Returning federated user fails to authenticate with HTTP 500

Bug #1566282 reported by Boris Bobrov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Critical | Boris Bobrov |
Mitaka | Fix Released | Critical | Boris Bobrov |
Newton | Fix Released | Critical | Boris Bobrov |

Bug Description

I've set up stable/mitaka keystone with AD FS and it worked. After some time, I decided to test the setup again and after trying to authenticate I've got HTTP 500.

In keystone logs, there is this: http://paste.openstack.org/show/492968/ (the logs are the same as below).

This happens because self.update_federated_user_display_name is called in identity_api.shadow_federated_user. Since no update_federated_user_display_name is defined in identity_api, __getattr__ tries to look up the name in the driver. The driver used for identity_api doesn't have update_federated_user_display_name, and AttributeError is raised.

The issue seems to exist on both stable/mitaka and master (6f9f390).

2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7fef82155850> _update_local_mapping /opt/stack/keystone/keystone/federation/utils.py:691
2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] local: {u'id': u'f7567142a8024543ab678de7be553dbf'} _update_local_mapping /opt/stack/keystone/keystone/federation/utils.py:692
2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] identity_values: [{u'user': {u'domain': {u'name': u'Default'}, u'name': <email address hidden>'}}, {u'group': {u'id': u'f7567142a8024543ab678de7be553dbf'}}] process /opt/stack/keystone/keystone/federation/utils.py:535
2016-04-05 11:53:56.174 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] mapped_properties: {'group_ids': [u'f7567142a8024543ab678de7be553dbf'], 'user': {u'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'breton@winad.org'}, 'group_names': []} process /opt/stack/keystone/keystone/federation/utils.py:537
2016-04-05 11:53:56.273 2100 ERROR keystone.common.wsgi [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] 'Identity' object has no attribute 'update_federated_user_display_name'
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi result = method(context, **params)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/controllers.py", line 320, in federated_sso_auth
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi protocol_id)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/controllers.py", line 302, in federated_authentication
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi auth_context)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi self.identity_api)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 153, in handle_unscoped_token
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi display_name)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 124, in wrapped
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1053, in decorate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi should_cache_fn)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 657, in get_or_create
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi async_creator) as value:
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return self._enter()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi generated = self._enter_create(createdtime)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi created = self.creator()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 625, in gen_value
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi created_value = creator()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1049, in creator
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return fn(*arg, **kw)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/identity/core.py", line 1242, in shadow_federated_user
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi self.update_federated_user_display_name(idp_id, protocol_id,
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 187, in __getattr__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi f = getattr(self.driver, name)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi AttributeError: 'Identity' object has no attribute 'update_federated_user_display_name'
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi

Boris Bobrov (bbobrov)
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/301795

Changed in keystone:
status: New → In Progress
Boris Bobrov (bbobrov)
tags: added: mitaka-rc-potential
Changed in keystone:
assignee: Boris Bobrov (bbobrov) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/301878

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/301795
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ad4f8728cce354617b5facefe5076d65af311c6
Submitter: Jenkins
Branch: master

commit 7ad4f8728cce354617b5facefe5076d65af311c6
Author: Boris Bobrov <email address hidden>
Date: Tue Apr 5 18:50:48 2016 +0300

    Update federated user display name with shadow_users_api

    When a user comes to the cloud for the first time, a shadow user is
    created. When the user authenticates again, this shadow user is
    fetched and returned. Before it is returned, its display name should
    be updated. But the call to update the display name fails because
    neither identity manager nor identity drivers have the required
    method. However, the required method exists in shadow_users_api.

    The issue was hidden because method shadow_federated_user was
    cached and while the cache lived, the user could authenticate.

    Use the method of shadow_user_api instead of identity_api to update
    federated user display name.

    Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
    Closes-Bug: 1566282
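
The failure described in the bug description and in the commit message above, as an added Python model that is not keystone's code: a manager whose `__getattr__` falls through to its driver, with a cached `shadow_federated_user` that hides the missing method until the cache expires. Only the names `shadow_federated_user`, `update_federated_user_display_name` and `shadow_users_api` come from the report; the class bodies, the dictionary cache and the sample values (`adfs`, `saml2`, `u1`, `Alice`) are constructed for illustration.

```python
class Manager:
    """Simplified manager: unknown attributes fall through to the driver."""
    def __init__(self, driver):
        self.driver = driver
    def __getattr__(self, name):  # reached only when normal lookup fails
        return getattr(self.driver, name)

class IdentityDriver:
    """Constructed driver with no update_federated_user_display_name."""

class ShadowUsers:
    """Constructed stand-in for shadow_users_api, which defines the method."""
    def __init__(self):
        self.users = {}
    def update_federated_user_display_name(self, key, display_name):
        self.users[key]["name"] = display_name

class Identity(Manager):
    def __init__(self, shadow_users_api, fixed):
        super().__init__(IdentityDriver())
        self.shadow_users_api, self.fixed = shadow_users_api, fixed
        self._cache = {}  # stand-in for the memoization cache

    def shadow_federated_user(self, idp_id, protocol_id, unique_id, display_name):
        key = (idp_id, protocol_id, unique_id)
        if key in self._cache:  # cache hit: the body below never runs
            return self._cache[key]
        users = self.shadow_users_api.users
        if key not in users:  # first login: create the shadow user
            users[key] = {"id": unique_id, "name": display_name}
        elif self.fixed:  # returning user, call goes to shadow_users_api
            self.shadow_users_api.update_federated_user_display_name(key, display_name)
        else:  # returning user, call falls through to the driver and fails
            self.update_federated_user_display_name(key, display_name)
        self._cache[key] = users[key]
        return users[key]

def login_sequence(fixed):
    """Three logins by one user; the cache expires before the third."""
    api, outcomes = Identity(ShadowUsers(), fixed), []
    for attempt, name in enumerate(["Alice", "Alice", "Alice A."]):
        if attempt == 2:
            api._cache.clear()  # simulate cache expiry
        try:
            user = api.shadow_federated_user("adfs", "saml2", "u1", name)
            outcomes.append(user["name"])
        except AttributeError as exc:  # surfaced by keystone as HTTP 500
            outcomes.append("HTTP 500: %s" % exc)
    return outcomes
```

`login_sequence(False)` succeeds twice and fails on the third login, which is why a test that authenticates a federated user only once, or twice within the cache lifetime, does not catch this class of bug.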

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/301878
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3e5fca06c6b7dd6060721faa39428b133edd10f0
Submitter: Jenkins
Branch: stable/mitaka

commit 3e5fca06c6b7dd6060721faa39428b133edd10f0
Author: Boris Bobrov <email address hidden>
Date: Tue Apr 5 18:50:48 2016 +0300

    Update federated user display name with shadow_users_api

    When a user comes to the cloud for the first time, a shadow user is
    created. When the user authenticates again, this shadow user is
    fetched and returned. Before it is returned, its display name should
    be updated. But the call to update the display name fails because
    neither identity manager nor identity drivers have the required
    method. However, the required method exists in shadow_users_api.

    The issue was hidden because method shadow_federated_user was
    cached and while the cache lived, the user could authenticate.

    Use the method of shadow_user_api instead of identity_api to update
    federated user display name.

    Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
    Closes-Bug: 1566282
    (cherry picked from commit 7ad4f8728cce354617b5facefe5076d65af311c6)

tags: added: in-stable-mitaka
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystone 9.0.0.0rc3

This issue was fixed in the openstack/keystone 9.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/302567

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/302567
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a78623a456fc0a657a01aa5a887641f0b73d64a8
Submitter: Jenkins
Branch: master

commit 3e5fca06c6b7dd6060721faa39428b133edd10f0
Author: Boris Bobrov <email address hidden>
Date: Tue Apr 5 18:50:48 2016 +0300

    Update federated user display name with shadow_users_api

    When a user comes to the cloud for the first time, a shadow user is
    created. When the user authenticates again, this shadow user is
    fetched and returned. Before it is returned, its display name should
    be updated. But the call to update the display name fails because
    neither identity manager nor identity drivers have the required
    method. However, the required method exists in shadow_users_api.

    The issue was hidden because method shadow_federated_user was
    cached and while the cache lived, the user could authenticate.

    Use the method of shadow_user_api instead of identity_api to update
    federated user display name.

    Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
    Closes-Bug: 1566282
    (cherry picked from commit 7ad4f8728cce354617b5facefe5076d65af311c6)

commit dba04cdd232ab72704df58cff791d52c1c99bc90
Author: Morgan Fainberg <email address hidden>
Date: Mon Mar 28 10:50:12 2016 -0700

    Correct `role_name` constraint dropping

    The `role_name` constraint was not properly dropped in some cases
    because the unique constraint was not consistently named. In all
    cases we must search for the constraint expected, not assume the
    name of the constraint will be consistent (especially from older
    installs that have been moved forward in releases).

    This change fixes migration 88, updates 96 (for backport to
    stable/mitaka) This is being overly cautious, but specifically
    is to handle the case where someone performed the upgrade and
    manually fixed the migration resulting in duplicated constraints
    in the role_table. Note that migration 100 was not backported since
    it was a placeholder migration.

    Conflicts:
        keystone/tests/unit/test_sql_upgrade.py

    Co-Authored-By: "Matthew Thode" <email address hidden>
    Change-Id: Ie0dc3d2449bace57d3e9323b281a2abd2ad0c983
    closes-bug: #1562934
    (cherry picked from commit 276e57e2083dcad8cbabf9aa9b3bd06c6079c415)

commit cf1fd9dad7d89d50a10ab204aa487663ea258988
Author: OpenStack Proposal Bot <email address hidden>
Date: Wed Mar 30 06:16:27 2016 +0000

    Imported Translations from Zanata

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: Iff9556deb5ebb465c7124c120e7806774c517472

commit c4b08ed2522ee771331d53f153bda5098c9fb9f4
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Mar 29 06:52:52 2016 +0000

    Imported Translations from Zanata

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I1e81320c932549e38bade5ef8d885ef426990f40

commit dd38543bdc2a11...


Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 10.0.0.0b1

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.
