mapping yields no valid identity, resulting in HTTP 500 error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
New entry for the Fix Released bug https:/
I got a meaningful 401 in M release.
In the N release with the same config (ADFS federation with SAML2) I get this generic error message with code 500; it forced me to dig into the Keystone code to trace the origin of the error, and I found this change [1], which is responsible.
If I revert the change to just write to the log, then an unscoped token with no group is returned. From my point of view this is the correct behavior, right? I just found out that federation is not limited to group membership anymore, which is great, so why raise an exception if no group can be mapped? Is it because the mappings try to map remote properties to local groups? I find it pretty handy that a rule trying to map both user and groups can still yield a token even if there is no matching group in Keystone.
As an aside, I would be immensely grateful to anyone telling me how to get the stack trace directly when such an exception appears in the browser agent; tracing it manually was painful ;-( (OTOH I learnt a bit more about the code).
The exception is thrown even when there are matching groups defined in Keystone.
Here is my mapping rule:
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "domain": {
                    "name": "our_default_
                }
            },
            {
                "groups": "{1}",
                "domain": {
                    "name": "our_default_
                }
            }
        ],
        "remote": [
            {
                "type": "UPN"
            },
            {
                "type": "GROUPS"
            }
        ]
    }
]
Result if I let the exception be raised:
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
Result if I comment it out:
{"token": {"issued_at": "2016-11-
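To make the behaviour the report argues for concrete, here is an added toy evaluator for a mapping rule of the shape above (example code written for this page, not Keystone's own mapping engine). It substitutes the remote attributes into the local section, treats a result with a user but no matching group as a valid identity, and only rejects a result with neither; the domain name, the semicolon-separated GROUPS format and the sample assertions are assumptions.

```python
"""Toy evaluator for a Keystone-style federation mapping rule.
Added example, not Keystone's code: {i} in the 'local' section refers to
the i-th entry of 'remote'; the rule, domain name and assertions below are
constructed for illustration."""

# Constructed rule mirroring the report's UPN/GROUPS mapping (domain name assumed).
RULE = {
    "local": [
        {"user": {"name": "{0}"}, "domain": {"name": "example_domain"}},
        {"groups": "{1}", "domain": {"name": "example_domain"}},
    ],
    "remote": [{"type": "UPN"}, {"type": "GROUPS"}],
}


def evaluate(rule, assertion):
    """Return {'user': name or None, 'groups': [...]}; raise ValueError only
    when neither a user nor a single group could be derived."""
    # A remote attribute missing from the assertion becomes an empty string.
    values = [assertion.get(r["type"], "") for r in rule["remote"]]
    user, groups = None, []
    for item in rule["local"]:
        if "user" in item:
            user = item["user"]["name"].format(*values) or None
        if "groups" in item:
            # Assumption: the GROUPS attribute is a ';'-separated list.
            raw = item["groups"].format(*values)
            groups.extend(g for g in raw.split(";") if g)
    if user is None and not groups:
        raise ValueError("mapping yielded no user and no groups")
    return {"user": user, "groups": groups}


def filter_known_groups(identity, known_groups):
    """Keep only groups that exist locally. A user with zero matching groups
    is still a valid identity (unscoped token, no groups) rather than an error."""
    return {
        "user": identity["user"],
        "groups": [g for g in identity["groups"] if g in known_groups],
    }
```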
tags: removed: mappings
If the behavior regressed and it is a bug we should reopen bug 1557238 and continue tracking work there instead of filing it in a new report.