[Expired for OpenStack Identity (keystone) because there has been no
activity for 60 days.]
** Changed in: keystone
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1405726
Title:
getting scoped federation token fails when using db2
Status in OpenStack Identity (keystone):
Expired
Bug description:
I am using federation.
Following are the commands I executed.
I already have an admin_group created that gets mapped to when the user is
back from doing SAML authentication with the IdP.
I then do
openstack role add --group admin_group --domain default admin
curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/domains \
  -H "User-Agent: python-keystoneclient" \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: 58e6ceef8dcf4aceb508323e5a2a7c35"
{"domains": [{"links": {"self":
"https://172.20.14.16:5000/v3/domains/default"}, "enabled": true,
"description": "Owns users and tenants (i.e. projects) available on Identity
API v2.", "name": "Default", "id": "default"}], "links": {"self":
"https://172.20.14.16:5000/v3/OS-FEDERATION/domains", "previous": null, "next":
null}}
openstack role add --group admin_group --project admin admin
curl --insecure -X GET https://172.20.14.16:35357/v3/OS-FEDERATION/projects \
  -H "User-Agent: python-keystoneclient" \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: 58e6ceef8dcf4aceb508323e5a2a7c35"
****************command to get scoped token*********************************
curl --insecure -X POST https://sp.machine:35357/v3/auth/tokens \
  -H "User-Agent: python-keystoneclient" \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: 58e6ceef8dcf4aceb508323e5a2a7c35" \
  -d '{"auth":{"identity":{"methods":["saml2"],"saml2":{"id":"58e6ceef8dcf4aceb508323e5a2a7c35"}},"scope":{"project":{"domain":{"id": "default"},"name":"admin"}}}}'
This gives an error as follows
2014-12-26 05:58:14.622 26820 ERROR keystone.common.wsgi [-]
(ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed:
[IBM][CLI Driver][DB2/LINUXX8664] SQL0134N Improper use of a string column,
host variable, constant, or function "ROLE_EXTRA". SQLSTATE=42907 SQLCODE=-134
'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS
role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND
assignment.target_id = ? AND role.id = assignment.role_id AND
assignment.actor_id IN (?)' ('GroupProject',
'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi Traceback (most
recent call last):
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in
__call__
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi result =
method(context, **params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/auth/controllers.py", line 343, in
authenticate_for_token
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi domain_id,
auth_context, trust, metadata_ref, include_catalog)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in
_wrapper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi return f(*args,
**kw)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line
428, in issue_v3_token
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi domain_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line
503, in _handle_saml2_tokens
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi group_ids,
project_id, domain_id, user_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line
199, in _populate_roles_for_groups
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi domain_id)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in
_wrapper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi return f(*args,
**kw)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py", line
320, in get_roles_for_groups
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi return
[role.to_dict() for role in query.all()]
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2115, in all
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi return list(self)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2227, in
__iter__
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi return
self._execute_and_instances(context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/orm/query.py", line 2242, in
_execute_and_instances
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi result =
conn.execute(querycontext.statement, self._params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1449, in
execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi params)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1584, in
_execute_clauseelement
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi compiled_sql,
distilled_params
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1698, in
_execute_context
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/sqlalchemy/engine/base.py", line 1691, in
_execute_context
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi context)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib/python2.6/site-packages/ibm_db_sa/ibm_db.py", line 104, in do_execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi
cursor.execute(statement, parameters)
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1334, in execute
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi
self._set_cursor_helper()
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi File
"/usr/lib64/python2.6/site-packages/ibm_db_dbi.py", line 1217, in
_set_cursor_helper
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi raise
self.messages[len(self.messages) - 1]
2014-12-26 05:58:14.622 26820 TRACE keystone.common.wsgi ProgrammingError:
(ProgrammingError) ibm_db_dbi::ProgrammingError: SQLNumResultCols failed:
[IBM][CLI Driver][DB2/LINUXX8664] SQL0134N Improper use of a string column,
host variable, constant, or function "ROLE_EXTRA". SQLSTATE=42907 SQLCODE=-134
'SELECT DISTINCT role.id AS role_id, role.name AS role_name, role.extra AS
role_extra \nFROM role, assignment \nWHERE assignment."type" = ? AND
assignment.target_id = ? AND role.id = assignment.role_id AND
assignment.actor_id IN (?)' ('GroupProject',
'c9efdd57ae9d4f5f97d07424c5c4da90', '83ef4a24bf18480f849e903ddfaba7a9')
This is happening because of the distinct clause on the select query when the
extra column is a json blob.
There are two ways to fix this.
1) Remove the distinct - I tried this and it worked.
    sql_constraints = sqlalchemy.and_(
        RoleAssignment.type == assignment_type,
        RoleAssignment.target_id == target_id,
        Role.id == RoleAssignment.role_id,
        RoleAssignment.actor_id.in_(group_ids))

    session = sql.get_session()
    with session.begin():
        query = session.query(Role).filter(
            sql_constraints)  # .distinct()
    return [role.to_dict() for role in query.all()]

in "/usr/lib/python2.6/site-packages/keystone/assignment/backends/sql.py"
2) Cast the json blob to a varchar(xxx).