Discovered with and applies to openstack-keystone-2013.1.1-1.el6ost. When there are existing Trusts with Roles specified, the list-trusts request fails with 500 Internal Server Error. When there are Trusts but non of them has the Role(s) specified, or after they were deleted, listing of Trusts works correctly. 1) Create Role/User/Project and add that role to the user on that project > keystone tenant-create/user-create ... > keystone role-create --name testRole > keystone user-role-add --user yourUser --role testRole --tenant yourProject 2) Create Trust with a Role(s) specified with request like this: > localhost:5000 POST /v3/OS-TRUST/trusts > {"trust": > {"impersonation":false, > "project_id":"<your-project-id>", > "trustor_user_id":"<your-user-id>", > "trustee_user_id":"<other-user-id>", > "roles":[{"name":"testRole"}] > }} 3) List Trusts > localhost:5000 GET /v3/OS-TRUST/trusts which ends with 500 error instead of response with list of Trusts: > reply: 'HTTP/1.1 500 Internal Server Error\r\n' > header: Vary: X-Auth-Token > header: Content-Type: application/json > header: Content-Length: 148 > header: Date: Wed, 22 May 2013 15:30:33 GMT > Reply body: > {'error': {'code': 500, > 'message': "An unexpected error prevented the server from > fulfilling your request. 'id'", > 'title': 'Internal Server Error'}} In the keystone.log there is following backtrace after such request: > 2013-05-22 17:30:33 ERROR [root] 'id' > Traceback (most recent call last): > File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 236, in __call__ > result = method(context, **params) > File "/usr/lib/python2.6/site-packages/keystone/common/controller.py", line 104, in wrapper > return f(self, context, **kwargs) > File "/usr/lib/python2.6/site-packages/keystone/trust/controllers.py", line 181, in list_trusts > self._fill_in_roles(context, trust, global_roles) > File "/usr/lib/python2.6/site-packages/keystone/trust/controllers.py", line 76, in _fill_in_roles > if x['id'] == trust_role['id']] > KeyError: 'id'
Discovered this as well today. It is only reproducable when using role_names not the ids.
Upstream bug was marked as a duplicate. Fix was commited in Reviewed: https://review.openstack.org/60301 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ab0e2c7667a9adc46fece742e1ee8160879b497b
Seems that now this bug applies to stable branches, not just master where it was fixed, so maybe it should be backported stable/havana?
successfully listed trusts in: openstack-keystone-2013.2.2-1.el6ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0213.html