OpenStack Identity (keystone)

UUID (or any persistent) token providers unable to validate federation token

Bug #1758460 reported by Guang Yee on 2018-03-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Invalid	Low	Unassigned

Bug Description

With the UUID token provider and WebSSO enabled. A token obtain via WebSSO will not be able to validate in Keystone. In the Keystone log, you'll see something similar to these.

46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, u'is_domain': None, 'user_id': u'7e93953eda38423f919d83da2544c683', 'expires': datetime.datetime(2018, 3, 24, 0, 24, 8), u'token_data': {u'token': {u'is_domain': False, u'service_providers': [{u'sp_url': u'https://mytest:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'https://mytest:5000/v3', u'id': u'ks-sp-server'}], u'methods': [u'token', u'saml2'], u'roles': [{u'domain_id': None, u'id': u'9fe2ff9ee4384b1894a90878d3e92bab', u'name': u'_member_'}], u'is_admin_project': False, u'project': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'},
...

Looking at the code, it appears we never rebuild federated token roles for UUID (persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L610

We only do that for Fernet (non-persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L635

Consequently, when we try to glue the token data together, the roles are being rebuilt as if the token is a regular token which result in role assignment not found.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L649
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L418
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L344

Step to reproduce:

1. Follow the Keystone Doc to setup WebSSO and use UUID token provider.
2. Login from Horizon
3. After successfully logged in, you'll see all kinds of "Unable to retrieve ..." messages from
Horizon. Basically, Horizon is unable to use the federated token to retrieve users resources (i.e. compute, network, etc)

Revision history for this message

Guang Yee (guang-yee) wrote on 2018-03-23:

I presume this bug impact Queens and older releases as UUID token provider is a goner for master.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-03-27:

Yeah - the UUID token provider has already been removed for Rocky [0], per it's deprecation cycle. We could propose a patch to stable/queens, but that'd require an exception for stable I think.

I suppose the workaround would be to use fernet.

[0] https://review.openstack.org/#/c/543060/

Changed in keystone:
importance:	Undecided → Low

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-04-04:

This was hit by another operator who came to us in IRC [0].

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-04-04.log.html#t2018-04-04T12:32:57

Changed in keystone:
status:	New → Confirmed

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-06-20:

Marking this as invalid since there isn't anything we can do in master short of revert the removal of UUID, issue a fix, backport it, then remove the UUID token provider again. We also can't issue a fix directly to stable branches according to stable policy.

I think the work-around is the best option given the fact a fix would only be used for a short period of time before needing to switch anyway since Rocky won't include UUID tokens regardless.

Changed in keystone:
status:	Confirmed → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.