Comment 10 for bug 1589993

György Szombathelyi (gyurco) wrote : Re: Murano cannot deploy with federated user

Ok, progressed further:

Seems it still doesn't work with the current method of assigning the role through a pre-created group, and assigning this group to the federated users.
So I did a direct role assignment to the federated users, since it is possible now.
However, there are still some issues:

1. Because this user doesn't exist until she/he tries to log in, one cannot provision user roles beforehand.

2. There's still an issue with the trust creation (logs from keystone follow):

2016-10-03 13:16:11.411 26415 DEBUG keystone.middleware.auth [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': '6a299f31021c417bb15e0de347d0528f', 'roles': [u'_member_', u'_member_'], 'user_domain_id': 'Federated', 'consumer_id': None, 'trustee_id': None, 'is_domain': False, 'trustor_id': None, 'token': <KeystoneToken (audit_id=ZZsqGTjjRACs_Hny2yXXIg, audit_chain_id=ZZsqGTjjRACs_Hny2yXXIg) at 0x7f6b37da0e30>, 'group_ids': [], 'project_id': u'cb6344592c4e4fb99a15ccef715ada25', 'trust_id': None, 'project_domain_id': u'default'} fill_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:243
2016-10-03 13:16:11.414 26415 INFO keystone.common.wsgi [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] POST http://cloudtest.duodecadits.com:35357/v3/OS-TRUST/trusts
2016-10-03 13:16:11.415 26415 DEBUG keystone.common.controller [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'cb6344592c4e4fb99a15ccef715ada25', u'trustor_user_id': u'6a299f31021c417bb15e0de347d0528f', u'roles': [{u'name': u'_member_'}, {u'name': u'_member_'}], u'trustee_user_id': u'1345a05dcf2a442592fb770d53c114a0'}) _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:80
2016-10-03 13:16:11.417 26415 DEBUG keystone.policy.backends.rules [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] enforce identity:create_trust: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': '6a299f31021c417bb15e0de347d0528f', 'roles': [u'_member_', u'_member_'], 'user_domain_id': 'Federated', 'consumer_id': None, 'trustee_id': None, 'is_domain': False, 'trustor_id': None, 'token': <KeystoneToken (audit_id=ZZsqGTjjRACs_Hny2yXXIg, audit_chain_id=ZZsqGTjjRACs_Hny2yXXIg) at 0x7f6b37da0e30>, 'group_ids': [], 'project_id': u'cb6344592c4e4fb99a15ccef715ada25', 'trust_id': None, 'project_domain_id': u'default'} enforce /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:76
2016-10-03 13:16:11.418 26415 DEBUG keystone.common.controller [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] RBAC: Authorization granted inner /usr/lib/python2.7/dist-packages/keystone/common/controller.py:163
2016-10-03 13:16:11.476 26415 DEBUG keystone.common.sql.core [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] Conflict trust: (pymysql.err.IntegrityError) (1062, u"Duplicate entry 'c4a1d781b4d9418c9b747a6d8277340c-9fe2ff9ee4384b1894a90878d3e92ba' for key 'PRIMARY'") [SQL: u'INSERT INTO trust_role (trust_id, role_id) VALUES (%(trust_id)s, %(role_id)s)'] [parameters: ({'trust_id': 'c4a1d781b4d9418c9b747a6d8277340c', 'role_id': u'9fe2ff9ee4384b1894a90878d3e92bab'}, {'trust_id': 'c4a1d781b4d9418c9b747a6d8277340c', 'role_id': u'9fe2ff9ee4384b1894a90878d3e92bab'})] wrapper /usr/lib/python2.7/dist-packages/keystone/common/sql/core.py:435
2016-10-03 13:16:11.477 26415 WARNING keystone.common.wsgi [req-5f45f373-0097-4325-87f2-7dca317b71b8 6a299f31021c417bb15e0de347d0528f cb6344592c4e4fb99a15ccef715ada25 - Federated default] Conflict occurred attempting to store trust - Duplicate Entry

Note the 'roles': [u'_member_', u'_member_']: the role is duplicated for some reason.
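
Added example, not part of the original comment and not keystone code: a log triage helper that finds create_trust requests whose role list names the same role twice and ties them to the "Duplicate Entry" conflict by request id. The sample lines are constructed from the shape of the log above, with ids replaced by placeholders (req-aaaa, USER, PROJ, TRUSTEE); the function and constant names are hypothetical.

```python
import ast
import re
from collections import Counter

# Constructed sample lines modelled on the keystone log above; the request,
# user, project and trustee ids are placeholders, not real values.
SAMPLE_LOG = """\
2016-10-03 13:16:11.415 26415 DEBUG keystone.common.controller [req-aaaa USER PROJ - Federated default] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'PROJ', u'trustor_user_id': u'USER', u'roles': [{u'name': u'_member_'}, {u'name': u'_member_'}], u'trustee_user_id': u'TRUSTEE'}) _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:80
2016-10-03 13:16:11.477 26415 WARNING keystone.common.wsgi [req-aaaa USER PROJ - Federated default] Conflict occurred attempting to store trust - Duplicate Entry
2016-10-03 13:17:02.100 26415 DEBUG keystone.common.controller [req-bbbb USER2 PROJ - Default default] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'PROJ', u'trustor_user_id': u'USER2', u'roles': [{u'name': u'_member_'}], u'trustee_user_id': u'TRUSTEE'}) _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:80
"""

REQ_ID = re.compile(r"\[(req-[0-9a-zA-Z-]+) ")
TRUST_BODY = re.compile(r"identity:create_trust\(trust=(\{.*\})\) ")
CONFLICT = "Conflict occurred attempting to store trust"


def duplicate_trust_roles(log_text):
    """Map request id -> {"duplicates": [...], "conflict": bool} for trust
    requests whose role list names the same role more than once."""
    findings = {}
    conflicts = set()
    for line in log_text.splitlines():
        req = REQ_ID.search(line)
        if not req:
            continue
        if CONFLICT in line:
            conflicts.add(req.group(1))
        body = TRUST_BODY.search(line)
        if not body:
            continue
        try:
            # The logged body is a Python 2 repr; u'' literals still parse.
            trust = ast.literal_eval(body.group(1))
        except (ValueError, SyntaxError):
            continue  # truncated or wrapped log line, skip it
        counts = Counter(r.get("name") or r.get("id") for r in trust.get("roles", []))
        dups = sorted(n for n, c in counts.items() if c > 1)
        if dups:
            findings[req.group(1)] = {"duplicates": dups, "conflict": False}
    for rid in findings.keys() & conflicts:
        findings[rid]["conflict"] = True
    return findings
```

The helper expects each log record on a single line, so terminal-wrapped output has to be rejoined before it is fed in.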