In the last line the code flow expects user_ref to always have an options attribute, and this is not present for LDAP users, due to which we get the below and authentication fails:
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
<dikonoor> dstanek: I am trying to understand if 'options' is a mandatory attribute in user_ref.
<dikonoor> dstanek: and how it gets populated
<dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
<dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
<dstanek> morgan: ^ does that sound correct?
<dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options'). Let me go ahead and open a defect for this
<dstanek> dikonoor: i prefer empty to the models look the same
I have an OpenStack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377
    def check_auth_methods_against_rules(self, user_id, auth_methods):
        user_ref = self.identity_api.get_user(user_id)
        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
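Added example, not keystone's code and not part of the original report: a minimal model of the lookup above, showing the KeyError for a user ref without 'options' and the two fixes raised in the discussion. The option name string, the rule semantics and all helper names are assumptions.

```python
# Added sketch; not keystone code. Names and semantics below are assumptions.
MFA_RULES_OPT_NAME = "multi_factor_auth_rules"  # assumed ro.MFA_RULES_OPT.option_name


def _rules_satisfied(mfa_rules, auth_methods):
    # Assumed semantics: no rules means no extra requirement; otherwise at
    # least one rule must be fully covered by the methods actually used.
    if not mfa_rules:
        return True
    used = set(auth_methods)
    # Skip empty rules: an empty rule is a subset of anything and would
    # let every request through.
    return any(rule and set(rule) <= used for rule in mfa_rules)


def check_unpatched(user_ref, auth_methods):
    """Same lookup as the reported line: KeyError when 'options' is absent."""
    mfa_rules = user_ref['options'].get(MFA_RULES_OPT_NAME, [])
    return _rules_satisfied(mfa_rules, auth_methods)


def normalize_user_ref(user_ref):
    """Model-side fix: every backend returns an 'options' dict, empty when
    the backend stores none. Returns a copy; the input is not modified."""
    ref = dict(user_ref)
    ref.setdefault('options', {})
    return ref


def check_tolerant(user_ref, auth_methods):
    """Check-side fix: user_ref.get('options'), missing means no rules."""
    options = user_ref.get('options') or {}
    return _rules_satisfied(options.get(MFA_RULES_OPT_NAME, []), auth_methods)


# Constructed sample user refs.
SQL_USER = {'id': 'u1',
            'options': {MFA_RULES_OPT_NAME: [['password', 'totp']]}}
LDAP_USER = {'id': 'u2'}  # no 'options' key, as in the report
```

Either fix lets the LDAP user authenticate with no rules applied, while a user whose options carry MFA rules is still rejected when a required method is missing.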