← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1278739] [NEW] trusts in keystone fail in backend when impersonation is not provided

 

Public bug reported:

When creating trusts in Keystone, if 'impersonation' is not provided
Keystone fails out in the backend code. This should probably be handed
at the controller level to be consistent across all backends.

lbragstad@precise64:~/curl-examples$ cat create_trust.json
{
    "trust": {
        "expires_at": "2014-02-27T18:30:59.999999Z",
        "project_id": "c7e2b98178e64418bb884929d3611b89",
        "impersonation": true,
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
        "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
    }
}

lbragstad@precise64:~/curl-examples$ cat create_trust_bad.json
{
    "trust": {
        "expires_at": "2014-02-27T18:30:59.999999Z",
        "project_id": "c7e2b98178e64418bb884929d3611b89",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
        "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
    }
}

Using impersonation in  the create_trust.json file returns a trust
successfully:

lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust.json http://localhost:5000/v3/OS-TRUST/trusts
HTTP/1.1 201 Created
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 675
Date: Sun, 09 Feb 2014 04:36:56 GMT

{"trust": {"impersonation": true, "roles_links": {"self":
"http://10.0.2.15:5000/v3/OS-
TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5/roles", "previous": null,
"next": null}, "trustor_user_id": "406e6d96a30449069bf4241a00308b23",
"links": {"self": "http://10.0.2.15:5000/v3/OS-
TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5"}, "roles": [{"id":
"937488fff5444edb9da1e93d20596d4b", "links": {"self":
"http://10.0.2.15:5000/v3/roles/937488fff5444edb9da1e93d20596d4b"},
"name": "admin"}], "expires_at": "2014-02-27T18:30:59.999999Z",
"trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998", "project_id":
"c7e2b98178e64418bb884929d3611b89", "id":
"12ce9f7214f04c018384f654f5ea9aa5"}}

When using the request without impersonation defined I get:

lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust_bad.json http://localhos
t:5000/v3/OS-TRUST/trusts
HTTP/1.1 500 Internal Server Error
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 618
Date: Sun, 09 Feb 2014 04:33:08 GMT

{"error": {"message": "An unexpected error prevented the server from fulfilling your request. (OperationalError) (1048, \"Column 'impersonation
' cannot be null\") 'INSERT INTO trust (id, trustor_user_id, trustee_user_id, project_id, impersonation, deleted_at, expires_at, extra) VALUES
(%s, %s, %s, %s, %s, %s, %s, %s)' ('b49ac0c7558a4450949c22c840db9794', '406e6d96a30449069bf4241a00308b23', 'bf3a4c9ef46d44fa9ce57349462b1998',
'c7e2b98178e64418bb884929d3611b89', None, None, datetime.datetime(2014, 2, 27, 18, 30, 59, 999999), '{\"roles\": [{\"name\": \"admin\"}]}')", "
code": 500, "title": "Internal Server Error"}}


According to the Identity V3 API, 'impersonation' is a requirement when creating a trust. https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#trusts

** Affects: keystone
     Importance: Undecided
     Assignee: Lance Bragstad (ldbragst)
         Status: In Progress


** Tags: trusts v3

** Summary changed:

- trusts in keystone fail in driver when impersonation is not provided
+ trusts in keystone fail in backend when impersonation is not provided

** Description changed:

  When creating trusts in Keystone, if 'impersonation' is not provided
  Keystone fails out in the backend code. This should probably be handed
  at the controller level to be consistent across all backends.
  
  lbragstad@precise64:~/curl-examples$ cat create_trust.json
  {
-     "trust": {
-         "expires_at": "2014-02-27T18:30:59.999999Z",
-         "project_id": "c7e2b98178e64418bb884929d3611b89",
-         "impersonation": true,
-         "roles": [
-             {
-                 "name": "admin"
-             }
-         ],
-         "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
-         "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
-     }
+     "trust": {
+         "expires_at": "2014-02-27T18:30:59.999999Z",
+         "project_id": "c7e2b98178e64418bb884929d3611b89",
+         "impersonation": true,
+         "roles": [
+             {
+                 "name": "admin"
+             }
+         ],
+         "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
+         "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
+     }
  }
  
  lbragstad@precise64:~/curl-examples$ cat create_trust_bad.json
  {
-     "trust": {
-         "expires_at": "2014-02-27T18:30:59.999999Z",
-         "project_id": "c7e2b98178e64418bb884929d3611b89",
-         "roles": [
-             {
-                 "name": "admin"
-             }
-         ],
-         "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
-         "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
-     }
+     "trust": {
+         "expires_at": "2014-02-27T18:30:59.999999Z",
+         "project_id": "c7e2b98178e64418bb884929d3611b89",
+         "roles": [
+             {
+                 "name": "admin"
+             }
+         ],
+         "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
+         "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
+     }
  }
  
  Using impersonation in  the create_trust.json file returns a trust
  successfully:
  
  lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust.json http://localhost:5000/v3/OS-TRUST/trusts
  HTTP/1.1 201 Created
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 675
  Date: Sun, 09 Feb 2014 04:36:56 GMT
  
  {"trust": {"impersonation": true, "roles_links": {"self":
  "http://10.0.2.15:5000/v3/OS-
  TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5/roles", "previous": null,
  "next": null}, "trustor_user_id": "406e6d96a30449069bf4241a00308b23",
  "links": {"self": "http://10.0.2.15:5000/v3/OS-
  TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5"}, "roles": [{"id":
  "937488fff5444edb9da1e93d20596d4b", "links": {"self":
  "http://10.0.2.15:5000/v3/roles/937488fff5444edb9da1e93d20596d4b"},
  "name": "admin"}], "expires_at": "2014-02-27T18:30:59.999999Z",
  "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998", "project_id":
  "c7e2b98178e64418bb884929d3611b89", "id":
  "12ce9f7214f04c018384f654f5ea9aa5"}}
  
  When using the request without impersonation defined I get:
  
  lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust_bad.json http://localhos
  t:5000/v3/OS-TRUST/trusts
  HTTP/1.1 500 Internal Server Error
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 618
  Date: Sun, 09 Feb 2014 04:33:08 GMT
  
  {"error": {"message": "An unexpected error prevented the server from fulfilling your request. (OperationalError) (1048, \"Column 'impersonation
  ' cannot be null\") 'INSERT INTO trust (id, trustor_user_id, trustee_user_id, project_id, impersonation, deleted_at, expires_at, extra) VALUES
  (%s, %s, %s, %s, %s, %s, %s, %s)' ('b49ac0c7558a4450949c22c840db9794', '406e6d96a30449069bf4241a00308b23', 'bf3a4c9ef46d44fa9ce57349462b1998',
  'c7e2b98178e64418bb884929d3611b89', None, None, datetime.datetime(2014, 2, 27, 18, 30, 59, 999999), '{\"roles\": [{\"name\": \"admin\"}]}')", "
  code": 500, "title": "Internal Server Error"}}
+ 
+ 
+ According to the Identity V3 API, 'impersonation' is a requirement when creating a trust. https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#trusts

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1278739

Title:
  trusts in keystone fail in backend when impersonation is not provided

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  When creating trusts in Keystone, if 'impersonation' is not provided
  Keystone fails out in the backend code. This should probably be handed
  at the controller level to be consistent across all backends.

  lbragstad@precise64:~/curl-examples$ cat create_trust.json
  {
      "trust": {
          "expires_at": "2014-02-27T18:30:59.999999Z",
          "project_id": "c7e2b98178e64418bb884929d3611b89",
          "impersonation": true,
          "roles": [
              {
                  "name": "admin"
              }
          ],
          "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
          "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
      }
  }

  lbragstad@precise64:~/curl-examples$ cat create_trust_bad.json
  {
      "trust": {
          "expires_at": "2014-02-27T18:30:59.999999Z",
          "project_id": "c7e2b98178e64418bb884929d3611b89",
          "roles": [
              {
                  "name": "admin"
              }
          ],
          "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998",
          "trustor_user_id": "406e6d96a30449069bf4241a00308b23"
      }
  }

  Using impersonation in  the create_trust.json file returns a trust
  successfully:

  lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust.json http://localhost:5000/v3/OS-TRUST/trusts
  HTTP/1.1 201 Created
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 675
  Date: Sun, 09 Feb 2014 04:36:56 GMT

  {"trust": {"impersonation": true, "roles_links": {"self":
  "http://10.0.2.15:5000/v3/OS-
  TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5/roles", "previous":
  null, "next": null}, "trustor_user_id":
  "406e6d96a30449069bf4241a00308b23", "links": {"self":
  "http://10.0.2.15:5000/v3/OS-
  TRUST/trusts/12ce9f7214f04c018384f654f5ea9aa5"}, "roles": [{"id":
  "937488fff5444edb9da1e93d20596d4b", "links": {"self":
  "http://10.0.2.15:5000/v3/roles/937488fff5444edb9da1e93d20596d4b"},
  "name": "admin"}], "expires_at": "2014-02-27T18:30:59.999999Z",
  "trustee_user_id": "bf3a4c9ef46d44fa9ce57349462b1998", "project_id":
  "c7e2b98178e64418bb884929d3611b89", "id":
  "12ce9f7214f04c018384f654f5ea9aa5"}}

  When using the request without impersonation defined I get:

  lbragstad@precise64:~/curl-examples$ curl -si -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" -d @create_trust_bad.json http://localhos
  t:5000/v3/OS-TRUST/trusts
  HTTP/1.1 500 Internal Server Error
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 618
  Date: Sun, 09 Feb 2014 04:33:08 GMT

  {"error": {"message": "An unexpected error prevented the server from fulfilling your request. (OperationalError) (1048, \"Column 'impersonation
  ' cannot be null\") 'INSERT INTO trust (id, trustor_user_id, trustee_user_id, project_id, impersonation, deleted_at, expires_at, extra) VALUES
  (%s, %s, %s, %s, %s, %s, %s, %s)' ('b49ac0c7558a4450949c22c840db9794', '406e6d96a30449069bf4241a00308b23', 'bf3a4c9ef46d44fa9ce57349462b1998',
  'c7e2b98178e64418bb884929d3611b89', None, None, datetime.datetime(2014, 2, 27, 18, 30, 59, 999999), '{\"roles\": [{\"name\": \"admin\"}]}')", "
  code": 500, "title": "Internal Server Error"}}

  
  According to the Identity V3 API, 'impersonation' is a requirement when creating a trust. https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#trusts

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1278739/+subscriptions


Follow ups

References