mapping yield no valid identity result in HTTP 500 error
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Guang Yee |
Bug Description
A mapping which yield no valid identity (i.e. no local user or group) will result in HTTP 500 instead of 401. There are two issues.
1. We automatically return a default ephemeral user mapped_properties when mapping yield no valid local identity or groups.
2. In the mapped auth plugin, we assume the mapped_properties contains a valid local identity or group.
To reproduce the problem:
1. Set up WebSSO or K2K.
2. Create a mapping rule for the given IdP and protocol which yield neither local identity or group. For example,
[
{
],
]
}
]
3. do the federation dance and you'll get a HTTP 500 and a traceback as pretty as this one.
2016-03-14 17:16:05.536 12497 DEBUG keystone.
2016-03-14 17:16:05.536 12497 DEBUG keystone.
2016-03-14 17:16:05.536 12497 DEBUG keystone.
2016-03-14 17:16:05.620 12497 ERROR keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
2016-03-14 17:16:05.620 12497 TRACE keystone.
Changed in keystone: | |
importance: | Undecided → High |
Changed in keystone: | |
milestone: | none → mitaka-rc1 |
Changed in keystone: | |
assignee: | Guang Yee (guang-yee) → Steve Martinelli (stevemar) |
Changed in keystone: | |
assignee: | Steve Martinelli (stevemar) → Guang Yee (guang-yee) |
Fix proposed to branch: master /review. openstack. org/293184
Review: https:/