OpenStack Identity (keystone)

Internal Server Error: KeyError: 'domain'

Bug #1657978 reported by Eric Brown on 2017-01-20

This bug affects 1 person

	Status	Importance	Assigned to
OpenStack Identity (keystone)	Invalid	Undecided	Unassigned
Mitaka	Fix Released	Medium	Eric Brown
Newton	Fix Released	Medium	Eric Brown
Ocata	Invalid	Undecided	Unassigned

Bug Description

I get the following message in Horizon when trying to authenticate a federated user with a misconfigured mapping (in Mitaka)

{"error": {"message": "An unexpected error prevented the server from fulfilling your request: 'domain' (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

This is my mapping.json. Notice no domain is part of the "group" parameter (even though there is one at one level higher).
[
    {
        "local": [
            {
                "domain": {
                    "name": "Default"
                },
                "group": {
                    "name": "Federated Users"
                },
                "user": {
                    "name": "{0}",
                    "email": "{1}"
                },
                "groups": "{2}"
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            },
            {
                "type": "MELLON_userEmail"
            },
            {
                "type": "MELLON_groups"
            }
        ]
    }
]

This is the log output of the keyerror containing the assertion.

http://paste.openstack.org/show/595730/

Tags:

Eric Brown (ericwb) on 2017-01-20

Changed in keystone:
assignee:	nobody → Eric Brown (ericwb)

Revision history for this message

David Stanek (dstanek) wrote on 2017-01-20:

I think that this should be mostly solved via a better, more strict validation of the mapping JSON.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-01-20:

Yeah - we should be able to fix this by amending the hot mess of jsonschema for mapping [0].

[0] https://github.com/openstack/keystone/blob/bc8a145de14e455a2a73824e8a84d92ac27aae1c/keystone/federation/utils.py#L101-L113

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

Eric Brown (ericwb) wrote on 2017-01-20:

I was able to resolve the issue by removing "external" from the authentication methods in keystone.conf.

methods = external,password,token,saml2
to
methods = password,token,saml2

I "think" this occurs because my mapping uses REMOTE_USER and if external is configured, it creates an AuthContext using the external method and then later attempts to set the user_id using the saml auth method, resulting in a dup.

Revision history for this message

Eric Brown (ericwb) wrote on 2017-01-20:

Note: this doc warns against external and federation: http://docs.openstack.org/developer/keystone/external-auth.html#configuration

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-21: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/423561

Revision history for this message

Eric Brown (ericwb) wrote on 2017-01-21:

Ignore last two comments. Wrong bug, sorry.

Revision history for this message

Eric Brown (ericwb) wrote on 2017-01-21:

This was fixed in Newton, but not Mitaka. Patch: https://review.openstack.org/#/c/313504/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-26: Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/423569
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f7a8a053f3a923a5e211c9e71c1abdb573555159
Submitter: Jenkins
Branch: stable/mitaka

commit f7a8a053f3a923a5e211c9e71c1abdb573555159
Author: Gyorgy Szombathelyi <email address hidden>
Date: Fri May 6 12:39:16 2016 +0200

Enhance federation group mapping validation

A group must be reffered either with an ID, or the name _and_ the
domain. Change the JSON validation schema to check this.

Closes-Bug: #1657978

Change-Id: I213876e30fc0521195848479278080bdac8387de
(cherry picked from commit a9d79e098732445efcd58a6b03148fe6c62e044a)

tags:

added: in-stable-mitaka

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-26: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/423561
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a551b94dd7abfd717c615daf6aa8767be06f1ff7
Submitter: Jenkins
Branch: master

commit a551b94dd7abfd717c615daf6aa8767be06f1ff7
Author: Eric Brown <email address hidden>
Date: Fri Jan 20 16:00:17 2017 -0800

Add warning about using `external` with federation

Using both the `external` authentication method and a federation
method (such as saml2, etc) can result in conflicts [1]

[1] http://docs.openstack.org/developer/keystone/external-auth.html#configuration

Change-Id: Ifb95d779d48c14a4fa24a26d016151edf409d760
Related-Bug: #1657978

Revision history for this message

Steve Martinelli (stevemar) wrote on 2017-01-26:

#10

Eric, per your comment in #7, i will mark this as fix released for Mitaka and Newton and invalid for Ocata. see https://review.openstack.org/#/q/I213876e30fc0521195848479278080bdac8387de,n,z for details.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-01: Fix included in openstack/keystone 9.3.0

#11

This issue was fixed in the openstack/keystone 9.3.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.