ec2tokens errors in v2 api after Ocata upgrade

Bug #1691111 reported by Jose Castro Leon
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Jose Castro Leon |
Ocata | Fix Committed | High | Unassigned |

Bug Description

After the Ocata upgrade we are seeing some errors while authenticating users using the v2 API and ec2 credentials.

Same as reported here:
https://ask.openstack.org/en/question/106557/swift3s3-api-errors-when-authenticating-with-ec2-keys/

2017-05-11 16:05:22.453 6081 INFO keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi result = method(req, **params)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_log/versionutils.py", line 178, in wrapped
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi return func_or_cls(*args, **kwargs)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 264, in authenticate
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi ec2credentials=ec2Credentials)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi ValueError: need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi

The commit "Remove metadata from token provider" with ID (I4b37289c06df2012ed4473227df5c309440af162) broke the ec2 v2 controller. The call to _authenticate expects 5 parameters in v2 and 4 in v3, giving that exception.

Also, the removal of the issue_v2_token token provider method did not take effect in the ec2 v2 controller, which is still using it.

The bug was introduced in Ocata and it is still there in the master branch.
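
For operators triaging this after an upgrade, the following is an added example (not part of the original report and not keystone code) that correlates credential-token requests with the unhandled exception that ended them. It assumes the oslo.log line layout shown in the log above; the function name, the `CRED_PATHS` list and the `req-0000...` sample line are constructed for illustration.

```python
import re

# Sample input: the req-ddd8... lines are abridged from the report above; the
# req-0000... line is constructed to show a request that did not fail.
SAMPLE_LOG = """\
2017-05-11 16:05:22.453 6081 INFO keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi ValueError: need more than 4 values to unpack
2017-05-11 16:05:23.100 6081 INFO keystone.common.wsgi [req-00000000-0000-0000-0000-000000000000 - - - - -] POST http://controller:35357/v3/ec2tokens
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<pid>\d+) (?P<level>[A-Z]+) (?P<logger>\S+) "
    r"(?:\[(?P<req>req-[0-9a-f-]+)[^\]]*\] )?(?P<msg>.*)$")
REQUEST = re.compile(r"^(?P<method>[A-Z]+) (?P<url>https?://\S+)$")
EXC = re.compile(r"^(?P<exc>[A-Za-z_][\w.]*(?:Error|Exception)): ")
CRED_PATHS = ("/ec2tokens", "/s3tokens")  # assumed endpoints of interest


def crashed_credential_requests(log_text):
    """Return credential-token requests that ended in an unhandled exception."""
    requests = {}     # request id -> record, in order of first appearance
    last_error = {}   # pid -> request id of the most recent ERROR header line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        req, pid, msg = m.group("req"), m.group("pid"), m.group("msg")
        is_error = m.group("level") == "ERROR"
        hit = REQUEST.match(msg)
        if req and hit and hit.group("url").endswith(CRED_PATHS):
            requests[req] = {"req": req, "url": hit.group("url"),
                             "error": None, "exception": None}
        elif is_error and req in requests:
            requests[req]["error"] = msg
            last_error[pid] = req
        elif is_error and not req and pid in last_error:
            # Traceback continuation lines carry no request id; tie them to
            # the last ERROR header logged by the same worker pid.
            exc = EXC.match(msg)
            if exc:
                requests[last_error[pid]]["exception"] = exc.group("exc")
    return [r for r in requests.values() if r["error"]]


if __name__ == "__main__":
    for rec in crashed_credential_requests(SAMPLE_LOG):
        print(rec)
```

A result whose `exception` is a plain Python error such as `ValueError`, rather than an authentication rejection, points to a server-side regression like this one and not to bad client credentials.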

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/465530

Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)
status: New → In Progress
Lance Bragstad (lbragstad) wrote :

A bug was opened saying that the ec2 stuff in keystone is completely untested [0]. I'm pretty sure the ec2 stuff in contrib pre-dates my involvement on the project, but I'm pretty sure there was never testing for it.

It'd be nice to have that since it would catch situations like this.

[0] https://bugs.launchpad.net/keystone/+bug/1635389

Changed in keystone:
importance: Undecided → High
Changed in keystone:
milestone: none → pike-3
tags: added: office-hours
Changed in keystone:
milestone: pike-3 → pike-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/465530
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=820d9d9a84f2a65677a2654b36a4677eaeba59fc
Submitter: Jenkins
Branch: master

commit 820d9d9a84f2a65677a2654b36a4677eaeba59fc
Author: Jose Castro Leon <email address hidden>
Date: Wed May 17 14:00:34 2017 +0200

    Fix ec2tokens validation in v2 after regression in metadata_ref removal

    Since the last patch in the ocata release that removed the metadata_ref,
    the ec2tokens api is broken due to unable to unpack the result of the
    authenticate command (4 elements) while expecting to expand it into 5.

    Change-Id: I71c4b51444ea9f7a3016b68d7dee9a4747e9c0fd
    Closes-Bug: #1691111
    Closes-Bug: #1635389

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0rc1

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/507434

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/ocata)

Reviewed: https://review.openstack.org/507434
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e1a94f39edb6cf777c71c7a511476b1e60436ab9
Submitter: Jenkins
Branch: stable/ocata

commit e1a94f39edb6cf777c71c7a511476b1e60436ab9
Author: Jose Castro Leon <email address hidden>
Date: Wed May 17 14:00:34 2017 +0200

    Fix ec2tokens validation in v2 after regression in metadata_ref removal

    Since the last patch in the ocata release that removed the metadata_ref,
    the ec2tokens api is broken due to unable to unpack the result of the
    authenticate command (4 elements) while expecting to expand it into 5.

    Change-Id: I71c4b51444ea9f7a3016b68d7dee9a4747e9c0fd
    Closes-Bug: #1691111
    Closes-Bug: #1635389
    (cherry picked from commit 820d9d9a84f2a65677a2654b36a4677eaeba59fc)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.4

This issue was fixed in the openstack/keystone 11.0.4 release.
