[19.04] using federation does not exclude 'external' authentication plugin

Bug #1828018 reported by Dmitrii Shcherbakov
Affects: OpenStack Keystone Charm; Status: Fix Released; Importance: High; Assigned to: David Ames

Bug Description

As the doc for the "methods" Keystone option notes, using the 'external' authentication method present in our templates by default with federation ('mapped' auth plugin) may cause conflicts.

https://opendev.org/openstack/keystone/src/branch/stable/queens/keystone/conf/auth.py#L21-L28
    help=utils.fmt("""
Allowed authentication methods. Note: You should disable the `external` auth
method if you are currently using federation. External auth and federation
both use the REMOTE_USER variable. Since both the mapped and external plugin
are being invoked to validate attributes in the request environment, it can
cause conflicts.
"""))

We should consider making use of the 'external' authentication plugin and federation mutually exclusive.

Note: at the time of writing, use of the 'external' authentication plugin with the charms is not technically possible (https://docs.openstack.org/keystone/queens/advanced-topics/external-auth.html) as it requires Apache-level configuration.

Tags: cpe-onsite
Revision history for this message
David Ames (thedac) wrote :

TRIAGE:

For LP Bug #1828015 [0] and this one the solution is to create an auth methods context which does all the logic to correctly set auth_methods in keystone.conf

[0] https://bugs.launchpad.net/charm-keystone/+bug/1828015/comments/3

Changed in charm-keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → 19.07
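The logic such a context has to implement, as an added illustration and not the charm's own code: derive the `[auth]/methods` list from the protocol names received over the keystone-fid-service-provider relation, dropping 'external' whenever a federation protocol is present, and audit an existing keystone.conf for the conflicting combination. The base method list and the sample configuration are assumptions constructed for this example.

```python
import configparser

# Non-federated methods used as the starting point. This list is an
# assumption for the example, not the charm's actual hard-coded default.
BASE_METHODS = ["external", "password", "token", "oauth1",
                "application_credential"]


def auth_methods(fid_protocols):
    """Build the [auth]/methods list for keystone.conf.

    fid_protocols: protocol names received over the
    keystone-fid-service-provider relation (e.g. ["saml2", "openid"]).
    With federation present, 'mapped' plus the protocol names are added
    and 'external' is dropped: both plugins consume REMOTE_USER, so the
    combination is rejected rather than merely discouraged.
    """
    methods = list(BASE_METHODS)
    protocols = sorted(set(fid_protocols))
    if protocols:
        methods = [m for m in methods if m != "external"]
        for name in ["mapped"] + protocols:
            if name not in methods:
                methods.append(name)
    return methods


def check_keystone_conf(conf_text):
    """Audit a keystone.conf body; return a list of findings (empty if clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("auth", "methods", fallback="")
    methods = [m.strip() for m in raw.split(",") if m.strip()]
    findings = []
    if "mapped" in methods and "external" in methods:
        findings.append("[auth]/methods lists both 'external' and 'mapped'; "
                        "drop 'external' when federation is in use")
    return findings


# Constructed sample: a keystone.conf fragment with the conflicting combination.
CONFLICTING_CONF = """\
[auth]
methods = external,password,token,mapped,saml2
"""

if __name__ == "__main__":
    print("methods =", ",".join(auth_methods(["saml2"])))
    for finding in check_keystone_conf(CONFLICTING_CONF):
        print("WARNING:", finding)
```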
David Ames (thedac) wrote :
Changed in charm-keystone:
assignee: nobody → David Ames (thedac)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/659393
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=a103c15e40612b4c2c801543896bda4bbd5396f0
Submitter: Zuul
Branch: master

commit a103c15e40612b4c2c801543896bda4bbd5396f0
Author: David Ames <email address hidden>
Date: Wed May 15 14:53:48 2019 -0700

    Use AuthMethod context

    Rather than use hard coded auth methods, use the protocol name passed
    over the keystone-fid-service-provider relation.

    Also, when using federation do not allow the "external" method as they
    are mutually exclusive.

    Change-Id: I08f0632630d7f0e8d2d7ddb057e02f9febf9ad6f
    Closes-Bug: #1828015
    Closes-Bug: #1828018

Changed in charm-keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (stable/19.04)

Fix proposed to branch: stable/19.04
Review: https://review.opendev.org/661537

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (stable/19.04)

Reviewed: https://review.opendev.org/661537
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=84dac3c3626e1f434ccc9a88f8301d8b567bad4f
Submitter: Zuul
Branch: stable/19.04

commit 84dac3c3626e1f434ccc9a88f8301d8b567bad4f
Author: David Ames <email address hidden>
Date: Wed May 15 14:53:48 2019 -0700

    Use AuthMethod context

    Rather than use hard coded auth methods, use the protocol name passed
    over the keystone-fid-service-provider relation.

    Also, when using federation do not allow the "external" method as they
    are mutually exclusive.

    Change-Id: I08f0632630d7f0e8d2d7ddb057e02f9febf9ad6f
    Closes-Bug: #1828015
    Closes-Bug: #1828018
    (cherry picked from commit a103c15e40612b4c2c801543896bda4bbd5396f0)

David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released