Unmatched Groups in Federation Mapping raise errors

Bug #1429334 reported by Adam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Adam Young |

Bug Description

Mapping groups from REMOTE_USER_GROUPS (or comparable) via the rule:

    "local": [
        {
            "group": {
                "name": "{0}",
                "domain": {"name": "Default"}
            }
        }
    ],
    "remote": [
        {
            "type": "REMOTE_USER_GROUPS"
        }
    ]

{"error": {"message": "Group {0} returned by mapping kerberos_mapping was not found in the backend. (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

Will throw an error if a group in the assertion does not exist in the Groups list. This means that all groups from all users must exist. Much more expected is for unmatched groups to be dropped.

This should not throw a 500 error.

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
Adam Young (ayoung)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/162788

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
milestone: none → kilo-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/162788
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f4708ec55b7ffe252a21414346c1930da19af8b5
Submitter: Jenkins
Branch: master

commit f4708ec55b7ffe252a21414346c1930da19af8b5
Author: Adam Young <email address hidden>
Date: Mon Mar 9 18:43:41 2015 -0400

    Ignore unknown groups in lists for Federation

    Ignore groups that don't match ones in the backend.
    For Federation this will be the norm;
    groups may pass the blacklist but Keystone doesn't know about them.
    Otherwise, any additional groups sent by the external IdP will
    break the mapping

    Change-Id: Ic1729da8606f50458db2fd163cd90bc5d89e24fa
    Closes-Bug: 1429334
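
The behaviour change described in the bug and the commit message, as an added sketch that is not keystone's own code: the same expanded rule resolved strictly (one unknown group fails the request) and leniently (unknown groups are dropped and logged). `BACKEND_GROUPS`, the group ids, the asserted group list and all function names are hypothetical.

```python
import logging

LOG = logging.getLogger("federation_mapping_example")

# Constructed stand-in for the identity backend: (domain, group name) -> group id.
BACKEND_GROUPS = {
    ("Default", "admins"): "g-001",
    ("Default", "developers"): "g-002",
}


class GroupNotFound(Exception):
    """A mapped group name has no counterpart in the backend."""


def expand_rule(local_rule, remote_groups):
    """Substitute each asserted group name for "{0}" in the rule's group entry."""
    template = local_rule["group"]
    return [
        {"name": template["name"].format(name), "domain": dict(template["domain"])}
        for name in remote_groups
    ]


def resolve_groups(mapped_groups, backend=BACKEND_GROUPS, strict=False):
    """Return backend ids for the mapped groups.

    strict=True mirrors the reported behaviour: one unknown group fails the
    whole request. strict=False drops unknown groups and logs each one, so
    the decision stays visible to whoever audits the mapping.
    """
    group_ids = []
    for group in mapped_groups:
        key = (group["domain"]["name"], group["name"])
        group_id = backend.get(key)
        if group_id is None:
            if strict:
                raise GroupNotFound(group["name"])
            LOG.warning("dropping group %r not found in domain %r", key[1], key[0])
            continue
        group_ids.append(group_id)
    return group_ids


# Rule taken from the bug report; the asserted group list is constructed.
LOCAL_RULE = {"group": {"name": "{0}", "domain": {"name": "Default"}}}
ASSERTED = ["admins", "hr-mailing-list", "developers"]
```

An empty result means the assertion matched no local group; the caller has to treat that as no group-derived access rather than as a server error.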

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0