Internal Server Error: KeyError: 'domain'

Bug #1657978 reported by Eric Brown
This bug affects 1 person
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Invalid       Undecided   Unassigned
  Mitaka                       Fix Released  Medium      Eric Brown
  Newton                       Fix Released  Medium      Eric Brown
  Ocata                        Invalid       Undecided   Unassigned

Bug Description

I get the following message in Horizon when trying to authenticate a federated user with a misconfigured mapping (in Mitaka).

{"error": {"message": "An unexpected error prevented the server from fulfilling your request: 'domain' (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

This is my mapping.json. Notice no domain is part of the "group" parameter (even though there is one at one level higher).
[
    {
        "local": [
            {
                "domain": {
                    "name": "Default"
                },
                "group": {
                    "name": "Federated Users"
                },
                "user": {
                    "name": "{0}",
                    "email": "{1}"
                },
                "groups": "{2}"
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            },
            {
                "type": "MELLON_userEmail"
            },
            {
                "type": "MELLON_groups"
            }
        ]
    }
]

This is the log output of the KeyError, containing the assertion.

http://paste.openstack.org/show/595730/

Eric Brown (ericwb)
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
David Stanek (dstanek) wrote:

I think that this should be mostly solved via a better, more strict validation of the mapping JSON.

Lance Bragstad (lbragstad) wrote:

Yeah - we should be able to fix this by amending the hot mess of jsonschema for mapping [0].

[0] https://github.com/openstack/keystone/blob/bc8a145de14e455a2a73824e8a84d92ac27aae1c/keystone/federation/utils.py#L101-L113

Changed in keystone:
importance: Undecided → Medium
Eric Brown (ericwb) wrote:

I was able to resolve the issue by removing "external" from the authentication methods in keystone.conf.

methods = external,password,token,saml2
  to
methods = password,token,saml2

I "think" this occurs because my mapping uses REMOTE_USER and if external is configured, it creates an AuthContext using the external method and then later attempts to set the user_id using the saml auth method, resulting in a dup.

Eric Brown (ericwb) wrote:

Note: this doc warns against external and federation: http://docs.openstack.org/developer/keystone/external-auth.html#configuration

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/423561

Eric Brown (ericwb) wrote:

Ignore last two comments. Wrong bug, sorry.

Eric Brown (ericwb) wrote:

This was fixed in Newton, but not Mitaka. Patch: https://review.openstack.org/#/c/313504/

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/423569
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f7a8a053f3a923a5e211c9e71c1abdb573555159
Submitter: Jenkins
Branch: stable/mitaka

commit f7a8a053f3a923a5e211c9e71c1abdb573555159
Author: Gyorgy Szombathelyi <email address hidden>
Date: Fri May 6 12:39:16 2016 +0200

    Enhance federation group mapping validation

    A group must be referred to either with an ID, or the name _and_ the
    domain. Change the JSON validation schema to check this.

    Closes-Bug: #1657978

    Change-Id: I213876e30fc0521195848479278080bdac8387de
    (cherry picked from commit a9d79e098732445efcd58a6b03148fe6c62e044a)

tags: added: in-stable-mitaka
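The rule the stable/mitaka commit above describes (a group is referred to either by its id, or by its name together with a domain), written out as an added plain-Python validator and run over the reporter's mapping.json from the bug description. This is an example added here, not keystone's own jsonschema code; the function names and error wording are assumptions of the example.

```python
import json

# Constructed copy of the mapping from the bug report: the "group" names a
# group but carries no "domain", which is what the fixed schema now rejects.
BROKEN_MAPPING_JSON = """
[{"local": [{"domain": {"name": "Default"},
             "group": {"name": "Federated Users"},
             "user": {"name": "{0}", "email": "{1}"},
             "groups": "{2}"}],
  "remote": [{"type": "REMOTE_USER"},
             {"type": "MELLON_userEmail"},
             {"type": "MELLON_groups"}]}]
"""


def group_errors(group, where):
    """Problems with one "group" object; an empty list means it is valid.

    Rule from the fix: a group is referred to either by "id", or by "name"
    together with a "domain" (itself given by "id" or "name"), never both.
    """
    if not isinstance(group, dict):
        return [f"{where}: group must be a JSON object"]
    by_id = "id" in group
    domain = group.get("domain")
    by_name = "name" in group and isinstance(domain, dict) and (
        "id" in domain or "name" in domain)
    if by_id and ("name" in group or "domain" in group):
        return [f"{where}: use either 'id' or 'name'+'domain', not both"]
    if not by_id and not by_name:
        return [f"{where}: a group given by 'name' needs a 'domain' "
                "with 'id' or 'name'"]
    return []


def validate_mapping(rules):
    """Collect every group error in a parsed mapping (a list of rules)."""
    errors = []
    for i, rule in enumerate(rules):
        for j, local in enumerate(rule.get("local", [])):
            if "group" in local:
                errors.extend(group_errors(local["group"],
                                           f"rules[{i}].local[{j}].group"))
    return errors


def validate_mapping_json(text):
    """Parse mapping.json text and validate it; returns the error list."""
    return validate_mapping(json.loads(text))


if __name__ == "__main__":
    for err in validate_mapping_json(BROKEN_MAPPING_JSON):
        print(err)
```

Rejecting the mapping at load time with a message naming the offending rule replaces the 500 and the bare `KeyError: 'domain'` that the unvalidated mapping produced during federated login.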
OpenStack Infra (hudson-openstack) wrote: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/423561
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a551b94dd7abfd717c615daf6aa8767be06f1ff7
Submitter: Jenkins
Branch: master

commit a551b94dd7abfd717c615daf6aa8767be06f1ff7
Author: Eric Brown <email address hidden>
Date: Fri Jan 20 16:00:17 2017 -0800

    Add warning about using `external` with federation

    Using both the `external` authentication method and a federation
    method (such as saml2, etc) can result in conflicts [1]

    [1] http://docs.openstack.org/developer/keystone/external-auth.html#configuration

    Change-Id: Ifb95d779d48c14a4fa24a26d016151edf409d760
    Related-Bug: #1657978

Steve Martinelli (stevemar) wrote:

Eric, per your comment in #7, I will mark this as fix released for Mitaka and Newton and invalid for Ocata. See https://review.openstack.org/#/q/I213876e30fc0521195848479278080bdac8387de,n,z for details.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystone 9.3.0

This issue was fixed in the openstack/keystone 9.3.0 release.
