Scoped OS-FEDERATION token not working

Bug #1541657 reported by Bogdan
Affects                         Status     Importance  Assigned to       Milestone
OpenStack Identity (keystone)   Invalid    Undecided   Unassigned
Kilo                            Won't Fix  Medium      Steve Martinelli

Bug Description

I have implemented Keystone Federation scenario with Kilo against a non-Keystone IdP.

Following the flow described at https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html I successfully went through SAML2 authentication and I ended up with an unscoped token which is working just fine.

When I then request a scoped token out of the unscoped token, I get a token which differs from the documentation:
the docs say that the user will have groups:

~~~
"user": {
    "domain": {
        "id": "Federated"
    },
    "id": "username%40example.com",
    "name": "<email address hidden>",
    "OS-FEDERATION": {
        "identity_provider": "ACME",
        "protocol": "SAML",
        "groups": [
            {"id": "abc123"},
            {"id": "bcd234"}
        ]
    }
}
~~~

while in my implementation I get a user with no groups (in contrast, my unscoped token has the groups in user):

~~~
"user": {
   "domain": {
       "id": "Federated",
       "name": "Federated"
   },
   "id": "myUser",
   "name": "myUser",
   "OS-FEDERATION": {
      "identity_provider": {
         "id": "myIdP"
      },
      "protocol": {"id": "saml2"}
   }
}
~~~

If I try to use the scoped token I get the error message:

~~~
# openstack --os-token 3e68789050944e9296f1e366f63a31a8 --os-auth-url https://host:5000/v3 --os-identity-api-version 3 --os-cacert /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list
ERROR: openstack Unable to find valid groups while using mapping saml_mapping (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb23e61c-6f1f-4259-8ff0-92063f60b5f0)
~~~

And this is no surprise if we debug the code for token creation and see that **_handle_mapped_tokens** in /usr/lib/python2.7/site-packages/keystone/token/providers/common.py says:

~~~
if project_id or domain_id:
    roles = self.v3_token_data_helper._populate_roles_for_groups(
        group_ids, project_id, domain_id, user_id)
    token_data.update({'roles': roles})
else:
    token_data['user'][federation.FEDERATION].update({
        'groups': [{'id': x} for x in group_ids]
    })
return token_data
~~~

So, the only way to get our groups added to the scoped token is to NOT use domain or project scoping, but if we do not scope the token for domain or project then we will simply get yet another unscoped token ;).

What am I missing? How am I supposed to create a scoped token which works?

Thanks in advance!

Changed in keystone:
milestone: none → mitaka-3
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Hi Bogdan,

Would you be able to provide any more information about the saml_mapping? How was it created?

Revision history for this message
Bogdan (bogdan-vatkov) wrote :

Here is how I created it:

Add the IdP:
~~~
# curl -k -H "X-Auth-Token: $OS_TOKEN" -X PUT https://myhost:5000/v3/OS-FEDERATION/identity_providers/my.idp.com -H "Content-Type: application/json" -d '{ "identity_provider": { "description": "My IDS","remote_ids": ["my.idp.com"],"enabled": true }}'
~~~

Add protocol for the my.idp.com provider:
~~~
# curl -k -H "X-Auth-Token: $OS_TOKEN" -X PUT https://myhost:5000/v3/OS-FEDERATION/identity_providers/my.idp.com/protocols/saml2 -H "Content-Type: application/json" -d '{"protocol": { "mapping_id": "saml_mapping"}}'
~~~

Create a group:
~~~
# openstack group create samlusers
~~~

Create a role assignment for a role + project + group combination:
~~~
# openstack role add --project MY_PROJECT --group samlusers _member_
~~~

Obtain the group id:
~~~
# group_id=`openstack group list|grep samlusers|awk '{print $2}'`
~~~

Prepare federation mapping rules configuration:
~~~
# cat > add-mapping.json
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "domain": {"name": "Default"}
        }
      },
      {
        "group": {
          "id": "GROUP_ID"
        }
      }
    ],
    "remote": [
      {
        "type": "REMOTE_USER"
      }
    ]
  }
]
(Press CTRL+D)
~~~

Add the group id to the mapping config:
~~~
# cat add-mapping.json|sed s^GROUP_ID^$group_id^ > /tmp/mapping.json
~~~

Create the federation mapping:
~~~
# openstack mapping create --rules /tmp/mapping.json saml_mapping
~~~

Create the federation protocol with the proper mapping:
~~~
# openstack federation protocol create --identity-provider my.idp.com --mapping saml_mapping saml2
~~~
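
As an added worked example (not keystone's code and not part of this bug report), the following Python models the two technical pieces of the thread together: the mapping-rule evaluation behind the saml_mapping created in the steps above, and the scoped-versus-unscoped branch of `_handle_mapped_tokens` quoted in the bug description. The mapping engine is deliberately reduced to the rule shape used in add-mapping.json (a remote `type` match and `{0}` substitution); keystone's real engine supports much more (any_one_of, not_any_of, regex, whitelist/blacklist). The group id, the assertion, the role-assignment table and the `keep_groups_when_scoped` switch are all constructed for the illustration; the switch shows the behaviour the reporter is asking for and is not a description of what the Liberty commit linked later in this thread actually changed.

```python
import copy

FEDERATION = "OS-FEDERATION"

# Constructed sample input (not from the report): the rule shape of the posted
# add-mapping.json with GROUP_ID already substituted, plus an assertion carrying
# the one attribute the rule asks for. The group id is made up.
SAMPLE_GROUP_ID = "0123456789abcdef0123456789abcdef"
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}", "domain": {"name": "Default"}}},
            {"group": {"id": SAMPLE_GROUP_ID}},
        ],
        "remote": [{"type": "REMOTE_USER"}],
    }
]
ASSERTION = {"REMOTE_USER": "bogdan"}


def _render(value, direct_values):
    """Substitute {0}, {1}, ... in the local section with matched remote values."""
    if isinstance(value, str):
        return value.format(*direct_values)
    if isinstance(value, dict):
        return {k: _render(v, direct_values) for k, v in value.items()}
    if isinstance(value, list):
        return [_render(v, direct_values) for v in value]
    return value


def evaluate_mapping(rules, assertion):
    """Simplified mapping engine (assumption: plain 'type' matching only).
    Returns (user, group_ids) from the first rule whose remote attributes are
    all present in the assertion, or (None, []) when no rule matches."""
    for rule in rules:
        direct_values = []
        for remote in rule["remote"]:
            if remote["type"] not in assertion:
                break
            direct_values.append(assertion[remote["type"]])
        else:
            user, group_ids = {}, []
            for local in rule["local"]:
                rendered = _render(local, direct_values)
                if "user" in rendered:
                    user.update(rendered["user"])
                if "group" in rendered:
                    group_ids.append(rendered["group"]["id"])
            return user, group_ids
    return None, []


def federated_user(mapped_user, idp_id, protocol_id):
    """User section of a federated token in the shape shown in the report.
    Assumption: the id is just the mapped name (keystone derives its own)."""
    return {
        "id": mapped_user["name"],
        "name": mapped_user["name"],
        "domain": {"id": "Federated", "name": "Federated"},
        FEDERATION: {"identity_provider": {"id": idp_id},
                     "protocol": {"id": protocol_id}},
    }


def build_token_data(user, group_ids, role_assignments, project_id=None,
                     keep_groups_when_scoped=False):
    """Mirror the branch structure of the quoted _handle_mapped_tokens.

    role_assignments maps (group_id, project_id) -> [role names] and stands in
    for keystone's _populate_roles_for_groups lookup. keep_groups_when_scoped
    is the behaviour the reporter wants; it is an assumption of this example.
    """
    token_data = {"user": copy.deepcopy(user)}
    groups = [{"id": g} for g in group_ids]
    if project_id:
        roles = [r for g in group_ids
                 for r in role_assignments.get((g, project_id), [])]
        token_data["roles"] = [{"name": r} for r in roles]
        token_data["project"] = {"id": project_id}
        if keep_groups_when_scoped:
            token_data["user"][FEDERATION]["groups"] = groups
    else:
        token_data["user"][FEDERATION]["groups"] = groups
    return token_data


def groups_from_token(token_data):
    """Group ids a consumer re-reading the OS-FEDERATION section would see;
    empty for the Kilo scoped token, which is what the reporter points at."""
    return [g["id"] for g in token_data["user"][FEDERATION].get("groups", [])]


if __name__ == "__main__":
    mapped, gids = evaluate_mapping(MAPPING_RULES, ASSERTION)
    fed = federated_user(mapped, "my.idp.com", "saml2")
    assignments = {(SAMPLE_GROUP_ID, "Project1"): ["_member_"]}
    variants = [("unscoped", {}),
                ("kilo scoped", {"project_id": "Project1"}),
                ("scoped, groups kept", {"project_id": "Project1",
                                         "keep_groups_when_scoped": True})]
    for label, kwargs in variants:
        tok = build_token_data(fed, gids, assignments, **kwargs)
        print(label, "roles:", tok.get("roles"), "groups:", groups_from_token(tok))
```

Running it prints the three shapes side by side: the unscoped token carries groups and no roles, the Kilo-style scoped token carries roles but an empty group list, and the variant with the switch on carries both. The empty list in the second case is the condition the reporter identifies behind the "Unable to find valid groups while using mapping saml_mapping" 401.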

Revision history for this message
Steve Martinelli (stevemar) wrote :

Sorry it took so long to follow up on this issue, but it was fixed in Liberty:

see commit: https://github.com/openstack/keystone/commit/31a2f67de4b26ea9e193d94c2cdfddb91afb8098 and patch: https://review.openstack.org/#/c/207167/

Changed in keystone:
status: New → Triaged
milestone: mitaka-3 → none
Revision history for this message
Steve Martinelli (stevemar) wrote :

According to http://releases.openstack.org/ Kilo is still supported for security fixes until 2016-05-02. I'll see if someone is interested in backporting this to Kilo.

Revision history for this message
Steve Martinelli (stevemar) wrote :
Changed in keystone:
status: Triaged → Invalid
Revision history for this message
Bogdan (bogdan-vatkov) wrote :

I tested the Kilo patch on my installation and it worked like a charm :)
Thanks Steve!

Revision history for this message
Steve Martinelli (stevemar) wrote :

thanks for confirming bogdan, we'll get this into the next kilo scheduled release

Changed in keystone:
status: Invalid → In Progress
Changed in keystone:
status: In Progress → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/kilo)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/279922
Reason: thanks for the policy update brant

Revision history for this message
Steve Martinelli (stevemar) wrote :

Will not be backporting this change to Kilo as it doesn't meet the policy for Kilo now. We only backport security fixes for n-2 versions.
