[keystone][oslo] presence of policy.json breaks Keystone?
Thomas Goirand
zigo at debian.org
Tue Sep 24 15:17:31 UTC 2019
On 9/24/19 3:30 PM, Ben Nemec wrote:
>
> On 9/23/19 10:46 PM, Bernd Bausch wrote:
>> This is on a stable Stein Devstack. Problem description:
>>
>> ubuntu at devstack:~$ oslopolicy-sample-generator --namespace keystone
>> >/etc/keystone/policy.json
>> ubuntu at devstack:~$ openstack user list
>> Internal Server Error (HTTP 500)
>>
>> Note that I did not modify the policy.json file above. It's mere
>> presence is sufficient to cause the problem. When I remove it and
>> restart Keystone, the problem goes away.
>>
>> The Keystone log contains a huge stacktrace with two methods in
>> oslopolicy/_checks.py playing ping-pong with each other until they
>> give up with RuntimeError: maximum recursion depth exceeded.
>>
>> This only happens with Keystone. Nova and Cinder (which also keep
>> policy in code) are fine.
>>
>> This looks like a bug, but I didn't find it in launchpad. Is there a
>> workaround? I would like to use a modified Keystone policy in a
>> training course.
>
> Unfortunately there are two potential bugs that you may be hitting.
> Fortunately they're both fixed on master. I've proposed backports of the
> patches to stable/stein.
>
> First is bad aliases created when a policy rule is deprecated but the
> name isn't changed: https://review.opendev.org/#/c/684316
>
> Second is a problem with the deprecation logic that can cause an
> implicit loop because of how we handle overrides of deprecated policies:
> https://review.opendev.org/#/c/684314/
>
> I'm guessing you're hitting one of those. This is a relatively new thing
> because of the migration to use scopes in Keystone, which is why you
> don't see it in any of the other projects.
Hi Ben,
Please do backport these patch, they are useful, and the bug is kind of
annoying. :)
Cheers,
Thomas Goirand (zigo)
More information about the openstack-discuss
mailing list