EC2 keystone auth middleware isn't setting project_id correctly

Bug #941119 reported by Dan Prince on 2012-02-25
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Dan Prince

Bug Description

When using the EC2 API with keystone (KSL), it appears that we store a dict of tenant information as the 'tenant_id' in the request context. This causes a slew of SQL errors in various nova services. For example, the following is from the network.log:

(nova.rpc.common): TRACE: ProgrammingError: (ProgrammingError) (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \': "\'d94c76d76d9f426eb62008d184de657f\'", u\'enabled\': \'1\', u\'description\': \'NULL\',\' at line 4') 'SELECT count(*) AS count_1 \nFROM (SELECT floating_ips.created_at AS floating_ips_created_at, floating_ips.updated_at AS floating_ips_updated_at, floating_ips.deleted_at AS floating_ips_deleted_at, floating_ips.deleted AS floating_ips_deleted, AS floating_ips_id, floating_ips.address AS floating_ips_address, floating_ips.fixed_ip_id AS floating_ips_fixed_ip_id, floating_ips.project_id AS floating_ips_project_id, AS floating_ips_host, floating_ips.auto_assigned AS floating_ips_auto_assigned, floating_ips.pool AS floating_ips_pool, floating_ips.interface AS floating_ips_interface \nFROM floating_ips \nWHERE floating_ips.deleted = %s AND floating_ips.project_id = %s AND floating_ips.auto_assigned = %s) AS anon_1' (0, {u'enabled': True, u'description': None, u'name': u'admin', u'id': u'd94c76d76d9f426eb62008d184de657f'}, 0)


The fix seems to be to grab the tenant 'id' instead.

Given that '/ec2tokens' is an un-versioned keystone extension, I think it is acceptable to allow it to change in this regard. Thus... I'm suggesting we change nova to match it:

+++ b/nova/api/ec2/
@@ -307,7 +307,7 @@ class EC2KeystoneAuth(wsgi.Middleware):
             token_id = result['access']['token']['id']
             user_id = result['access']['user']['id']
- project_id = result['access']['token']['tenant']
+ project_id = result['access']['token']['tenant']['id']
             roles = [role['name'] for role
                      in result['access']['user']['roles']]
         except (AttributeError, KeyError), e:
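
Review bot: The new ['tenant']['id'] lookup at line 307 can raise TypeError, which the `except (AttributeError, KeyError), e:` clause at the end of the hunk does not catch. The description notes that /ec2tokens is un-versioned, so a reply where 'tenant' is a plain string or null is plausible, and subscripting either with 'id' fails with TypeError rather than KeyError. Suggest adding TypeError to the except tuple, or checking that the tenant value is a dict before indexing it. Since project_id goes into the request context and from there into SQL parameters (as the trace shows), it would also be worth confirming that the extracted value is a string before the context is built.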

Dan Prince (dan-prince) on 2012-02-25
Changed in nova:
status: New → In Progress
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → High
Brian Waldon (bcwaldon) on 2012-02-26
Changed in nova:
milestone: none → essex-4

Submitter: Jenkins
Branch: master

commit e2be2d8238c906de430611d4d0c1187b8699e87b
Author: Dan Prince <email address hidden>
Date: Sat Feb 25 16:43:34 2012 -0500

    Update EC2KeystoneAuth to grab tenant 'id'.

    Updates the EC2KeystoneAuth middleware so that it supports
    formatting changes to the Keystone /ec2tokens extension.
    Instead of setting project_id to a tenant dict this change
    correctly sets it to an id.

    Fixes LP Bug #941119.

    Change-Id: I318ed594929162eafb5d7c3d8b9583cb109b73d4

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1
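
The failure described in this report comes from trusting the shape of an un-versioned auth response; the following sketch validates the tenant field before it can reach the request context. It is an added example, not nova's code, written in Python 3. The names `extract_identity` and `BadTokenResponse` are hypothetical, the response layout follows the keys used in the patch, and the legacy form where 'tenant' is a bare id string is an assumption.

```python
# Added example (not nova's code): type-check the identity taken from an
# /ec2tokens reply so a dict can never end up as project_id in a SQL query.


class BadTokenResponse(ValueError):
    """The /ec2tokens reply did not carry a usable identity (hypothetical)."""


def _tenant_id(tenant):
    # Current format (per the patch): tenant is a dict with an 'id' key.
    if isinstance(tenant, dict):
        tenant = tenant.get("id")
    # Legacy format (assumption): tenant is already the id string.
    if not isinstance(tenant, str) or not tenant:
        raise BadTokenResponse("tenant id missing or not a string: %r" % (tenant,))
    return tenant


def extract_identity(result):
    """Return (token_id, user_id, project_id, roles) or raise BadTokenResponse."""
    try:
        token = result["access"]["token"]
        user = result["access"]["user"]
        token_id, user_id = token["id"], user["id"]
        project_id = _tenant_id(token["tenant"])
        roles = [role["name"] for role in user["roles"]]
    except (AttributeError, KeyError, TypeError) as e:
        # TypeError covers a null or non-dict level anywhere in the reply.
        raise BadTokenResponse("unexpected /ec2tokens layout: %r" % (e,))
    return token_id, user_id, project_id, roles


# Constructed sample reply; the tenant values are the ones shown in the trace.
SAMPLE = {"access": {
    "token": {"id": "tok-1", "tenant": {
        "id": "d94c76d76d9f426eb62008d184de657f", "name": "admin",
        "enabled": True, "description": None}},
    "user": {"id": "user-1", "roles": [{"name": "admin"}]}}}

if __name__ == "__main__":
    print(extract_identity(SAMPLE))
```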