2017-02-08 05:15:09 |
Divya K Konoor |
bug |
|
|
added bug |
2017-02-08 14:56:42 |
Lance Bragstad |
description |
I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377
def check_auth_methods_against_rules(self, user_id, auth_methods):
user_ref = self.identity_api.get_user(user_id)
mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
dikonoor> dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.
<dikonoor> dstanek: and how it gets populated
<dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
<dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
<dstanek> morgan: ^ does that sound correct?
<dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this
<dstanek> dikonoor: i prefer empty to the models look the same |
I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
def check_auth_methods_against_rules(self, user_id, auth_methods):
user_ref = self.identity_api.get_user(user_id)
mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
dikonoor> dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.
<dikonoor> dstanek: and how it gets populated
<dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
<dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
<dstanek> morgan: ^ does that sound correct?
<dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this
<dstanek> dikonoor: i prefer empty to the models look the same |
|
2017-02-08 14:58:28 |
Lance Bragstad |
description |
I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
def check_auth_methods_against_rules(self, user_id, auth_methods):
user_ref = self.identity_api.get_user(user_id)
mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
dikonoor> dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.
<dikonoor> dstanek: and how it gets populated
<dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
<dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
<dstanek> morgan: ^ does that sound correct?
<dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this
<dstanek> dikonoor: i prefer empty to the models look the same |
I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
def check_auth_methods_against_rules(self, user_id, auth_methods):
user_ref = self.identity_api.get_user(user_id)
mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
In the last line the code flow expects user_Ref to always have an options attribute and this is not present for LDAP users due to which we get the below and authentication fails
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
Conversation from #openstack-keystone on Freenode:
http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-07.log.html#t2017-02-07T14:01:09 |
|
2017-02-08 14:58:34 |
Lance Bragstad |
tags |
|
ldap |
|
2017-02-08 14:58:40 |
Lance Bragstad |
keystone: status |
New |
Triaged |
|
2017-02-08 14:58:43 |
Lance Bragstad |
keystone: importance |
Undecided |
High |
|
2017-02-08 14:59:08 |
Lance Bragstad |
nominated for series |
|
keystone/ocata |
|
2017-02-08 14:59:08 |
Lance Bragstad |
bug task added |
|
keystone/ocata |
|
2017-02-08 14:59:18 |
Lance Bragstad |
keystone/ocata: status |
New |
Triaged |
|
2017-02-08 14:59:21 |
Lance Bragstad |
keystone/ocata: importance |
Undecided |
High |
|
2017-02-22 21:40:31 |
Matthew Edmonds |
keystone: assignee |
|
Matthew Edmonds (edmondsw) |
|
2017-02-22 21:40:37 |
Matthew Edmonds |
keystone/ocata: assignee |
|
Matthew Edmonds (edmondsw) |
|
2017-02-23 14:32:35 |
OpenStack Infra |
keystone: status |
Triaged |
In Progress |
|
2017-02-24 15:27:24 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
2017-02-24 17:02:51 |
OpenStack Infra |
keystone/ocata: status |
Triaged |
In Progress |
|
2017-02-28 02:29:52 |
OpenStack Infra |
keystone/ocata: status |
In Progress |
Fix Committed |
|
2017-03-01 22:35:55 |
Lance Bragstad |
keystone: milestone |
|
pike-1 |
|
2017-04-20 07:33:54 |
Gregory Orange |
bug |
|
|
added subscriber Pawsey Supercomputing Centre |
2017-05-16 21:09:09 |
Lance Bragstad |
keystone/ocata: status |
Fix Committed |
Fix Released |
|
2017-07-18 10:55:38 |
GREMIAUX Florian |
bug |
|
|
added subscriber GREMIAUX Florian |