[Problem Description]
(see the User Scenario section below for a description of the environment)
When federated users have no direct role assignments and only group-based role assignments (through the federated group) are present, creating an application credential through Horizon fails with the following errors:
horizon apache2 error.log:
[Sat Jun 08 14:27:59.153479 2019] [wsgi:error] [pid 150327:tid 139962773473024] [remote 10.232.46.207:35898] Recoverable error: Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45. (HTTP 400) (Request-ID: req-da2e3322-2f6f-468f-bd0d-b08855f9893b)
keystone.log:
(keystone.common.wsgi): 2019-06-08 14:30:55,933 WARNING Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45.
(keystone.middleware.auth): 2019-06-08 14:31:00,940 DEBUG Authenticating user token
 82     def _require_user_has_role_in_project(self, roles, user_id, project_id):
 83         user_roles = self._get_user_roles(user_id, project_id)
 84  ->     for role in roles:
 85             if role['id'] not in user_roles:
 86                 raise exception.RoleAssignmentNotFound(role_id=role['id'],
 87                                                        actor_id=user_id,
 88                                                        target_id=project_id)
[Possible Solution]
Group membership details obtained dynamically during federated authentication and embedded into the fernet token (first the unscoped token, then the project-scoped token) need to be used in addition to querying the database for user-to-group membership.
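To make the failure mode concrete, the following is an added Python illustration, not keystone's code: it models the role check at line 84 of the listing above with the user, group, project and role IDs quoted in this report, first with the user's groups taken only from the identity backend (the current behaviour, which yields the HTTP 400), then with the group IDs carried in the federated token also considered. The assignment table, the user-to-group table, the set of groups known to the SP and the Admin role ID are constructed stand-ins.

```python
"""Added illustration (not keystone code) of the application credential role
check described in this report, for a federated user whose only role on the
project comes through a group.  All tables below are constructed stand-ins for
keystone's assignment and identity backends."""

# IDs quoted from this report (user, group, project, and the role ID that
# appears in the "Could not find role assignment" message).
USER_ID = "794d430997c64060854bf77f2e7e6e16"       # intranet\Administrator
GROUP_ID = "701f70e7549d4de28cecd60127a1a444"      # adfs_users
PROJECT_ID = "7de76f768cb84149b8b2d693d1d21f45"    # grouptest
MEMBER_ROLE_ID = "91afa82fab85426fa741370dabad80bf"
ADMIN_ROLE_ID = "admin-role-id-placeholder"        # constructed, not in the report

# Constructed assignment table: (actor type, actor id, project id) -> role ids.
# Mirrors "openstack role assignment list": only the group holds Member.
ROLE_ASSIGNMENTS = {
    ("group", GROUP_ID, PROJECT_ID): {MEMBER_ROLE_ID},
}

# Constructed identity-backend user->group table.  A federated user's group
# membership is never persisted here, which is the root cause in this report.
DB_USER_GROUPS = {USER_ID: set()}

# Constructed set of groups the SP knows.  The mapping engine only maps onto
# existing groups, so group ids in a token outside this set grant nothing.
SP_GROUPS = {GROUP_ID}


class RoleAssignmentNotFound(Exception):
    """Stand-in for keystone.exception.RoleAssignmentNotFound."""


def _roles_for(actor_type, actor_id, project_id):
    return ROLE_ASSIGNMENTS.get((actor_type, actor_id, project_id), set())


def effective_roles(user_id, project_id, token_group_ids=()):
    """Roles the user holds on the project: direct assignments, assignments via
    groups recorded in the identity backend, and (the piece this report says is
    missing) assignments via groups carried in the federated token."""
    roles = set(_roles_for("user", user_id, project_id))
    group_ids = set(DB_USER_GROUPS.get(user_id, set()))
    group_ids |= {g for g in token_group_ids if g in SP_GROUPS}
    for gid in group_ids:
        roles |= _roles_for("group", gid, project_id)
    return roles


def require_user_has_roles_in_project(requested_role_ids, user_id, project_id,
                                      token_group_ids=()):
    """Same shape as keystone's _require_user_has_role_in_project: every role
    requested for the application credential must be an effective role, so a
    credential can never carry more than the user actually holds."""
    held = effective_roles(user_id, project_id, token_group_ids)
    for role_id in requested_role_ids:
        if role_id not in held:
            raise RoleAssignmentNotFound(
                "Could not find role assignment with role: %s, user or group: %s, "
                "project, domain, or system: %s" % (role_id, user_id, project_id))
    return True


def check(requested_role_ids, token_group_ids=()):
    """True if the credential may be created, False if the check raises."""
    try:
        return require_user_has_roles_in_project(requested_role_ids, USER_ID,
                                                 PROJECT_ID, token_group_ids)
    except RoleAssignmentNotFound:
        return False


if __name__ == "__main__":
    # As today: groups come from the DB only, so Horizon gets the HTTP 400.
    print("DB-only lookup:", check([MEMBER_ROLE_ID]))
    # With the token's group ids considered as well, Member is found.
    print("with token groups:", check([MEMBER_ROLE_ID], [GROUP_ID]))
    # The check still rejects roles the group does not hold.
    print("admin via token groups:", check([ADMIN_ROLE_ID], [GROUP_ID]))
    # Group ids the SP does not know grant nothing.
    print("unknown token group:", check([MEMBER_ROLE_ID], ["not-a-keystone-group"]))
```

The point of the filter against `SP_GROUPS` is that widening the lookup must not widen trust: the token's group list is only useful for groups the mapping engine actually resolved on the SP side, and the subset check on requested roles stays in place either way.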
[User Scenario]
Federated authentication via SAML with the following mapping (i.e. no direct role assignment to a user on a project - only federated group-based role assignment):
openstack mapping show adfs_mapping
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | adfs_mapping |
| rules | [{'remote': [{'type': 'MELLON_NAME_ID'}, {'type': 'MELLON_groups'}], 'local': [{'domain': {'id': 'e834e57943714e058c203d4f544ea946'}, 'user': {'name': '{0}'}, 'groups': '{1}'}]}] |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# a federated user
openstack user list --domain adfs
+----------------------------------+------------------------+
| ID | Name |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+
# a group that exists both on the IdP and Keystone (SP) side
openstack group list --domain adfs
+----------------------------------+------------+
| ID | Name |
+----------------------------------+------------+
| 701f70e7549d4de28cecd60127a1a444 | adfs_users |
+----------------------------------+------------+
# grouptest is a project that adfs_users group members get a Member role assignment on
openstack project list --domain adfs
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 7de76f768cb84149b8b2d693d1d21f45 | grouptest |
| 6a0657cf98684a62af99dc7b71a383dd | test |
+----------------------------------+-----------+
# same as above - no direct role assignments
openstack role assignment list --names --user 794d430997c64060854bf77f2e7e6e16 ; echo $?
0
# role assignments for the adfs_users group (domain and project level although only the project-level one is needed)
openstack role assignment list --names --group adfs_users --group-domain adfs
+--------+------+-----------------+----------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------+-----------------+----------------+--------+--------+-----------+
| Member | | adfs_users@adfs | grouptest@adfs | | | False |
| Member | | adfs_users@adfs | | adfs | | False |
+--------+------+-----------------+----------------+--------+--------+-----------+
# no direct Member role assignments for federated users
openstack role assignment list --names
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Role   | User                             | Group           | Project                 | Domain       | System | Inherited |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Admin  | neutron@service_domain           |                 | services@service_domain |              |        | False     |
| Admin  | designate@default                |                 | services@default        |              |        | False     |
| Admin  | image-stream@default             |                 | services@default        |              |        | False     |
| Admin  | nova_placement@service_domain    |                 | services@service_domain |              |        | False     |
| Member | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 |                         | admin_domain |        | False     |
| Member | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@default        |                 | services@default        |              |        | False     |
| Member |                                  | adfs_users@adfs | grouptest@adfs          |              |        | False     |
| Member |                                  | adfs_users@adfs |                         | adfs         |        | False     |
| Admin  | neutron@default                  |                 | services@default        |              |        | False     |
| Admin  | glance@default                   |                 | services@default        |              |        | False     |
| Admin  | image-stream@service_domain      |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@service_domain |                 | services@service_domain |              |        | False     |
| Admin  | glance@service_domain            |                 | services@service_domain |              |        | False     |
| Admin  | designate@service_domain         |                 | services@service_domain |              |        | False     |
| Member | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | nova_placement@default           |                 | services@default        |              |        | False     |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
Code-path:
create_application_credential -> _require_user_has_role_in_project -> _get_user_roles -> _get_user_roles -> list_role_assignments -> _list_effective_role_assignments -> _get_group_ids_for_user_id -> list_groups_for_user -> _get_group_ids_for_user_id
A detailed rpdb trace: http://paste.openstack.org/show/752652/
[Version]
Rocky (UCA)