UUID (or any persistent) token providers unable to validate federation token

Bug #1758460 reported by Guang Yee on 2018-03-23
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Unassigned

Bug Description

With the UUID token provider and WebSSO enabled, a token obtained via WebSSO cannot be validated in Keystone. In the Keystone log, you'll see something similar to this.

46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, u'is_domain': None, 'user_id': u'7e93953eda38423f919d83da2544c683', 'expires': datetime.datetime(2018, 3, 24, 0, 24, 8), u'token_data': {u'token': {u'is_domain': False, u'service_providers': [{u'sp_url': u'https://mytest:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'https://mytest:5000/v3', u'id': u'ks-sp-server'}], u'methods': [u'token', u'saml2'], u'roles': [{u'domain_id': None, u'id': u'9fe2ff9ee4384b1894a90878d3e92bab', u'name': u'_member_'}], u'is_admin_project': False, u'project': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'},
...

Looking at the code, it appears we never rebuild federated token roles for UUID (persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L610

We only do that for Fernet (non-persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L635

Consequently, when we try to glue the token data together, the roles are rebuilt as if the token were a regular token, which results in a role assignment not being found.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L649
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L418
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L344

Steps to reproduce:

1. Follow the Keystone docs to set up WebSSO and use the UUID token provider.
2. Log in from Horizon.
3. After logging in successfully, you'll see all kinds of "Unable to retrieve ..." messages from Horizon. Basically, Horizon is unable to use the federated token to retrieve the user's resources (i.e. compute, network, etc.).
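The following is an added example, not keystone's code or the reporter's, modelling the validation path the report describes: a federated user has no direct role assignment on the project (their roles arrive through the federation mapping and are stored in the token data), so a validator that always rebuilds roles from assignments rejects the token, while one that keeps the federation-supplied roles accepts it. All names, ids and the assignment table are constructed stand-ins; the federation method names used to detect a federated token are an assumption of this model, not keystone's detection logic.

```python
"""Model of the federated-token validation failure (added example, not
keystone's code). Ids, users and the assignment table are constructed."""

import datetime


class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized."""


# Constructed placeholder ids (not real keystone ids).
FEDERATED_USER = "fed-user-id"
LOCAL_USER = "local-user-id"
PROJECT = "websso-project-id"
MEMBER_ROLE = {"id": "role-member-id", "name": "_member_"}

# Direct role assignments: the local user has one on the project, the
# federated user has none, because federated users receive roles through
# group mapping rather than direct grants.
ASSIGNMENTS = {
    (LOCAL_USER, PROJECT): [MEMBER_ROLE],
}

# Assumed names of federated auth methods for this model only.
FEDERATION_METHODS = {"saml2", "openid", "mapped"}


def _token_ref(user_id, methods, roles):
    """Build a persisted token reference in the shape the bug's log shows."""
    return {
        "user_id": user_id,
        "tenant": {"id": PROJECT, "name": "websso-project1"},
        "expires": datetime.datetime(2018, 3, 24, 0, 24, 8),
        "token_data": {"token": {
            "methods": methods,
            "roles": roles,
            "project": {"id": PROJECT, "name": "websso-project1"},
        }},
    }


def token_for_federated_user():
    # Roles were populated by the federation mapping at issuance time.
    return _token_ref(FEDERATED_USER, ["token", "saml2"], [MEMBER_ROLE])


def token_for_local_user():
    return _token_ref(LOCAL_USER, ["password"], [MEMBER_ROLE])


def is_federated(token_ref):
    methods = token_ref["token_data"]["token"].get("methods", [])
    return any(m in FEDERATION_METHODS for m in methods)


def roles_from_assignments(user_id, project_id):
    """Rebuild roles from direct assignments, as for a regular token."""
    roles = ASSIGNMENTS.get((user_id, project_id))
    if not roles:
        # Same condition as the "has no access to project" debug line.
        raise Unauthorized(
            f"User {user_id} has no access to project {project_id}")
    return roles


def validate_rebuild_from_assignments(token_ref):
    """Persistent-token path: roles are always rebuilt from assignments,
    so a federated token is rejected."""
    return roles_from_assignments(token_ref["user_id"],
                                  token_ref["tenant"]["id"])


def validate_preserving_federated_roles(token_ref):
    """Non-persistent path: federated tokens keep the roles the mapping
    placed in the token data; local tokens are rebuilt from assignments."""
    if is_federated(token_ref):
        return token_ref["token_data"]["token"]["roles"]
    return roles_from_assignments(token_ref["user_id"],
                                  token_ref["tenant"]["id"])


def outcome(validator, token_ref):
    """Return 'valid' or 'rejected' for a (validator, token) pair."""
    try:
        validator(token_ref)
        return "valid"
    except Unauthorized:
        return "rejected"


if __name__ == "__main__":
    for name, validator in (
            ("rebuild from assignments", validate_rebuild_from_assignments),
            ("preserve federated roles", validate_preserving_federated_roles)):
        print(name, "| federated:", outcome(validator, token_for_federated_user()),
              "| local:", outcome(validator, token_for_local_user()))
```

Running it shows the asymmetry the report describes: the local user's token validates under both strategies, while the federated token is rejected only by the validator that discards the roles stored in the token data.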

Guang Yee (guang-yee) wrote :

I presume this bug impacts Queens and older releases, as the UUID token provider is a goner for master.

Lance Bragstad (lbragstad) wrote :

Yeah - the UUID token provider has already been removed for Rocky [0], per its deprecation cycle. We could propose a patch to stable/queens, but that'd require an exception for stable, I think.

I suppose the workaround would be to use fernet.

[0] https://review.openstack.org/#/c/543060/

Changed in keystone:
importance: Undecided → Low

Lance Bragstad (lbragstad) wrote :

Changed in keystone:
status: New → Confirmed

Lance Bragstad (lbragstad) wrote :

Marking this as invalid since there isn't anything we can do in master short of reverting the removal of UUID, issuing a fix, backporting it, then removing the UUID token provider again. We also can't issue a fix directly to stable branches according to stable policy.

I think the workaround is the best option, given that a fix would only be used for a short period of time before needing to switch anyway, since Rocky won't include UUID tokens regardless.

Changed in keystone:
status: Confirmed → Invalid