 2017-05-22
tags: added: sts
Frode Nordahl (fnordahl) wrote :

As bug 1677730 demonstrates, this is also a bug that renders the mapping_engine command unusable on stable/newton and stable/mitaka.

description: updated
tags: added: sts-sru-needed
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in cloud-archive:
status: New → Fix Released
Frode Nordahl (fnordahl) wrote :
James Page (james-page) on 2017-06-19
Changed in keystone (Ubuntu Xenial):
status: New → Triaged
Changed in keystone (Ubuntu Yakkety):
status: New → Triaged
James Page (james-page) on 2017-07-05
Changed in keystone (Ubuntu Yakkety):
status: Triaged → Won't Fix

Reviewed: https://review.openstack.org/466873
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8726573940c435ec75ca72a9ec20d9744561c07c
Submitter: Jenkins
Branch: stable/newton

commit 8726573940c435ec75ca72a9ec20d9744561c07c
Author: John Dennis <email address hidden>
Date: Tue Nov 29 11:36:32 2016 -0500

    Fix keystone-manage mapping_engine tester

    There were several problems with keystone-manage mapping_engine

    * It aborts with a backtrace because of wrong number of arguments
      passed to the RuleProcessor, it was missing the mapping_id
      parameter.

    * Error messages related to input data were cryptic and inprecise.

    * The --engine-debug option did not work.

    A fake mapping_id is now generated and passed to the RuleProcessor.

    If there was invalid data passed it was nearly impossible to determine
    what was causing the error, the command takes 2 input files, but which
    file contained the error? At what line? Why? For example I was
    consistently getting this error:

    Error while parsing line: '{': need more than 1 value to unpack

    and had no idea of what was wrong, the JSON looked valid to me. Turns
    out the assertion file is not formatted as JSON (yes this is
    documented in the help message but given the rules are JSON formatted
    and the RuleProcessor expects a dict for the assertion_data it's
    reasonsable to assume the data in the assertion file is formatted as a
    JSON object).

    The documentation in mapping_combinations.rst added a note in the
    section suggesting the use of the keystone-manage mapping_engine
    tester alerting the reader to the expected file formats.

    The MappingEngineTester class was refactored slighly to allow each
    method to know what file it was operating on and emit error messages
    that identify the file. The error message in addition to the pathname
    now includes the offending line number as well. As a bonus it doesn't
    fail if there is a blank line. The error message now looks like this:

    assertion file input.txt at line 4 expected 'key: value' but found 'foo' see help for file format

    The mapping_engine.LOG.logger level is now explictily set to DEBUG
    when --engine-debug is passed instead of (mistakenly assuming it
    defaulted to DEBUG) otherwise it's set to WARN.

    Closes-Bug: 1655182
    Signed-off-by: John Dennis <email address hidden>
    Change-Id: I2dea0f38b127ec185b79bfe06dd6a212da75cbca
    (cherry picked from commit f2d0f8c9ab38172a6e37b02339eac59da911435c)

Frode Nordahl (fnordahl) wrote :
James Page (james-page) wrote :

Fixes for mitaka and newton pushed to git repository for keystone package

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers