An error in function get_user_unique_id_and_display_name()

Bug #1711883 reported by Lei Lei on 2017-08-20
This bug affects 2 people
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Vishakha Agarwal

Bug Description

Firstly, see the code of the function get_user_unique_id_and_display_name() in keystone/auth/plugins/

    # keystone/auth/plugins/  (path as truncated in the report)
    from six.moves.urllib import parse

    from keystone import exception
    from keystone.i18n import _


    def get_user_unique_id_and_display_name(request, mapped_properties):
        # The mapping engine already produced a 'user' dict; it may carry
        # 'id', 'name', both, or neither.
        user = mapped_properties['user']

        user_id = user.get('id')
        # Fall back to REMOTE_USER (set by the Apache auth module) only for
        # the local variable; the dict itself is not updated here.
        user_name = user.get('name') or request.remote_user

        if not any([user_id, user_name]):
            msg = _("Could not map user while setting ephemeral user identity. "
                    "Either mapping rules must specify user id/name or "
                    "REMOTE_USER environment variable must be set.")
            raise exception.Unauthorized(msg)

        elif not user_name:
            user['name'] = user_id

        elif not user_id:
            # Taken when the name came only from REMOTE_USER: user['name']
            # is never written in this branch, which is the bug reported below.
            user_id = user_name

        user['id'] = parse.quote(user_id)
        return (user['id'], user['name'])

There is an error inside the above function.
If user.get('name') is None but request.remote_user is not None, e.g. request.remote_user is "fed_user", then user_name will be "fed_user".
So the execution path will not go into "elif not user_name", and for the last line, "return (user['id'], user['name'])", user['name'] will raise a KeyError exception.

Lance Bragstad (lbragstad) wrote :

Thanks for the bug report. Do you have inputs or steps to recreate this by interacting with keystone?

description: updated
Lei Lei (leilei) wrote :

Thanks for asking, Lance.
Yep. The steps are the ones used to set up SSO (Single Sign-On) for logging in to OpenStack with a Google Account.
There are quite a few steps. They are as below.

[Environment] CentOS 7.3

1. Login on "Google Developers Console", and set up your own project, which is a "web application".
   1> After the project is created successfully, write down the "client ID" and "client secret". They will be used later.
   2> Set "" to "the authorized redirected URL"

2. Set up a PackStack.

3. Run the commands below in the PackStack:

   source ~/keystonerc_admin
   openstack group create --domain default --description "Federation User Group" federation_group
   openstack project create --domain default --description "Federation Demo Project" federation_demo_project
   openstack role add --domain default --group federation_group admin
   openstack role add --project federation_demo_project --group federation_group admin
   openstack identity provider create google --remote-id

   cat > /tmp/google-mapping-rules.json <<EOF
        "local": [
                "group": {
                    "id": "xxx" # Note, this is the group id created by the second command above

        "remote": [
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [

   openstack mapping create google-idp-mapping --rules ./google-mapping-rules.json
   openstack federation protocol create oidc --identity-provider google --mapping google-idp-mapping

4. Append/Add the following to the proper section of /etc/keystone.conf

    # Allowed authentication methods. (list value)
    methods = external,password,token,oauth1,oidc
    oidc = keystone.auth.plugins.mapped.Mapped

    # Value to be used to obtain the entity ID of the Identity Provider from the
    # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
    # Provider`). (string value)
    remote_id_attribute = HTTP_OIDC_ISS
    trusted_dashboard =

5. Install mod_auth_openidc module for Apache
   Commands are like below:
    yum localinstall -y ./cjose-0.5.1-1.el7.centos.x86_64.rpm
    yum localinstall -y ./hiredis-0.12.1-1.sdl6.x86_64.rpm
    yum localinstall -y ./mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm

6. Add the following content to /etc/httpd/conf.d/10-keystone_wsgi_main.conf

    <VirtualHost *:5000>

        OIDCClaimPrefix "OIDC-"
        OIDCResponseType "id_token"
        OIDCScope "openid email profile"


Lei Lei (leilei) wrote :

The reproduction steps are complex. However, just from the code itself, I think the error is not hard to find. The point is, if "request.remote_user" is not None but user.get('name') is None, then the last statement "return (user['id'], user['name'])" will raise a KeyError.
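As an added illustration (not code from keystone or from this report), the script below runs a copy of the buggy function from the bug description and an illustrative fixed rewrite over the four possible combinations of mapped id/name and REMOTE_USER. The Unauthorized and FakeRequest classes stand in for keystone's own, the sample inputs are constructed for the example, and the "fixed" version is one way to close the gap, not the patch that was merged.

```python
# Added example (not keystone's own code): reproduces the KeyError described
# in this bug and shows one way to close it. The keystone imports are
# replaced by small stand-ins so the script runs offline; the "fixed" version
# is an illustrative rewrite, not the merged patch.
import copy
from urllib.parse import quote


class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized."""


class FakeRequest(object):
    """Stand-in for the WSGI request; only remote_user is consulted."""

    def __init__(self, remote_user=None):
        self.remote_user = remote_user


def buggy_get_user_unique_id_and_display_name(request, mapped_properties):
    """Same control flow as the function quoted in the bug description."""
    user = mapped_properties['user']
    user_id = user.get('id')
    user_name = user.get('name') or request.remote_user

    if not any([user_id, user_name]):
        raise Unauthorized("Could not map user while setting ephemeral "
                           "user identity.")
    elif not user_name:
        user['name'] = user_id
    elif not user_id:
        user_id = user_name          # user['name'] is never written here

    user['id'] = quote(user_id)
    return (user['id'], user['name'])   # KeyError if name came from REMOTE_USER


def fixed_get_user_unique_id_and_display_name(request, mapped_properties):
    """Illustrative fix: resolve both values, then write both back."""
    user = mapped_properties['user']
    user_id = user.get('id')
    user_name = user.get('name') or request.remote_user

    if not any([user_id, user_name]):
        raise Unauthorized("Could not map user while setting ephemeral "
                           "user identity.")
    if not user_name:
        user_name = user_id
    if not user_id:
        user_id = user_name

    user['id'] = quote(user_id)
    user['name'] = user_name          # always present now
    return (user['id'], user['name'])


# Constructed inputs covering the four combinations of mapped id/name and
# REMOTE_USER. 'remote_user_only' is the situation from the bug report: the
# mapping rules assign a group but no user, and Apache supplies REMOTE_USER.
CASES = {
    'remote_user_only': ({'user': {}}, FakeRequest('fed_user')),
    'name_only': ({'user': {'name': 'alice'}}, FakeRequest()),
    'id_only': ({'user': {'id': 'a b/c'}}, FakeRequest()),
    'nothing': ({'user': {}}, FakeRequest()),
}


def run_case(fn, label):
    """Return the (id, name) tuple, or the name of the exception raised."""
    props, request = CASES[label]
    try:
        return fn(request, copy.deepcopy(props))
    except KeyError:
        return 'KeyError'
    except Unauthorized:
        return 'Unauthorized'


def compare_all():
    """Map (case, version) -> outcome for both implementations."""
    results = {}
    for label in CASES:
        results[(label, 'buggy')] = run_case(
            buggy_get_user_unique_id_and_display_name, label)
        results[(label, 'fixed')] = run_case(
            fixed_get_user_unique_id_and_display_name, label)
    return results


if __name__ == '__main__':
    for key, outcome in sorted(compare_all().items()):
        print('%-18s %-6s %s' % (key[0], key[1], outcome))
```

Only the remote_user_only case differs between the two versions: the buggy function raises KeyError there, the fixed one returns ('fed_user', 'fed_user'). The id_only case also shows a detail worth knowing when reading audit logs: the returned id is percent-encoded by quote() while the display name keeps the raw value, so the two can differ for the same federated user.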

Lei Lei (leilei) on 2017-08-30
summary: - A logic error in function get_user_unique_id_and_display_name()
+ An error in function get_user_unique_id_and_display_name()
jiapei (jeremy.jia) on 2017-09-01
Changed in keystone:
status: New → Confirmed
Lei Lei (leilei) on 2017-09-01
Changed in keystone:
assignee: nobody → Lei Lei (leilei)
Changed in keystone:
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Lei Lei (leilei) → nobody
Rajat Sharma (tajar29) on 2018-06-07
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master

Changed in keystone:
status: Confirmed → In Progress

Submitter: Zuul
Branch: master

commit f4729795ecfbc53ae391204726fd441ce4b462ef
Author: Vishakha Agarwal <email address hidden>
Date: Tue Jun 19 14:21:46 2018 +0530

    Added check to avoid keyerror "user['name']"

    In get_user_unique_id_and_display_name() of
    keystone/auth/plugins/, the checking
    of user dict's key "name" is not very strict.
    So, we need to add more strict validation here.

    Change-Id: Ib147e90e4076c1c2ca7a9fd1cf8d17ce3ddc5e34
    Closes-Bug: #1711883

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone release candidate.
