Magnum

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id' when using magnum-ui

Bug #1689797 reported by Mark Goddard on 2017-05-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Magnum	Fix Released	Undecided	Mark Goddard

Bug Description

When using the magnum-ui horizon extension, viewing clusters or cluster templates fails with the following error in magnum API:

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

Detailed traceback from the logs:

2017-05-10 11:10:33.165 26 ERROR wsme.api [req-18c98aeb-aab0-4a3e-b385-435669d359b8 - - - - -] Server-side error: "'Cluster' object has no attribute 'trustee_domain_id'". Detail:
Traceback (most recent call last):

File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in callfunction
result = f(self, *args, **kwargs)

File "/usr/lib/python2.7/site-packages/magnum/api/controllers/v1/cluster.py", line 350, in get_one
action='cluster:get')

File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 96, in enforce
do_raise=do_raise, exc=exc, *args, **kwargs)

File "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 724, in enforce
result = self.rules[rule](target, creds, self)

File "/usr/lib/python2.7/site-packages/oslo_policy/_checks.py", line 204, in __call__
return enforcer.rules[self.match](target, creds, enforcer)

File "/usr/lib/python2.7/site-packages/oslo_policy/_checks.py", line 106, in __call__
return not self.rule(target, cred, enforcer)

File "/usr/lib/python2.7/site-packages/oslo_policy/_checks.py", line 297, in __call__
match = self.match % target

File "/usr/lib/python2.7/site-packages/oslo_versionedobjects/base.py", line 759, in __getitem__
return getattr(self, name)

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

2017-05-10 11:10:33.166 26 INFO werkzeug [req-18c98aeb-aab0-4a3e-b385-435669d359b8 - - - - -] 192.168.7.2 - - [10/May/2017 11:10:33] "GET /v1/clusters/8b1c36a0-b939-4758-b256-578f3ae5d585 HTTP/1.1" 500 -

Analysis:

This seems to be happening because the magnum API passes magnum.objects.cluster.Cluster (and template) objects as the 'target' argument to oslo_policy.policy.Enforcer.enforce() [1]. The enforcer expects this to be a dict, and magnum's policy.json references trustee_domain_id in the cluster:get rule, which should therefore be in the target dict.

Workaround:
I have locally worked around this [2].

[1] https://github.com/openstack/magnum/blob/9e2af470595d925202ae7c98b9eff9854a5f4507/magnum/api/controllers/v1/cluster.py#L348
[2] https://github.com/stackhpc/magnum/commit/cbbc3ebeca06bb48d63d2969e5ce4225feeeb7d2

Tags:

Revision history for this message

Mark Goddard (mgoddard) wrote on 2017-05-10:

The workaround that I initially provided has proven not to work as it prevents oslo_policy from accessing some necessary fields in the cluster object.

My second attempt[1] is looking more promising. It converts the RPC objects to mutable mappings using the as_dict() method.

[1] https://github.com/stackhpc/magnum/commit/186e10f7629c81c61301c6ca98fd7a6745d56eeb

Mark Goddard (mgoddard) on 2017-05-10

Changed in magnum:
assignee:	nobody → Mark Goddard (mgoddard)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-10: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/463825

Changed in magnum:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-14: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/463825
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=f1326626b94778dfd03e1ca76e61cbecb10495aa
Submitter: Jenkins
Branch: master

commit f1326626b94778dfd03e1ca76e61cbecb10495aa
Author: Mark Goddard <email address hidden>
Date: Wed May 10 16:50:26 2017 +0100

Pass a mutable target to oslo policy enforcer

    Magnum API previously passed magnum.objects.cluster.Cluster objects as
    the target argument to magnum.common.policy.enforce(). However, enforce()
    expects target to be a mutable mapping, as it adds an entry for
    trustee_domain_id which is used by the magnum policy.json. This causes
    cluster detailed GET requests to fail with the following message:

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

This change uses the as_dict() method of the magnum RPC objects to
provide a mutable mapping to the policy enforcer.

Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721
Closes-Bug: #1689797

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-15: Fix proposed to magnum (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/474502

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-16: Fix merged to magnum (stable/ocata)

Reviewed: https://review.openstack.org/474502
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=3afe70ad80d19ed3079fc48bdddcaf65011c48de
Submitter: Jenkins
Branch: stable/ocata

commit 3afe70ad80d19ed3079fc48bdddcaf65011c48de
Author: Mark Goddard <email address hidden>
Date: Wed May 10 16:50:26 2017 +0100

Pass a mutable target to oslo policy enforcer

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

This change uses the as_dict() method of the magnum RPC objects to
provide a mutable mapping to the policy enforcer.

    Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721
    Closes-Bug: #1689797
    (cherry picked from commit f1326626b94778dfd03e1ca76e61cbecb10495aa)