Fix NoneType error when [service_user] is misconfigured
If the [service_user]/send_service_user_token option is set to True but the actual auth options are incomplete, like missing to set the auth_type option, we eventually fail to re-auth with keystone due to a NoneType error in keystoneauth1. We can detect this issue because load_auth_from_conf_options will return None and we can just log a warning and continue as if the service user was never configured in the first place. Co-Authored-By: Eric Fried <efried@us.ibm.com> Change-Id: I0a96c835d620307f1ab34736ba42c2deb1321a23 Closes-Bug: #1733642
This commit is contained in:
parent
42706270b9
commit
cff8b08837
@ -13,15 +13,23 @@
|
|||||||
|
|
||||||
from keystoneauth1 import loading as ks_loading
|
from keystoneauth1 import loading as ks_loading
|
||||||
from keystoneauth1 import service_token
|
from keystoneauth1 import service_token
|
||||||
|
from oslo_log import log as logging
|
||||||
|
|
||||||
import nova.conf
|
import nova.conf
|
||||||
|
|
||||||
|
|
||||||
CONF = nova.conf.CONF
|
CONF = nova.conf.CONF
|
||||||
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
_SERVICE_AUTH = None
|
_SERVICE_AUTH = None
|
||||||
|
|
||||||
|
|
||||||
|
def reset_globals():
|
||||||
|
"""For async unit test consistency."""
|
||||||
|
global _SERVICE_AUTH
|
||||||
|
_SERVICE_AUTH = None
|
||||||
|
|
||||||
|
|
||||||
def get_auth_plugin(context):
|
def get_auth_plugin(context):
|
||||||
user_auth = context.get_auth_plugin()
|
user_auth = context.get_auth_plugin()
|
||||||
|
|
||||||
@ -32,6 +40,12 @@ def get_auth_plugin(context):
|
|||||||
CONF,
|
CONF,
|
||||||
group=
|
group=
|
||||||
nova.conf.service_token.SERVICE_USER_GROUP)
|
nova.conf.service_token.SERVICE_USER_GROUP)
|
||||||
|
if _SERVICE_AUTH is None:
|
||||||
|
# This indicates a misconfiguration so log a warning and
|
||||||
|
# return the user_auth.
|
||||||
|
LOG.warning('Unable to load auth from [service_user] '
|
||||||
|
'configuration. Ensure "auth_type" is set.')
|
||||||
|
return user_auth
|
||||||
return service_token.ServiceTokenAuthWrapper(
|
return service_token.ServiceTokenAuthWrapper(
|
||||||
user_auth=user_auth,
|
user_auth=user_auth,
|
||||||
service_auth=_SERVICE_AUTH)
|
service_auth=_SERVICE_AUTH)
|
||||||
|
@ -47,6 +47,7 @@ from nova.pci import manager as pci_manager
|
|||||||
from nova.pci import utils as pci_utils
|
from nova.pci import utils as pci_utils
|
||||||
from nova.pci import whitelist as pci_whitelist
|
from nova.pci import whitelist as pci_whitelist
|
||||||
from nova import policy
|
from nova import policy
|
||||||
|
from nova import service_auth
|
||||||
from nova import test
|
from nova import test
|
||||||
from nova.tests.unit import fake_instance
|
from nova.tests.unit import fake_instance
|
||||||
from nova.tests import uuidsentinel as uuids
|
from nova.tests import uuidsentinel as uuids
|
||||||
@ -121,6 +122,7 @@ class TestNeutronClient(test.NoDBTestCase):
|
|||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(TestNeutronClient, self).setUp()
|
super(TestNeutronClient, self).setUp()
|
||||||
neutronapi.reset_state()
|
neutronapi.reset_state()
|
||||||
|
self.addCleanup(service_auth.reset_globals)
|
||||||
|
|
||||||
def test_withtoken(self):
|
def test_withtoken(self):
|
||||||
self.flags(url='http://anyhost/', group='neutron')
|
self.flags(url='http://anyhost/', group='neutron')
|
||||||
@ -141,7 +143,8 @@ class TestNeutronClient(test.NoDBTestCase):
|
|||||||
neutronapi.get_client,
|
neutronapi.get_client,
|
||||||
my_context)
|
my_context)
|
||||||
|
|
||||||
def test_non_admin_with_service_token(self):
|
@mock.patch.object(ks_loading, 'load_auth_from_conf_options')
|
||||||
|
def test_non_admin_with_service_token(self, mock_load):
|
||||||
self.flags(send_service_user_token=True, group='service_user')
|
self.flags(send_service_user_token=True, group='service_user')
|
||||||
|
|
||||||
my_context = context.RequestContext('userid',
|
my_context = context.RequestContext('userid',
|
||||||
|
@ -28,6 +28,7 @@ class ServiceAuthTestCase(test.NoDBTestCase):
|
|||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(ServiceAuthTestCase, self).setUp()
|
super(ServiceAuthTestCase, self).setUp()
|
||||||
self.ctx = context.RequestContext('fake', 'fake')
|
self.ctx = context.RequestContext('fake', 'fake')
|
||||||
|
self.addCleanup(service_auth.reset_globals)
|
||||||
|
|
||||||
@mock.patch.object(ks_loading, 'load_auth_from_conf_options')
|
@mock.patch.object(ks_loading, 'load_auth_from_conf_options')
|
||||||
def test_get_auth_plugin_no_wraps(self, mock_load):
|
def test_get_auth_plugin_no_wraps(self, mock_load):
|
||||||
@ -39,9 +40,22 @@ class ServiceAuthTestCase(test.NoDBTestCase):
|
|||||||
self.assertEqual("fake", result)
|
self.assertEqual("fake", result)
|
||||||
mock_load.assert_not_called()
|
mock_load.assert_not_called()
|
||||||
|
|
||||||
def test_get_auth_plugin_wraps(self):
|
@mock.patch.object(ks_loading, 'load_auth_from_conf_options')
|
||||||
|
def test_get_auth_plugin_wraps(self, mock_load):
|
||||||
self.flags(send_service_user_token=True, group='service_user')
|
self.flags(send_service_user_token=True, group='service_user')
|
||||||
|
|
||||||
result = service_auth.get_auth_plugin(self.ctx)
|
result = service_auth.get_auth_plugin(self.ctx)
|
||||||
|
|
||||||
self.assertIsInstance(result, service_token.ServiceTokenAuthWrapper)
|
self.assertIsInstance(result, service_token.ServiceTokenAuthWrapper)
|
||||||
|
|
||||||
|
@mock.patch.object(ks_loading, 'load_auth_from_conf_options',
|
||||||
|
return_value=None)
|
||||||
|
def test_get_auth_plugin_wraps_bad_config(self, mock_load):
|
||||||
|
"""Tests the case that send_service_user_token is True but there
|
||||||
|
is some misconfiguration with the [service_user] section which makes
|
||||||
|
KSA return None for the service user auth.
|
||||||
|
"""
|
||||||
|
self.flags(send_service_user_token=True, group='service_user')
|
||||||
|
result = service_auth.get_auth_plugin(self.ctx)
|
||||||
|
self.assertEqual(1, mock_load.call_count)
|
||||||
|
self.assertNotIsInstance(result, service_token.ServiceTokenAuthWrapper)
|
||||||
|
Loading…
Reference in New Issue
Block a user