EC2 keystone auth middleware isn't setting project_id correctly

Bug #941119 reported by Dan Prince
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Dan Prince

Bug Description

When using the EC2 API with keystone (KSL) it appears that we store a dict of tenant information as the 'tenant_id' in the request context. This causes a slew of SQL errors in various nova services. For example, the following is from the network.log:

(nova.rpc.common): TRACE: ProgrammingError: (ProgrammingError) (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \': "\'d94c76d76d9f426eb62008d184de657f\'", u\'enabled\': \'1\', u\'description\': \'NULL\',\' at line 4') 'SELECT count(*) AS count_1 \nFROM (SELECT floating_ips.created_at AS floating_ips_created_at, floating_ips.updated_at AS floating_ips_updated_at, floating_ips.deleted_at AS floating_ips_deleted_at, floating_ips.deleted AS floating_ips_deleted, floating_ips.id AS floating_ips_id, floating_ips.address AS floating_ips_address, floating_ips.fixed_ip_id AS floating_ips_fixed_ip_id, floating_ips.project_id AS floating_ips_project_id, floating_ips.host AS floating_ips_host, floating_ips.auto_assigned AS floating_ips_auto_assigned, floating_ips.pool AS floating_ips_pool, floating_ips.interface AS floating_ips_interface \nFROM floating_ips \nWHERE floating_ips.deleted = %s AND floating_ips.project_id = %s AND floating_ips.auto_assigned = %s) AS anon_1' (0, {u'enabled': True, u'description': None, u'name': u'admin', u'id': u'd94c76d76d9f426eb62008d184de657f'}, 0)

----

The fix seems to be to grab the tenant 'id' instead.

Given that '/ec2tokens' is an un-versioned keystone extension I think it is acceptable to allow it to change in this regard. Thus... I'm suggesting we change nova to match it:

+++ b/nova/api/ec2/__init__.py
@@ -307,7 +307,7 @@ class EC2KeystoneAuth(wsgi.Middleware):
         try:
             token_id = result['access']['token']['id']
             user_id = result['access']['user']['id']
- project_id = result['access']['token']['tenant']
+ project_id = result['access']['token']['tenant']['id']
             roles = [role['name'] for role
                      in result['access']['user']['roles']]
         except (AttributeError, KeyError), e:
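
Review bot: On the changed line, result['access']['token']['tenant']['id'] raises TypeError when 'tenant' is not a dict (a bare id string, as the removed line expected, or None), and the except (AttributeError, KeyError) clause just below does not catch TypeError, so such a reply would escape this handler as an unhandled exception. Consider adding TypeError to that tuple and checking that project_id is a string before it is placed in the request context, since the trace in this report shows a dict travelling unchecked from here to a SQL parameter in another service.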

Dan Prince (dan-prince)
Changed in nova:
status: New → In Progress
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/4538

Brian Waldon (bcwaldon)
Changed in nova:
milestone: none → essex-4
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/4538
Committed: http://github.com/openstack/nova/commit/e2be2d8238c906de430611d4d0c1187b8699e87b
Submitter: Jenkins
Branch: master

commit e2be2d8238c906de430611d4d0c1187b8699e87b
Author: Dan Prince <email address hidden>
Date: Sat Feb 25 16:43:34 2012 -0500

    Update EC2KeystoneAuth to grab tenant 'id'.

    Updates the EC2KeystoneAuth middleware so that it supports
    formatting changes to the Keystone /ec2tokens extension.
    Instead of setting project_id to a tenant dict this change
    correctly sets it to an id.

    Fixes LP Bug #941119.

    Change-Id: I318ed594929162eafb5d7c3d8b9583cb109b73d4
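
A defensive form of the extraction this commit changes, as an added example that is not nova's code: every id is type-checked at the auth boundary, so a dict, None or nested value is rejected there instead of surfacing as a SQL error in another service. The names extract_identity and AuthResponseError, the fallback to a bare-string tenant, and the placeholder token and user ids are assumptions; the tenant dict is the one from the log in the bug description.

```python
class AuthResponseError(ValueError):
    """The token reply does not have the shape the middleware expects."""


def _require_id(value, field):
    # Only a non-empty string may become an id in the request context;
    # a dict, None or list is rejected here.
    if not isinstance(value, str) or not value:
        raise AuthResponseError(
            "%s must be a non-empty string, got %s" % (field, type(value).__name__))
    return value


def extract_identity(result):
    """Return (token_id, user_id, project_id, roles) from an /ec2tokens reply."""
    try:
        access = result["access"]
        token, user = access["token"], access["user"]
        tenant = token["tenant"]
        # Assumption: accept both the tenant dict and the bare id string that
        # the removed line of the patch expected.
        tenant_id = tenant["id"] if isinstance(tenant, dict) else tenant
        roles = [_require_id(role["name"], "role name") for role in user["roles"]]
        token_id, user_id = token["id"], user["id"]
    except (KeyError, TypeError, AttributeError) as exc:
        raise AuthResponseError("malformed token reply: %r" % (exc,)) from exc
    return (_require_id(token_id, "token id"), _require_id(user_id, "user id"),
            _require_id(tenant_id, "project id"), roles)


# Constructed sample reply: token and user ids are placeholders, the tenant
# dict mirrors the one visible in the network.log trace.
SAMPLE = {"access": {
    "token": {"id": "token-placeholder",
              "tenant": {"enabled": True, "description": None, "name": "admin",
                         "id": "d94c76d76d9f426eb62008d184de657f"}},
    "user": {"id": "user-placeholder", "roles": [{"name": "admin"}]},
}}

if __name__ == "__main__":
    print(extract_identity(SAMPLE))
```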

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1