federated users cannot use heat

Bug #1627098 reported by Robert Duncan
This bug report is a duplicate of: Bug #1642687: Missing domain for federated users.
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Adam Young

Bug Description

keystone mitaka

I'm not entirely sure what is happening here. Keystone is set up for federation with a SAML2 IdP,
and all federated users can use all services with the exception of heat.

This gets a little bit complicated because first I ran into this bug (heat cannot find federated user's role):
https://bugs.launchpad.net/murano/+bug/1589993

for which the workaround is to grant the federated user the heat_stack_owner role.

Once the role is granted directly to the federated user (e.g. not to the user's group),
the previous error goes away; keystone now throws this error when using heat:
object of type 'NoneType' has no len()

I think heat might be looking for a user ID in the default SQL domain, perhaps.

>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.420 10012 INFO keystone.token.providers.fernet.utils [req-dd5cc8a6-7c57-4166-931d-6a5ebf8a91f0 283c6248ff874714a4a5d69471ef2fad f653c7eb3d244f09b37f69cdd1ef4e82 - default default] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys
<14>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.480 10013 INFO keystone.common.wsgi [req-6998992e-83b7-4743-9ac5-036c2aed28ff - - - - -] GET http://172.25.60.5:35357/
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.492 10011 DEBUG keystone.middleware.auth [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71
<14>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.494 10011 INFO keystone.common.wsgi [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] POST http://172.25.60.5:35357/v3/auth/tokens
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.559 10011 DEBUG oslo_messaging._drivers.amqpdriver [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] CAST unique_id: bed1de3722504cb9b5e84b7ed3e7e4af size: 906 NOTIFY exchange: keystone topic: notifications.info _send /usr/lib/python2.7/dist-packages/oslo_messaging/_drivers/amqpdriver.py:480
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.569 10011 DEBUG dogpile.core.dogpile [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] NeedRegenerationException _enter /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:94
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.570 10011 DEBUG dogpile.core.dogpile [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] no value, waiting for create lock _enter_create /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:127
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.570 10011 DEBUG dogpile.core.dogpile [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] value creation lock <dogpile.cache.region._LockWrapper object at 0x7f116ead6cd0> acquired _enter_create /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:131
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.571 10011 DEBUG dogpile.core.dogpile [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] Calling creation function _enter_create /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:148
<15>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.579 10011 DEBUG dogpile.core.dogpile [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] Released creation lock _enter_create /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:154
<11>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi [req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -] object of type 'NoneType' has no len()
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi result = method(context, **params)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 416, in authenticate_for_token
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi parent_audit_id=token_audit_id)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 124, in wrapped
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 384, in issue_v3_token
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi parent_audit_id)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 44, in issue_v3_token
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi *args, **kwargs)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 621, in issue_v3_token
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi audit_info=parent_audit_id)
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 519, in get_token_data
2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi self._populate_user(token_data, user_id, trust)
2016-09-23 10:48:06.580 100
<15>Sep 23 10:48:07 node-30 keystone-admin: 2016-09-23 10:48:07.258 10014 DEBUG keystone.middleware.auth [req-b765bdb6-2843-4ade-92d6-11db786b38f6 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71

Tags: federation
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
summary: - federated users cannot user heat
+ federated users cannot use heat
tags: added: federation
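
A triage helper for logs like the one in this report, added here as an example (it is not part of the bug report or of keystone). It ties each ERROR header to the HTTP call logged under the same request ID and to the innermost traceback frame that survived; `failed_requests` and `SAMPLE` are names introduced for this illustration.

```python
import re

# oslo.log header: timestamp, pid, level, logger, [req-id ...] message
HEADER = re.compile(r"\d{4}-\d\d-\d\d [\d:.]+ (?P<pid>\d+) (?P<level>[A-Z]+) \S+ \[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)")
# Traceback continuation lines repeat the prefix but carry no [req-...] block
CONT = re.compile(r"\d{4}-\d\d-\d\d [\d:.]+ (?P<pid>\d+) ERROR \S+ (?P<rest>.*)")
FRAME = re.compile(r'File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
HTTP = re.compile(r"(GET|POST|PUT|PATCH|DELETE|HEAD) \S+$")

def failed_requests(lines):
    """One record per ERROR header: request id, HTTP call, message, innermost frame."""
    calls, records, open_tb = {}, [], {}
    for raw in lines:
        head = HEADER.search(raw)
        if head:
            open_tb.pop(head["pid"], None)  # a new header from this worker ends its traceback
            if HTTP.match(head["msg"]):
                calls[head["req"]] = head["msg"]
            if head["level"] == "ERROR":
                rec = {"req": head["req"], "error": head["msg"], "frame": None}
                open_tb[head["pid"]] = rec
                records.append(rec)
            continue
        cont = CONT.match(raw.strip())
        rec = open_tb.get(cont["pid"]) if cont else None
        if rec:
            frame = FRAME.search(cont["rest"])
            if frame:  # later frames overwrite earlier ones, leaving the innermost
                rec["frame"] = (frame["file"], int(frame["line"]), frame["func"])
    for rec in records:
        rec["call"] = calls.get(rec["req"])
    return records

# Trimmed excerpt of the log in this report (same values, fewer lines)
REQ = "[req-298ebc90-2aec-4dc9-b0af-00ef2c14c5f0 - - - - -]"
TB = "2016-09-23 10:48:06.580 10011 ERROR keystone.common.wsgi "
PKG = "/usr/lib/python2.7/dist-packages/keystone/"
SAMPLE = [
    "<14>Sep 23 10:48:06 node-30 keystone-admin: 2016-09-23 10:48:06.494 10011 INFO "
    "keystone.common.wsgi " + REQ + " POST http://172.25.60.5:35357/v3/auth/tokens",
    "<11>Sep 23 10:48:06 node-30 keystone-admin: " + TB + REQ + " object of type 'NoneType' has no len()",
    TB + "Traceback (most recent call last):",
    TB + 'File "' + PKG + 'auth/controllers.py", line 416, in authenticate_for_token',
    TB + "parent_audit_id=token_audit_id)",
    TB + 'File "' + PKG + 'token/providers/common.py", line 519, in get_token_data',
    TB + "self._populate_user(token_data, user_id, trust)",
    "2016-09-23 10:48:06.580 100",  # the cut-off line is skipped, not parsed
]
print(failed_requests(SAMPLE))
```

Because the pasted traceback is cut off, the deepest frame recoverable from this log is `get_token_data` at its call to `_populate_user`, reached from `POST /v3/auth/tokens`.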