Fix NoneType error when [service_user] is misconfigured

If the [service_user]/send_service_user_token option is
set to True but the actual auth options are incomplete,
like missing to set the auth_type option, we eventually
fail to re-auth with keystone due to a NoneType error
in keystoneauth1.

We can detect this issue because load_auth_from_conf_options
will return None and we can just log a warning and continue
as if the service user was never configured in the first place.

Co-Authored-By: Eric Fried <efried@us.ibm.com>
Change-Id: I0a96c835d620307f1ab34736ba42c2deb1321a23
Closes-Bug: #1733642
This commit is contained in:
Matt Riedemann 2017-11-21 12:01:33 -05:00 committed by Eric Fried
parent 42706270b9
commit cff8b08837
3 changed files with 33 additions and 2 deletions

View File

@ -13,15 +13,23 @@
from keystoneauth1 import loading as ks_loading from keystoneauth1 import loading as ks_loading
from keystoneauth1 import service_token from keystoneauth1 import service_token
from oslo_log import log as logging
import nova.conf import nova.conf
CONF = nova.conf.CONF CONF = nova.conf.CONF
LOG = logging.getLogger(__name__)
_SERVICE_AUTH = None _SERVICE_AUTH = None
def reset_globals():
"""For async unit test consistency."""
global _SERVICE_AUTH
_SERVICE_AUTH = None
def get_auth_plugin(context): def get_auth_plugin(context):
user_auth = context.get_auth_plugin() user_auth = context.get_auth_plugin()
@ -32,6 +40,12 @@ def get_auth_plugin(context):
CONF, CONF,
group= group=
nova.conf.service_token.SERVICE_USER_GROUP) nova.conf.service_token.SERVICE_USER_GROUP)
if _SERVICE_AUTH is None:
# This indicates a misconfiguration so log a warning and
# return the user_auth.
LOG.warning('Unable to load auth from [service_user] '
'configuration. Ensure "auth_type" is set.')
return user_auth
return service_token.ServiceTokenAuthWrapper( return service_token.ServiceTokenAuthWrapper(
user_auth=user_auth, user_auth=user_auth,
service_auth=_SERVICE_AUTH) service_auth=_SERVICE_AUTH)

View File

@ -47,6 +47,7 @@ from nova.pci import manager as pci_manager
from nova.pci import utils as pci_utils from nova.pci import utils as pci_utils
from nova.pci import whitelist as pci_whitelist from nova.pci import whitelist as pci_whitelist
from nova import policy from nova import policy
from nova import service_auth
from nova import test from nova import test
from nova.tests.unit import fake_instance from nova.tests.unit import fake_instance
from nova.tests import uuidsentinel as uuids from nova.tests import uuidsentinel as uuids
@ -121,6 +122,7 @@ class TestNeutronClient(test.NoDBTestCase):
def setUp(self): def setUp(self):
super(TestNeutronClient, self).setUp() super(TestNeutronClient, self).setUp()
neutronapi.reset_state() neutronapi.reset_state()
self.addCleanup(service_auth.reset_globals)
def test_withtoken(self): def test_withtoken(self):
self.flags(url='http://anyhost/', group='neutron') self.flags(url='http://anyhost/', group='neutron')
@ -141,7 +143,8 @@ class TestNeutronClient(test.NoDBTestCase):
neutronapi.get_client, neutronapi.get_client,
my_context) my_context)
def test_non_admin_with_service_token(self): @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
def test_non_admin_with_service_token(self, mock_load):
self.flags(send_service_user_token=True, group='service_user') self.flags(send_service_user_token=True, group='service_user')
my_context = context.RequestContext('userid', my_context = context.RequestContext('userid',

View File

@ -28,6 +28,7 @@ class ServiceAuthTestCase(test.NoDBTestCase):
def setUp(self): def setUp(self):
super(ServiceAuthTestCase, self).setUp() super(ServiceAuthTestCase, self).setUp()
self.ctx = context.RequestContext('fake', 'fake') self.ctx = context.RequestContext('fake', 'fake')
self.addCleanup(service_auth.reset_globals)
@mock.patch.object(ks_loading, 'load_auth_from_conf_options') @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
def test_get_auth_plugin_no_wraps(self, mock_load): def test_get_auth_plugin_no_wraps(self, mock_load):
@ -39,9 +40,22 @@ class ServiceAuthTestCase(test.NoDBTestCase):
self.assertEqual("fake", result) self.assertEqual("fake", result)
mock_load.assert_not_called() mock_load.assert_not_called()
def test_get_auth_plugin_wraps(self): @mock.patch.object(ks_loading, 'load_auth_from_conf_options')
def test_get_auth_plugin_wraps(self, mock_load):
self.flags(send_service_user_token=True, group='service_user') self.flags(send_service_user_token=True, group='service_user')
result = service_auth.get_auth_plugin(self.ctx) result = service_auth.get_auth_plugin(self.ctx)
self.assertIsInstance(result, service_token.ServiceTokenAuthWrapper) self.assertIsInstance(result, service_token.ServiceTokenAuthWrapper)
@mock.patch.object(ks_loading, 'load_auth_from_conf_options',
return_value=None)
def test_get_auth_plugin_wraps_bad_config(self, mock_load):
"""Tests the case that send_service_user_token is True but there
is some misconfiguration with the [service_user] section which makes
KSA return None for the service user auth.
"""
self.flags(send_service_user_token=True, group='service_user')
result = service_auth.get_auth_plugin(self.ctx)
self.assertEqual(1, mock_load.call_count)
self.assertNotIsInstance(result, service_token.ServiceTokenAuthWrapper)