
yahoo-eng-team team mailing list archive

[Bug 1405726] Re: getting scoped federation token fails when using db2

 

[Expired for OpenStack Identity (keystone) because there has been no
activity for 60 days.]

** Changed in: keystone
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1405726

Title:
  getting scoped federation token fails when using db2

Status in OpenStack Identity (keystone):
  Expired

Bug description:
  I am using federation.
  Following are the commands I executed.

  I already have an admin_group created that gets mapped to when the user is back from doing SAML authentication with the IdP.
  I then do

  openstack role add --group admin_group --domain default  admin

   curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/domains -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"
  {"domains": [{"links": {"self": "https://172.20.14.16:5000/v3/domains/default"}, "enabled": true, "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "name": "Default", "id": "default"}], "links": {"self": "https://172.20.14.16:5000/v3/OS-FEDERATION/domains", "previous": null, "next": null}}

  openstack role add --group admin_group --project admin admin
  curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/projects -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"

  ****************command to get scoped token*********************************
  curl --insecure -X POST  POST https://sp.machine:35357/v3/auth/tokens  -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:  58e6ceef8dcf4aceb508323e5a2a7c35"  -d '{"auth":{"identity":{"methods":["saml2"],"saml2":{"id":"58e6ceef8dcf4aceb508323e5a2a7c35"}},"scope":{"project":{"domain": {"id": "default"},"name":"admin"}}}}'

  This gives an error as follows
  2014-12-26 05:58:14.622 26820 ERROR keystone.common.wsgi [-] (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/auth/controllers.py", line 343, in authenticate_for_token
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id, auth_context, trust, metadata_ref, include_catalog)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 428, in issue_v3_token
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 503, in _handle_saml2_tokens
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     group_ids, project_id, domain_id, user_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 199, in _populate_roles_for_groups
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     domain_id)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py", line 320, in get_roles_for_groups
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return [role.to_dict() for role in query.all()]
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2115, in all
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return list(self)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2227, in __iter__
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     return self._execute_and_instances(context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2242, in _execute_and_instances
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     result = conn.execute(querycontext.statement, self._params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1449, in execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     params)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1584, in _execute_clauseelement
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     compiled_sql, distilled_params
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1698, in _execute_context
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1691, in _execute_context
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     context)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/ibm_db_sa/ibm_db.py", line 104, in do_execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     cursor.execute(statement, parameters)
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1334, in execute
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     self._set_cursor_helper()
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1217, in _set_cursor_helper
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi     raise self.messages[len(self.messages) - 1]
  2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi ProgrammingError: (ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed: [IBM][CLI Driver][DB2/LINUXX8664] SQL0134N  Improper use of a string column, host variable, constant, or function "ROLE_EXTRA".  SQLSTATE=42907 SQLCODE=-134 'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND assignment.target_id = ? AND role.id = assignment.role_id AND assignment.actor_id IN (?)' ('GroupProject', 'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')

  This is happening because of the distinct clause on the select query when the extra column is a json blob.
  There are two ways to fix this.
  1) Remove the distinct - I tried this and it worked.
          sql_constraints = sqlalchemy.and_(
              RoleAssignment.type == assignment_type,
              RoleAssignment.target_id == target_id,
              Role.id == RoleAssignment.role_id,
              RoleAssignment.actor_id.in_(group_ids))

          session = sql.get_session()
          with session.begin():
              query = session.query(Role).filter(
                  sql_constraints)  # .distinct()
          return [role.to_dict() for role in query.all()]

  in "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py"

  2)  Cast the json blob to a varchar(xxx).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1405726/+subscriptions

