Fix NoneType error when [service_user] is misconfigured

If the [service_user]/send_service_user_token option is set to True but the actual auth options are incomplete, like missing to set the auth_type option, we eventually fail to re-auth with keystone due to a NoneType error in keystoneauth1. We can detect this issue because load_auth_from_conf_options will return None and we can just log a warning and continue as if the service user was never configured in the first place. Co-Authored-By: Eric Fried <efried@us.ibm.com> Change-Id: I0a96c835d620307f1ab34736ba42c2deb1321a23 Closes-Bug: #1733642
2017-11-21 12:01:33 -05:00 · 2017-11-21 12:01:33 -05:00 · cff8b08837
commit cff8b08837
parent 42706270b9
3 changed files with 33 additions and 2 deletions
--- a/nova/service_auth.py
+++ b/nova/service_auth.py
@ -13,15 +13,23 @@

 from keystoneauth1 import loading as ks_loading
 from keystoneauth1 import service_token
+from oslo_log import log as logging

 import nova.conf


 CONF = nova.conf.CONF
+LOG = logging.getLogger(__name__)

 _SERVICE_AUTH = None


+def reset_globals():
+    """For async unit test consistency."""
+    global _SERVICE_AUTH
+    _SERVICE_AUTH = None
+
+
 def get_auth_plugin(context):
    user_auth = context.get_auth_plugin()

@ -32,6 +40,12 @@ def get_auth_plugin(context):
                                CONF,
                                group=
                                nova.conf.service_token.SERVICE_USER_GROUP)
+            if _SERVICE_AUTH is None:
+                # This indicates a misconfiguration so log a warning and
+                # return the user_auth.
+                LOG.warning('Unable to load auth from [service_user] '
+                            'configuration. Ensure "auth_type" is set.')
+                return user_auth
        return service_token.ServiceTokenAuthWrapper(
                   user_auth=user_auth,
                   service_auth=_SERVICE_AUTH)
--- a/nova/tests/unit/network/test_neutronv2.py
+++ b/nova/tests/unit/network/test_neutronv2.py
@ -47,6 +47,7 @@ from nova.pci import manager as pci_manager
 from nova.pci import utils as pci_utils
 from nova.pci import whitelist as pci_whitelist
 from nova import policy
+from nova import service_auth
 from nova import test
 from nova.tests.unit import fake_instance
 from nova.tests import uuidsentinel as uuids
@ -121,6 +122,7 @@ class TestNeutronClient(test.NoDBTestCase):
    def setUp(self):
        super(TestNeutronClient, self).setUp()
        neutronapi.reset_state()
+        self.addCleanup(service_auth.reset_globals)

    def test_withtoken(self):
        self.flags(url='http://anyhost/', group='neutron')
@ -141,7 +143,8 @@ class TestNeutronClient(test.NoDBTestCase):
                          neutronapi.get_client,
                          my_context)

-    def test_non_admin_with_service_token(self):
+    @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
+    def test_non_admin_with_service_token(self, mock_load):
        self.flags(send_service_user_token=True, group='service_user')

        my_context = context.RequestContext('userid',
--- a/nova/tests/unit/test_service_auth.py
+++ b/nova/tests/unit/test_service_auth.py
@ -28,6 +28,7 @@ class ServiceAuthTestCase(test.NoDBTestCase):
    def setUp(self):
        super(ServiceAuthTestCase, self).setUp()
        self.ctx = context.RequestContext('fake', 'fake')
+        self.addCleanup(service_auth.reset_globals)

    @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
    def test_get_auth_plugin_no_wraps(self, mock_load):
@ -39,9 +40,22 @@ class ServiceAuthTestCase(test.NoDBTestCase):
        self.assertEqual("fake", result)
        mock_load.assert_not_called()

-    def test_get_auth_plugin_wraps(self):
+    @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
+    def test_get_auth_plugin_wraps(self, mock_load):
        self.flags(send_service_user_token=True, group='service_user')

        result = service_auth.get_auth_plugin(self.ctx)

        self.assertIsInstance(result, service_token.ServiceTokenAuthWrapper)
+
+    @mock.patch.object(ks_loading, 'load_auth_from_conf_options',
+                       return_value=None)
+    def test_get_auth_plugin_wraps_bad_config(self, mock_load):
+        """Tests the case that send_service_user_token is True but there
+        is some misconfiguration with the [service_user] section which makes
+        KSA return None for the service user auth.
+        """
+        self.flags(send_service_user_token=True, group='service_user')
+        result = service_auth.get_auth_plugin(self.ctx)
+        self.assertEqual(1, mock_load.call_count)
+        self.assertNotIsInstance(result, service_token.ServiceTokenAuthWrapper)