[keystone][oslo] presence of policy.json breaks Keystone?
Ben Nemec
openstack at nemebean.com
Tue Sep 24 13:30:16 UTC 2019
On 9/23/19 10:46 PM, Bernd Bausch wrote:
> This is on a stable Stein Devstack. Problem description:
>
> ubuntu@devstack:~$ oslopolicy-sample-generator --namespace keystone >/etc/keystone/policy.json
> ubuntu@devstack:~$ openstack user list
> Internal Server Error (HTTP 500)
>
> Note that I did not modify the policy.json file above. Its mere
> presence is sufficient to cause the problem. When I remove it and
> restart Keystone, the problem goes away.
>
> The Keystone log contains a huge stacktrace with two methods in
> oslopolicy/_checks.py playing ping-pong with each other until they give
> up with RuntimeError: maximum recursion depth exceeded.
>
> This only happens with Keystone. Nova and Cinder (which also keep policy
> in code) are fine.
>
> This looks like a bug, but I didn't find it in launchpad. Is there a
> workaround? I would like to use a modified Keystone policy in a training
> course.

Unfortunately there are two potential bugs that you may be hitting.
Fortunately they're both fixed on master. I've proposed backports of the
patches to stable/stein.

First is bad aliases created when a policy rule is deprecated but the
name isn't changed: https://review.opendev.org/#/c/684316

Second is a problem with the deprecation logic that can cause an
implicit loop because of how we handle overrides of deprecated policies:
https://review.opendev.org/#/c/684314/

I'm guessing you're hitting one of those. This is a relatively new thing
because of the migration to use scopes in Keystone, which is why you
don't see it in any of the other projects.

>
> Thanks for any feedback.
>
> Bernd.
>
>
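
An added example, not part of the original message and not oslo.policy code: a stand-alone check that scans a policy file's `rule:` references for loops of the kind discussed in the reply, so a generated file can be vetted before it is deployed. The sample rules are constructed, and the self-referencing alias shape and the `find_rule_cycles` helper are assumptions made for illustration.

```python
import json
import re

# Constructed sample, not taken from the thread. The second entry is a
# self-referencing alias (assumed shape of a "bad alias"); the third and
# fourth entries form an indirect loop.
SAMPLE_POLICY = json.loads("""
{
  "admin_required": "role:admin",
  "identity:get_user": "rule:identity:get_user",
  "identity:list_users": "rule:identity:list_users_old or rule:admin_required",
  "identity:list_users_old": "rule:identity:list_users",
  "identity:create_user": "rule:admin_required"
}
""")

# A reference is "rule:<name>"; the name runs to whitespace or a parenthesis.
RULE_REF = re.compile(r"\brule:([^\s()]+)")


def find_rule_cycles(policy):
    """Return each reference loop as a list of rule names, e.g. [a, b, a]."""
    refs = {name: RULE_REF.findall(str(expr)) for name, expr in policy.items()}
    cycles, done = [], set()

    def visit(name, path):
        if name in path:
            # Reached a rule already on the current path: record the loop.
            cycles.append(path[path.index(name):] + [name])
            return
        if name in done or name not in refs:
            return  # already cleared, or defined elsewhere (e.g. in code)
        for target in refs[name]:
            visit(target, path + [name])
        done.add(name)

    for name in sorted(refs):
        visit(name, [])
    return cycles


if __name__ == "__main__":
    for cycle in find_rule_cycles(SAMPLE_POLICY):
        print(" -> ".join(cycle))
```

The check only sees references inside the file it is given; rules defined in code and not overridden in the file are treated as leaves.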