Authentication for LDAP user fails at MFA rule check

Bug #1662762 reported by Divya K Konoor on 2017-02-08
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Matthew Edmonds
Ocata
High
Matthew Edmonds

Bug Description

I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377

    def check_auth_methods_against_rules(self, user_id, auth_methods):
        user_ref = self.identity_api.get_user(user_id)
        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails

INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'

Conversation from #openstack-keystone on Freenode:
http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-07.log.html#t2017-02-07T14:01:09

description: updated
description: updated
tags: added: ldap
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Divya K Konoor (dikonoor) wrote :

Lance Bragstad, thanks for cleaning up my description. It looks so much better now.

Lance Bragstad (lbragstad) wrote :

Divya, no problem! Launchpad can sometime mangle the simplest stack traces or code snippets.

Changed in keystone:
assignee: nobody → Matthew Edmonds (edmondsw)

Fix proposed to branch: master
Review: https://review.openstack.org/437402

Changed in keystone:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/437402
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Submitter: Jenkins
Branch: master

commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Author: Matthew Edmonds <email address hidden>
Date: Fri Feb 24 00:41:11 2017 -0500

    Fix MFA rule checks for LDAP auth

    LDAP authentication was broken by the addition of MFA rule checking.
    This patch fixes that.

    Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
    Closes-Bug: #1662762

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/437998
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=95160d1812104d90ff096cb2d32390b065bfeaae
Submitter: Jenkins
Branch: stable/ocata

commit 95160d1812104d90ff096cb2d32390b065bfeaae
Author: Matthew Edmonds <email address hidden>
Date: Fri Feb 24 00:41:11 2017 -0500

    Fix MFA rule checks for LDAP auth

    LDAP authentication was broken by the addition of MFA rule checking.
    This patch fixes that.

    Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
    Closes-Bug: #1662762
    (cherry picked from commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd)

Changed in keystone:
milestone: none → pike-1

This issue was fixed in the openstack/keystone 12.0.0.0b1 development milestone.

Gregory Orange (gregoryo2017) wrote :

I've manually applied the change to /usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap/core.py on our Fuel-deployed Ocata (UCA repositories) and made it work - LDAP authentication no longer fails. When will this fix be released there, so we don't have to hack in the change? I'm concerned that in doing so we might cause other problems with later code changes.

Luca Cervigni (cervigni) wrote :

Any news about the fix release for Ocata?

This issue was fixed in the openstack/keystone 11.0.1 release.

Lance Bragstad (lbragstad) wrote :

Now that we've have a new stable/ocata release post RC [0], this should be available.

[0] https://review.openstack.org/#/c/463004/

Saverio Proto (zioproto) wrote :

Hello,

I am testing the upgrade Newton to Ocata. I dont have LDAP backend. I see the following in the log file:

2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi [req-f3f731ec-80ab-4f4b-b72e-438c508b567e - - - - -] 'options'
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi Traceback (most recent call last):
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi result = method(req, **params)
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi KeyError: 'options'
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi

Could be that part of this problem is already there ? I am using mysql backend.

thanks

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers