Keystone raise 500 error when authorize request token with invalid body

Bug #1736875 reported by wangxiyuan
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: wangxiyuan

Bug Description

Keystone raises a 500 error when authorizing a request token with an invalid body.
Reproduce:
1. Create a request token first; suppose the token key is f13b2c6755634131b59cf5fa08d49331
2. PUT http://keystone-server/v3/OS-OAUTH1/authorize/f13b2c6755634131b59cf5fa08d49331 with body:

{
 "roles": [
  {
   "id": "711aa6371a6343a9a43e8a310fbe4a6f"
  },
  {
   "name": "admin"
  }
 ]
}

Keystone will raise a 500 error. Error log:

 Traceback (most recent call last):
   File "/opt/stack/keystone/keystone/common/wsgi.py", line 226, in __call__
     result = method(req, **params)
   File "/opt/stack/keystone/keystone/common/controller.py", line 82, in inner
     return f(self, request, *args, **kwargs)
   File "/opt/stack/keystone/keystone/oauth1/controllers.py", line 404, in authorize_request_token
     authed_roles.add(role['id'])
 KeyError: 'id'

Here are two things we can improve:
1. Add a schema check for the request token authorize API.
2. Support role name.

To fix the 500 error, step 1 is enough.
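
The failure in the traceback and the two improvements listed above, as an added Python example that is not keystone's code and not part of the report: `BadRequest`, `validate`, `collect_unchecked`, `collect_checked` and the `name_to_id` lookup are hypothetical names, and treating an unknown role name as a 400 is an assumption.

```python
class BadRequest(Exception):
    """Stand-in for a validation failure the API layer maps to HTTP 400."""


REPORTED_BODY = {  # request body from the bug description
    "roles": [{"id": "711aa6371a6343a9a43e8a310fbe4a6f"}, {"name": "admin"}]
}


def collect_unchecked(body):
    """Same shape as the line in the traceback: assumes every role has 'id'."""
    authed_roles = set()
    for role in body["roles"]:
        authed_roles.add(role["id"])  # KeyError here is unhandled, hence the 500
    return authed_roles


def validate(body, allow_name=False):
    """Reject malformed input up front. allow_name=False models step 1 only."""
    allowed = {"id", "name"} if allow_name else {"id"}
    roles = body.get("roles") if isinstance(body, dict) else None
    if not isinstance(roles, list) or not roles:
        raise BadRequest("'roles' must be a non-empty list")
    for i, role in enumerate(roles):
        if not isinstance(role, dict) or not role:
            raise BadRequest("roles[%d] must be a non-empty object" % i)
        for key, value in role.items():
            if key not in allowed:
                raise BadRequest("roles[%d]: unexpected key %r" % (i, key))
            if not isinstance(value, str) or not value:
                raise BadRequest("roles[%d].%s must be a non-empty string" % (i, key))


def collect_checked(body, name_to_id=None):
    """Validate first; resolve names only when a lookup table is supplied."""
    validate(body, allow_name=name_to_id is not None)
    authed_roles = set()
    for role in body["roles"]:
        if "id" in role:
            authed_roles.add(role["id"])
        elif role["name"] in name_to_id:
            authed_roles.add(name_to_id[role["name"]])
        else:  # assumption: unknown names are rejected as a client error
            raise BadRequest("unknown role name %r" % role["name"])
    return authed_roles
```

With no lookup table the reported body is rejected as a client error (step 1); with one, the role name is resolved to an id (step 2).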

wangxiyuan (wangxiyuan)
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/526295

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/526296

Dave Chen (wei-d-chen) wrote :

I assume that your body didn't include role "id" property.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/526295
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=af151559eef407dad400df58e1743b847440fc42
Submitter: Zuul
Branch: master

commit af151559eef407dad400df58e1743b847440fc42
Author: wangxiyuan <email address hidden>
Date: Thu Dec 7 15:03:42 2017 +0800

    Expose a bug when authorize request token

    Keystone raises a 500 error when authorizing a request token
    with an invalid body.

    This patch exposes the bug that keystone raises a 500
    error instead of 400 in this case.

    Change-Id: I3ddeebf8a46467ed090d8831fd8cf35edee7ce04
    Partial-Bug: #1736875

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/526296
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1f0473a597c7420b9a98face33a30d5e57592dc7
Submitter: Zuul
Branch: master

commit 1f0473a597c7420b9a98face33a30d5e57592dc7
Author: wangxiyuan <email address hidden>
Date: Thu Dec 7 14:51:39 2017 +0800

    Add schema check for authorize request token

    This patch adds the schema check for the authorize
    request token API. It'll avoid some 500 errors
    caused by invalid input format and it will raise
    a 400 error correctly.

    This patch also adds role name support for
    authorize request token

    Closes-bug: #1736875
    Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.0.0b3

This issue was fixed in the openstack/keystone 13.0.0.0b3 development milestone.

Changed in keystone:
milestone: none → queens-rc2