OpenStack Identity (keystone)

OAUTH functional tests are broken on stable/ocata and stable/newton

  1. Series ocata
  2. Bug #1704148
Bug #1704148 reported by Colleen Murphy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Lance Bragstad
OpenStack Identity (keystone) pike-3 "pike-3"
Newton
Fix Released
High
Lance Bragstad
Ocata
Fix Released
High
Lance Bragstad
Lance Bragstad (lbragstad)
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
milestone: none → pike-3
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Those tests were recently added to the keystone-tempest-plugin [0]. It could be that they didn't pass against stable/ocata or stable/newton, but they just weren't tested.

Not much has changed in stable/ocata or stable/newton recently.

[0] https://review.openstack.org/#/c/473245/

Revision history for this message
Lance Bragstad (lbragstad) wrote :

It looks like anything dealing with the request_token is failing:

http://logs.openstack.org/06/482606/1/check/gate-keystone-dsvm-functional-ubuntu-xenial/3bfe409/logs/apache/access.txt.gz

Revision history for this message
Lance Bragstad (lbragstad) wrote :

One possible solution until we figure out exactly what is going on would be to revert https://review.openstack.org/#/c/473245/3.

FWIW - I'm not sure how much of a difference this makes yet - but the request to create a request token are getting made to the identity_v2_admin endpoint. Other requests are being made to identity/v3/. I'm sure that just how devstack and tempest are configured though, they should route to the same v3 path.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Actually - https://review.openstack.org/#/c/473245/3 was proposed because we asked Hemanth to add functional tests for another bug he was fixing [0]. That bug was dealing with a case where creating a request token resulted in a 401. I don't think the patch for that fix was backported to stable/ocata or stable/newton, which would make complete sense as to why both of those branches are failing with 401s in the OAUTH1 tests.

I'll backport the original fix [1] to bug 1687593.

[0] https://bugs.launchpad.net/keystone/+bug/1687593
[1] https://review.openstack.org/#/c/461736/

Revision history for this message
Lance Bragstad (lbragstad) wrote :

I've attempted to summarize what I've found on the mailing list [0].

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119684.html

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
Revision history for this message
Jeremy Stanley (fungi) wrote :

To avoid similar wedges, changes to the openstack/tempest repository's master branch (the only branch it has) are tested against supported stable branch versions of some tempest jobs like gate-tempest-dsvm-neutron-full-ubuntu-xenial-ocata and gate-tempest-dsvm-neutron-full-ubuntu-xenial-newton. You might consider creating branch-overridden versions of gate-keystone-dsvm-functional-ubuntu-xenial along those lines.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Thanks for the information, Jeremy. Would that be using the BRANCH_OVERRIDE bits [0]? I'm going to mark this as fixed since the issue it resolve, but I'll continue following up so we get the coverage describing in comment #6.

[0] https://github.com/openstack-infra/project-config/blob/cb33e387046dffb5fa23cd50bb624b323c5def68/jenkins/jobs/keystone.yaml#L23

Changed in keystone:
status: Confirmed → Fix Committed
Lance Bragstad (lbragstad)
Changed in keystone:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.