Federated users cannot log in if they are not members of projects

Bug #1649101 reported by Colleen Murphy
Affects: django-openstack-auth
Status: Fix Released
Importance: High
Assigned to: Colleen Murphy

Bug Description

If a federated user has a role in one or more domains but no roles in any projects, horizon prevents them from logging in, returning the message "You are not authorized for any projects or domains." This is misleading because the user is authorized for at least one domain. Moreover, federated users should be allowed to log in even if they are not authorized for any projects, just as non-federated users can.

Steps to reproduce:

1. Follow http://docs.openstack.org/developer/keystone/federation/configure_federation.html to set up keystone and horizon with a federated identity backend such as testshib.org.
2. Create a mapping that maps federated users to some keystone group.
3. Assign the group a role in a domain (and no roles in any projects).
4. Attempt to log into horizon using the federated authentication mechanism.

Expected behavior:

User is allowed to log in and is presented with their dashboard.

Actual behavior:

User is forbidden from logging in with the misleading message "You are not authorized for any projects or domains."

Changed in django-openstack-auth:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
David Lyle (david-lyle)
Changed in django-openstack-auth:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote: Fix merged to django_openstack_auth (master)

Reviewed: https://review.openstack.org/389337
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ca3166707b2b8d121d4bf75dcea32ddfd3a442f1
Submitter: Jenkins
Branch: master

commit ca3166707b2b8d121d4bf75dcea32ddfd3a442f1
Author: Colleen Murphy <email address hidden>
Date: Thu Oct 20 21:59:55 2016 +0200

    Allow federated users to auth with domain scope

    When a federated user logs in, openstack_auth receives an unscoped
    token and no user_domain_name parameter. Currently, if the federated
    user has a role in one or more domains, but no roles in any projects,
    openstack_auth prevents authorization and denies the user's login with
    the error "You are not authorized for any projects or domains." This is
    a problem because first, it's inaccurate, as the user is authorized for
    at least one domain, and second, a keystone administrator may want to
    give federated users access to a domain without any projects in it, for
    example to delegate the creation of projects to the federated users
    themselves. This patch allows federated users without project roles to
    log in by looking up domains as well as projects when attempting to
    scope the token. This lookup is skipped if the domain was passed as
    part of the request.

    This patch also slightly restructures the OpenStackAuthTestsWebSSO
    and OpenStackAuthTestsV3 tests because mox needs to simulate only one instance
    of the plugin but two instances of the client objects for every call to
    authenticate().

    Closes-bug: #1649101

    Change-Id: I151218ff28c0728898ed5315d63dd8122ce3b166
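
The scope-selection change the commit message describes, shown as an added illustration rather than django_openstack_auth's own code: the pre-fix path considers projects only, while the fixed path falls back to a domain the user has a role in, and skips the domain lookup when a domain name already accompanied the request (my reading of the message; the keystone calls, user names and ids are constructed stand-ins so the snippet runs offline).

```python
"""Scope selection for an unscoped federated token (added illustration)."""

NOT_AUTHORIZED_MSG = "You are not authorized for any projects or domains."


class NotAuthorized(Exception):
    """Raised when no scope can be chosen for the login."""


# Constructed sample data standing in for keystone's /v3/auth/projects and
# /v3/auth/domains responses (hypothetical users, ids and names).
SAMPLE_PROJECTS = {
    "alice": [],                              # domain role only
    "bob": [{"id": "p1", "name": "demo"}],    # project role
}
SAMPLE_DOMAINS = {
    "alice": [{"id": "d1", "name": "partner"}],
    "bob": [],
}


def list_projects(user):
    return SAMPLE_PROJECTS.get(user, [])


def list_domains(user):
    return SAMPLE_DOMAINS.get(user, [])


def select_scope_old(user, user_domain_name=None):
    """Pre-fix behaviour: a user without project roles is always denied."""
    projects = list_projects(user)
    if not projects:
        raise NotAuthorized(NOT_AUTHORIZED_MSG)
    return ("project", projects[0]["id"])


def select_scope_fixed(user, user_domain_name=None):
    """Post-fix behaviour: prefer a project, otherwise scope to a domain."""
    projects = list_projects(user)
    if projects:
        return ("project", projects[0]["id"])
    if user_domain_name is not None:
        # Domain came with the request (non-federated login): no lookup.
        return ("domain", user_domain_name)
    domains = list_domains(user)      # federated login: ask keystone
    if domains:
        return ("domain", domains[0]["id"])
    raise NotAuthorized(NOT_AUTHORIZED_MSG)


def is_denied(selector, user, **kwargs):
    """True when the given selector refuses the login for this user."""
    try:
        selector(user, **kwargs)
    except NotAuthorized:
        return True
    return False
```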

Changed in django-openstack-auth:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/django_openstack_auth 3.1.1

This issue was fixed in the openstack/django_openstack_auth 3.1.1 release.
