Token without tenant - An unexpected error prevented the server from fulfilling your request. 'NoneType' object has no attribute 'get'
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-keystoneclient |
Invalid
|
High
|
Unassigned |
Bug Description
If I issue the
# keystone --os_auth_url http://
a new token with null (None) tenant created in the database.
The console message without tenant parameter:
No handlers could be found for logger "keystoneclient
Invalid OpenStack Identity credentials.
Note:
Console message with tenant paramter (No issue):
You are not authorized to perform the requested action: admin_required (HTTP 403)
When I try to modify the demo user's role I get on error message I am using the admin users credentials correctly in environment variables:
# keystone user-role-add --user `keystone user-list| awk '/\| demo\s*\|$/{ print $2}'` --role `keystone role-list| awk '/\| admin *\|$/ { print $2}'` --tenant `keystone tenant-list| awk '/\| demo *\| True /{ print $2}'`
Or
keystone user-role-remove --user `keystone user-list| awk '/\| demo\s*\|$/{ print $2}'` --role `keystone role-list| awk '/\| admin *\|$/ { print $2}'` --tenant `keystone tenant-list| awk '/\| demo *\| True /{ print $2}'`
(I can't modify just the user who requested token without a tenant ID)
In the console I see:
An unexpected error prevented the server from fulfilling your request. 'NoneType' object has no attribute 'get' (HTTP 500)
Exception in the keystone log file:
Exception:
2012-10-13 01:14:34 ERROR [root] 'NoneType' object has no attribute 'get'
Traceback (most recent call last):
File "/usr/lib/
result = method(context, **params)
File "/usr/lib/
self.
File "/usr/lib/
for token_id in self.list_
File "/usr/lib/
return f(*args, **kw)
File "/usr/lib/
if token_ref_
AttributeError: 'NoneType' object has no attribute 'get'
Workaround:
Ignoring the tokens without tenant
if token_ref_
I assume, it shouldn't be in the database so it is just a workaround.
Expected result:
- Do not create invalid token entry
- Always be able to change the users role as admin
Affected versions:
From Essex (openstack-
I can reproduce on a "clean" fedora 17 install. The installation based on the : http://
I can send sql dumps wireshark captures or anything else.
Changed in keystone: | |
status: | Invalid → New |
Changed in python-keystoneclient: | |
assignee: | nobody → Wu Wenxiang (wu-wenxiang) |
status: | Confirmed → In Progress |
Changed in python-keystoneclient: | |
assignee: | nobody → jiaxi (tjxiter) |
Changed in python-keystoneclient: | |
assignee: | jiaxi (tjxiter) → nobody |
Attila,
I'm afraid this is a (crappy) side effect of the V2 API. When you get a token with just a username and password, the token returned is an 'unscoped' token and of very limited capability. Pretty much the only thing you *can* do with that token is to get a list of tenants (from the AUTH_URL, not the MGMT_URL) and request a token scoped to a tenant.
If you get a token starting off with requesting an appropriate project name - i.e. adding on --tenant-name=... to your arguments, you shouldn't have any issue from there.