Groups mapped to projects that do not exist in OpenStack breaks WebSSO
Bug #1789450 reported by Steven Relf
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Undecided | Vishakha Agarwal |
Bug Description
I have come across an issue when using webSSO/Federation.
We are using Keycloak as an SP, in which our users exist. These users have multiple groups, some of which are OpenStack-specific and some of which are not.
These users and groups are being mapped as ephemeral users, and I'm using groups to match to projects.
The issue occurs if a user has a group that does not map to a project in OpenStack, at which point an exception is raised and the WebSSO login blows up with a 500 message.
The offending line is line 347 in keystone/
A quick fix would be to remove the exception from being raised, and just log to file.
Or filter the projects based on the groups passed in.
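
The two fixes suggested in the description above (log instead of raising, or filter the groups), sketched as an added example that is not keystone's code and not part of the original report. `lookup_group`, `resolve_strict`, `resolve_tolerant`, `authorize`, the group names and ids, and the choice to answer 401 when no asserted group resolves are all assumptions made for illustration.

```python
import logging

log = logging.getLogger("federation.example")

# Constructed sample data: groups known to the identity backend (name -> id).
BACKEND_GROUPS = {"cloud-admins": "g-001", "project-alpha-members": "g-002"}


class GroupNotFound(Exception):
    """Raised when an asserted group has no match in the backend."""


def lookup_group(name):
    # Hypothetical backend lookup; stands in for the real identity driver.
    try:
        return BACKEND_GROUPS[name]
    except KeyError:
        raise GroupNotFound(name) from None


def resolve_strict(asserted_groups):
    # Behaviour described in the report: one unknown group aborts the login,
    # and the unhandled exception surfaces to the user as a 500.
    return [lookup_group(name) for name in asserted_groups]


def resolve_tolerant(asserted_groups):
    # Suggested fix: log and drop unknown groups, keep the ones that resolve.
    resolved, skipped = [], []
    for name in asserted_groups:
        try:
            resolved.append(lookup_group(name))
        except GroupNotFound:
            skipped.append(name)
            # %r keeps control characters in an IdP-supplied name out of the log.
            log.warning("Ignoring asserted group %r: not in backend", name)
    return resolved, skipped


def authorize(asserted_groups):
    # Fail closed: if nothing resolves, deny explicitly (assumed 401) rather
    # than issuing a token with no group membership or crashing with a 500.
    group_ids, skipped = resolve_tolerant(asserted_groups)
    if not group_ids:
        return {"status": 401, "group_ids": [], "skipped": skipped}
    return {"status": 200, "group_ids": group_ids, "skipped": skipped}
```

Dropping an unknown group can only reduce what the federated user is authorized for, so the tolerant path does not widen access; the skipped names in the log are what an operator would check when a user reports missing projects.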
summary:
- Groups that do not exist in the backend break webSSO
+ Groups mapped to projects that do not exist in OpenStack breaks WebSSO
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
milestone: none → stein-1
Looks like this is a reversion. As it looks like it was fixed way back in 2015
https://bugs.launchpad.net/keystone/+bug/1429334
but it looks to have been reverted.