OpenStack Identity (keystone)

Authentication for LDAP user fails at MFA rule check

Bug #1662762 reported by Divya K Konoor on 2017-02-08

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Matthew Edmonds	OpenStack Identity (keystone) pike-1 "pike-1"
	Ocata	Fix Released	High	Matthew Edmonds

Bug Description

I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377

    def check_auth_methods_against_rules(self, user_id, auth_methods):
        user_ref = self.identity_api.get_user(user_id)
        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails

INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'

Conversation from #openstack-keystone on Freenode:
http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-07.log.html#t2017-02-07T14:01:09

See original description

Tags:

Lance Bragstad (lbragstad) on 2017-02-08

description:	updated
description:	updated
tags:	added: ldap
Changed in keystone:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Divya K Konoor (dikonoor) wrote on 2017-02-08:

Lance Bragstad, thanks for cleaning up my description. It looks so much better now.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-02-08:

Divya, no problem! Launchpad can sometime mangle the simplest stack traces or code snippets.

Matthew Edmonds (edmondsw) on 2017-02-22

Changed in keystone:
assignee:	nobody → Matthew Edmonds (edmondsw)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-23: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/437402

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-24: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/437402
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Submitter: Jenkins
Branch: master

commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Author: Matthew Edmonds <email address hidden>
Date: Fri Feb 24 00:41:11 2017 -0500

Fix MFA rule checks for LDAP auth

LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.

Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-24: Fix proposed to keystone (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/437998

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-28: Fix merged to keystone (stable/ocata)

Reviewed: https://review.openstack.org/437998
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=95160d1812104d90ff096cb2d32390b065bfeaae
Submitter: Jenkins
Branch: stable/ocata

commit 95160d1812104d90ff096cb2d32390b065bfeaae
Author: Matthew Edmonds <email address hidden>
Date: Fri Feb 24 00:41:11 2017 -0500

Fix MFA rule checks for LDAP auth

LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.

    Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
    Closes-Bug: #1662762
    (cherry picked from commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd)

Lance Bragstad (lbragstad) on 2017-03-01

Changed in keystone:
milestone:	none → pike-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-12: Fix included in openstack/keystone 12.0.0.0b1

This issue was fixed in the openstack/keystone 12.0.0.0b1 development milestone.

Revision history for this message

Gregory Orange (gregoryo2017) wrote on 2017-04-24:

I've manually applied the change to /usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap/core.py on our Fuel-deployed Ocata (UCA repositories) and made it work - LDAP authentication no longer fails. When will this fix be released there, so we don't have to hack in the change? I'm concerned that in doing so we might cause other problems with later code changes.

Revision history for this message

Luca Cervigni (cervigni) wrote on 2017-05-01:

Any news about the fix release for Ocata?

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-08: Fix included in openstack/keystone 11.0.1

#10

This issue was fixed in the openstack/keystone 11.0.1 release.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-05-16:

#11

Now that we've have a new stable/ocata release post RC [0], this should be available.

[0] https://review.openstack.org/#/c/463004/

Revision history for this message

Saverio Proto (zioproto) wrote on 2018-07-27:

#12

Hello,

I am testing the upgrade Newton to Ocata. I dont have LDAP backend. I see the following in the log file:

2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi [req-f3f731ec-80ab-4f4b-b72e-438c508b567e - - - - -] 'options'
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi Traceback (most recent call last):
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi result = method(req, **params)
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi KeyError: 'options'
2018-07-27 13:38:29.134 44 ERROR keystone.common.wsgi

Could be that part of this problem is already there ? I am using mysql backend.

thanks

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1672425

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.