
yahoo-eng-team team mailing list archive

[Bug 1405726] [NEW] Federation, getting scoped token results in error.

 

Public bug reported:

I am using federation.
Following are the commands I executed.

I already have an admin_group created that gets mapped to when the user is back from doing SAML authentication with the IdP.
I then do

openstack role add --group admin_group --domain default  admin

 curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/domains -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"
{"domains": [{"links": {"self": "https://172.20.14.16:5000/v3/domains/default"}, "enabled": true, "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "name": "Default", "id": "default"}], "links": {"self": "https://172.20.14.16:5000/v3/OS-FEDERATION/domains";, "previous": null, "next": null}}

openstack role add --group admin_group --project admin admin
curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/projects -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"

****************command to get scoped token*********************************
curl --insecure -X POST https://sp.machine:35357/v3/auth/tokens  -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"  -d '{"auth":{"identity":{"methods":["saml2"],"saml2":{"id":"58e6ceef8dcf4aceb508323e5a2a7c35"}},"scope":{"project":{"domain": {"id": "default"},"name":"admin"}}}}'

This gives an error as follows
2014-12-26 05:58:14.622 26820 ERROR keystone.common.wsgi [-] (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = method(context, **params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/auth/controllers.py", line 343, in authenticate_for_token
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id, auth_context, trust, metadata_ref, include_catalog)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 428, in issue_v3_token
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 503, in _handle_saml2_tokens
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     group_ids, project_id, domain_id, user_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 199, in _populate_roles_for_groups
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py", line 320, in get_roles_for_groups
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return [role.to_dict() for role in query.all()]
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2115, in all
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return list(self)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2227, in __iter__
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return self._execute_and_instances(context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2242, in _execute_and_instances
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = conn.execute(querycontext.statement, self._params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1449, in execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1584, in _execute_clauseelement
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     compiled_sql, distilled_params
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1698, in _execute_context
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1691, in _execute_context
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/ibm_db_sa/ibm_db.py", line 104, in do_execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     cursor.execute(statement, parameters)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1334, in execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     self._set_cursor_helper()
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1217, in _set_cursor_helper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     raise self.messages[len(self.messages) - 1]
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi ProgrammingError: (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')

This is happening because of the distinct clause on the select query when the extra column is a json blob.
There are two ways to fix this.
1) Remove the distinct - I tried this and it worked.
        sql_constraints = sqlalchemy.and_(
            RoleAssignment.type == assignment_type,
            RoleAssignment.target_id == target_id,
            Role.id == RoleAssignment.role_id,
            RoleAssignment.actor_id.in_(group_ids))

        session = sql.get_session()
        with session.begin():
            query = session.query(Role).filter(
                sql_constraints)  # .distinct() removed
        return [role.to_dict() for role in query.all()]

in "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py"

2)  Cast the json blob to a varchar(xxx).

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  I am using federation.
  Following are the commands I executed.
  
  I already have an admin_group created that is gets mapped to when user is back from doing saml authentication with IdP.
  I then do
  
  openstack role add --group admin_group --domain default  admin
  
-  curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/domains -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"
+  curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/domains -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"
  {"domains": [{"links": {"self": "https://172.20.14.16:5000/v3/domains/default"}, "enabled": true, "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "name": "Default", "id": "default"}], "links": {"self": "https://172.20.14.16:5000/v3/OS-FEDERATION/domains";, "previous": null, "next": null}}
- 
  
  openstack role add --group admin_group --project admin admin
  curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/projects -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"
  
- 
  ****************command to get scoped token*********************************
  curl --insecure -X POST  POST https://sp.machine:35357/v3/auth/tokens  -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"  -d '{"auth":{"identity":{"methods":["saml2"],"saml2":{"id":"58e6ceef8dcf4aceb508323e5a2a7c35"}},"scope":{"project":{"domain": {"id": "default"},"name":"admin"}}}}'
- 
  
  This gives an error as follows
  2014-12-26 05:58:14.622 26820 ERROR keystone.common.wsgi [-] (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/auth/controllers.py", line 343, in authenticate_for_token
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id, auth_context, trust, metadata_ref, include_catalog)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 428, in issue_v3_token
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 503, in _handle_saml2_tokens
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     group_ids, project_id, domain_id, user_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 199, in _populate_roles_for_groups
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py", line 320, in get_roles_for_groups
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return [role.to_dict() for role in query.all()]
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2115, in all
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return list(self)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2227, in __iter__
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return self._execute_and_instances(context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2242, in _execute_and_instances
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = conn.execute(querycontext.statement, self._params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1449, in execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1584, in _execute_clauseelement
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     compiled_sql, distilled_params
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1698, in _execute_context
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1691, in _execute_context
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/ibm_db_sa/ibm_db.py", line 104, in do_execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     cursor.execute(statement, parameters)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1334, in execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     self._set_cursor_helper()
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1217, in _set_cursor_helper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     raise self.messages[len(self.messages) - 1]
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi ProgrammingError: (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
  
- 
  This is happening because of the distinct clause on the select query when the extra column is a json blob.
  There are two ways to fix this.
  1) Remove the distinct - I tried this and it worked.
  310         sql_constraints = sqlalchemy.and_(
  311             RoleAssignment.type == assignment_type,
  312             RoleAssignment.target_id == target_id,
  313             Role.id == RoleAssignment.role_id,
  314             RoleAssignment.actor_id.in_(group_ids))
  315
  316         session = sql.get_session()
- 317         with session.begin():
+ *317         with session.begin():
  318             query = session.query(Role).filter(
- 319                 sql_constraints)#.distinct()
+ 319                 sql_constraints)#.distinct()*
  320         return [role.to_dict() for role in query.all()]
-  
- in "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py"
+ 
+ in "/usr/lib/python2.6/site-
+ packages/keystone/assignment/backends/sql.py"
  
  2)  Cast the json blob to a varchar(xxx).
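
Review bot: with `.distinct()` commented out on line 319, the join on `Role.id == RoleAssignment.role_id` yields one row per matching assignment, so a role held through two of the `group_ids` is returned twice; the workaround should dedupe on the role id (in Python or with an id-only subquery) before building the list on line 320. The `+` versions of lines 317 and 319 also add literal `*` characters before `317` and after `.distinct()`, which makes the listing invalid Python if copied, and the path is now split after "site-"; keep the snippet verbatim and the path on one line.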

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1405726

Title:
  Federation, getting scoped token results in error.

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1405726/+subscriptions
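
Added example (not part of the bug report and not Keystone's code): the role lookup from the logged query, once with DISTINCT simply dropped and once rewritten so that role.extra is never part of a DISTINCT. SQLite stands in for DB2 here and does not reproduce SQL0134N; table and column names follow the logged SELECT, while the function names and sample rows are constructed for illustration.

```python
import json
import sqlite3

# Constructed sample data: groups g1 and g2 both hold "admin" on project p1.
ROLES = [("r-admin", "admin", json.dumps({})),
         ("r-member", "member", json.dumps({"description": "constructed"}))]
ASSIGNMENTS = [("GroupProject", "g1", "p1", "r-admin"),
               ("GroupProject", "g2", "p1", "r-admin"),
               ("GroupProject", "g2", "p1", "r-member"),
               ("GroupProject", "g2", "p2", "r-member")]


def make_db():
    """Build an in-memory database shaped like the tables in the logged query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT, extra TEXT)")
    conn.execute("CREATE TABLE assignment (type TEXT, actor_id TEXT, "
                 "target_id TEXT, role_id TEXT)")
    conn.executemany("INSERT INTO role VALUES (?, ?, ?)", ROLES)
    conn.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?)", ASSIGNMENTS)
    return conn


def _to_dicts(rows):
    return [{"id": r[0], "name": r[1], "extra": json.loads(r[2])} for r in rows]


def roles_join_without_distinct(conn, group_ids, target_id):
    """Logged query with DISTINCT dropped: one row per matching assignment."""
    if not group_ids:
        return []
    # Only the placeholder list is formatted in; values stay bound parameters.
    marks = ",".join("?" * len(group_ids))
    sql = ("SELECT role.id, role.name, role.extra FROM role, assignment "
           "WHERE assignment.type = ? AND assignment.target_id = ? "
           "AND role.id = assignment.role_id "
           "AND assignment.actor_id IN (%s) ORDER BY role.id" % marks)
    params = ["GroupProject", target_id] + list(group_ids)
    return _to_dicts(conn.execute(sql, params))


def roles_via_subquery(conn, group_ids, target_id):
    """Each role at most once; the database never has to compare role.extra."""
    if not group_ids:
        return []
    marks = ",".join("?" * len(group_ids))
    sql = ("SELECT role.id, role.name, role.extra FROM role "
           "WHERE role.id IN ("
           "SELECT assignment.role_id FROM assignment "
           "WHERE assignment.type = ? AND assignment.target_id = ? "
           "AND assignment.actor_id IN (%s)) ORDER BY role.id" % marks)
    params = ["GroupProject", target_id] + list(group_ids)
    return _to_dicts(conn.execute(sql, params))


if __name__ == "__main__":
    db = make_db()
    for fn in (roles_join_without_distinct, roles_via_subquery):
        print(fn.__name__, [r["name"] for r in fn(db, ["g1", "g2"], "p1")])
```
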

