federated login fails after user is removed from group

Bug #1629446 reported by Nithya Renganathan
This bug affects 2 people
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Eric Brown
  Mitaka                       Fix Released  Medium      Eric Brown
  Newton                       Fix Released  Medium      Eric Brown

Bug Description

A user who is part of a group in auth0 logs in using the mapping below just fine:

[
    {
        "local": [
            {
                "user": {
                    "name": "{1}::{0}"
                }
            },
            {
                "domain": {
                    "id": "default"
                },
                "groups": "{1}"
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_CLAIM_EMAIL"
            },
            {
                "type": "HTTP_OIDC_CLAIM_GROUPS"
            }
        ]
    }
]

Once the user is removed from the group in auth0 and tries to log in:

Expected Result:
Failed to log on to horizon as federation user using OpenID Connect protocol and got 401 code:

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Actual Result:
Got 500 instead of 401

{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}

Error in keystone-all.log:

2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi [req-f5f27f59-788b-494b-9719-bcdbb6b628c0 - - - - -] unexpected EOF while parsing (<unknown>, line 0)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/common/wsgi.py", line 249, in __call__
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi result = method(context, **params)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/controllers.py", line 329, in federated_idp_specific_sso_auth
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi res = self.federated_authentication(context, idp_id, protocol_id)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/controllers.py", line 302, in federated_authentication
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi auth_context)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi self.identity_api)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 141, in handle_unscoped_token
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi federation_api, identity_api)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 194, in apply_mapping_filter
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi identity_provider, protocol, assertion)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in wrapped
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/core.py", line 98, in evaluate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi mapped_properties = rule_processor.process(assertion_data)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/utils.py", line 544, in process
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi mapped_properties = self._transform(identity_values)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/utils.py", line 647, in _transform
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi identity_value['groups'])
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/usr/lib/python2.7/ast.py", line 49, in literal_eval
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi node_or_string = parse(node_or_string, mode='eval')
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/usr/lib/python2.7/ast.py", line 37, in parse
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi return compile(source, filename, mode, PyCF_ONLY_AST)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "<unknown>", line 0
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi ^
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi SyntaxError: unexpected EOF while parsing
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi

Tags: federation
summary: - 500 when a user logins in using federation
+ federated login fails after user is removed from group
tags: added: federation
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Looks like this is blowing up here - https://github.com/openstack/keystone/blob/cd23e776b7631d2f7b9465ef29789fd354f7d66a/keystone/federation/utils.py#L615-L616

One way we could possibly fix this is by adding some validation to the _transform() method, making sure the identity_values['groups'] is actually a list.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Also - when the user is removed from the group, are we talking about the keystone group, or the group from the assertion?

Revision history for this message
Nithya Renganathan (narengan) wrote :

group from the assertion.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

So this only happens after you've removed the user from the group using the IdP? Which results in an empty list of groups in the assertion?

Revision history for this message
Nithya Renganathan (narengan) wrote :

Yes, this only happens when you remove the user from the group using the IdP.

Revision history for this message
Nithya Renganathan (narengan) wrote :

It works now! The group is a list and isn't causing an internal error in keystone.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

So this is no longer a bug? I assume this can be closed if there is no longer an issue.

Revision history for this message
Eric Brown (ericwb) wrote :

I just ran into the same internal server error. I didn't remove the user from a group, I just tried to log in with a federated user that has group membership.

{"error": {"message": "An unexpected error prevented the server from fulfilling your request: unexpected EOF while parsing (<unknown>, line 1) (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

Federation mapping:
http://paste.openstack.org/show/595302/

Log:
http://paste.openstack.org/show/595301/

Eric Brown (ericwb)
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/421616

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → ocata-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/421616
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e1e2c2156f365078085db54dfbbfff50e2c2b84
Submitter: Jenkins
Branch: master

commit 9e1e2c2156f365078085db54dfbbfff50e2c2b84
Author: Eric Brown <email address hidden>
Date: Tue Jan 17 17:42:52 2017 -0800

    Catch potential SyntaxError in federation mapping

    When using the 'groups' keyword in a federation mapping, the value
    passed in the assertion may be a simple string with a space. For
    example, "ALL USERS". This results in ast.literal_eval() raising
    a SyntaxError and not ValueError, which bubbles up to the API as
    an uncaught 500 Internal Server Error.

    Change-Id: I61f93a6c54b62ba8719d2603f93dc18c33b581ce
    Closes-Bug: #1629446

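The two failure modes in this thread (an empty 'groups' value after the user is removed at the IdP, and a plain string with a space such as "ALL USERS") both make ast.literal_eval() raise SyntaxError rather than ValueError. The following is an added illustration, not keystone's own code from this commit or from the comment above proposing validation in _transform(): it reconstructs the pre-fix parse alongside a version that catches both exception types and validates the result, so a bad assertion ends in a 400 or 401 rather than a 500. The function names, the MalformedAssertion class and the sample assertion values are assumptions made here for the example.

```python
import ast


class MalformedAssertion(Exception):
    """Raised when the assertion's 'groups' value cannot be interpreted.

    The caller turns this into a client error; it must never surface as an
    unhandled exception, which is what produced the 500 in this report.
    """


def parse_group_names_before(raw):
    """Illustrative reconstruction of the pre-fix behaviour (not keystone's
    code): only ValueError is caught, so a plain string with a space such as
    "ALL USERS", or an empty string, lets SyntaxError escape to the API."""
    try:
        return ast.literal_eval(raw)
    except ValueError:
        return [raw]


def parse_group_names(raw):
    """Interpret the mapped 'groups' value as a list of group names.

    ast.literal_eval raises ValueError for input that parses but is not a
    literal ("admins" is a Name node) and SyntaxError for input it cannot
    parse at all ("ALL USERS", ""), so both are caught and the raw string is
    then treated as a single group name, as the commit message describes.
    """
    if isinstance(raw, list):
        return [str(g) for g in raw]
    if not isinstance(raw, str):
        raise MalformedAssertion(
            "groups must be a string or list, got %s" % type(raw).__name__)
    if not raw.strip():
        # User removed from every group at the IdP: no groups, not an error.
        return []
    try:
        parsed = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return [raw]
    if isinstance(parsed, list) and all(isinstance(g, str) for g in parsed):
        return parsed
    # Anything else that happens to be a literal ("42", "None") is still
    # just the group's name exactly as the IdP sent it.
    return [raw]


def resolve_login(raw_groups, known_groups):
    """Map the parsed names onto the groups keystone knows and return the
    HTTP status the API should answer with: 400 for a malformed assertion,
    401 when no group matches, 200 otherwise. Never 500."""
    try:
        names = parse_group_names(raw_groups)
    except MalformedAssertion as exc:
        return 400, str(exc)
    matched = [g for g in names if g in known_groups]
    if not matched:
        return 401, "The request you have made requires authentication."
    return 200, "authenticated via groups: " + ", ".join(matched)


if __name__ == "__main__":
    # Constructed sample assertion values, not captured from auth0.
    known = {"admins", "ALL USERS"}
    for sample in ("['admins', 'ops']", "ALL USERS", "", "admins", None):
        print(repr(sample), "->", resolve_login(sample, known))
```

The empty-string case is handled before literal_eval is ever called, which is the reporter's scenario: a user with no remaining groups is simply unauthenticated, and the log no longer carries a traceback for it.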
Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/425762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/425763

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b3

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/425763
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a1cc77e72dbad29a14313965df73eab439c705ee
Submitter: Jenkins
Branch: stable/mitaka

commit a1cc77e72dbad29a14313965df73eab439c705ee
Author: Eric Brown <email address hidden>
Date: Tue Jan 17 17:42:52 2017 -0800

    Catch potential SyntaxError in federation mapping

    When using the 'groups' keyword in a federation mapping, the value
    passed in the assertion may be a simple string with a space. For
    example, "ALL USERS". This results in ast.literal_eval() raising
    a SyntaxError and not ValueError, which bubbles up to the API as
    an uncaught 500 Internal Server Error.

    Change-Id: I61f93a6c54b62ba8719d2603f93dc18c33b581ce
    Closes-Bug: #1629446
    (cherry picked from commit 9e1e2c2156f365078085db54dfbbfff50e2c2b84)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/newton)

Reviewed: https://review.openstack.org/425762
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f6e92ccd18e2d93dc2ecee79e57ee344ea09941
Submitter: Jenkins
Branch: stable/newton

commit 0f6e92ccd18e2d93dc2ecee79e57ee344ea09941
Author: Eric Brown <email address hidden>
Date: Tue Jan 17 17:42:52 2017 -0800

    Catch potential SyntaxError in federation mapping

    When using the 'groups' keyword in a federation mapping, the value
    passed in the assertion may be a simple string with a space. For
    example, "ALL USERS". This results in ast.literal_eval() raising
    a SyntaxError and not ValueError, which bubbles up to the API as
    an uncaught 500 Internal Server Error.

    Change-Id: I61f93a6c54b62ba8719d2603f93dc18c33b581ce
    Closes-Bug: #1629446
    (cherry picked from commit 9e1e2c2156f365078085db54dfbbfff50e2c2b84)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 10.0.1

This issue was fixed in the openstack/keystone 10.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 9.3.0

This issue was fixed in the openstack/keystone 9.3.0 release.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Mitaka is EOL
