Keystone client is unable to correctly look up names of federated users

Bug #1778989 reported by Lars Kellogg-Stedman
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

When looking up a user in a domain, one can generally do this:

    openstack user show --domain testdomain testuser

Unfortunately, if testuser is a federated user, the above command will fail. For example:

  $ openstack domain list -c ID -c Name
  +----------------------------------+----------------------------------+
  | ID                               | Name                             |
  +----------------------------------+----------------------------------+
  | 2b47931027ef4b9e914ab158ef77ae07 | testdomain                       |
  | 3cb3f05971c243f08ec4715f228876f1 | heat_stack                       |
  | 6657bdf192594898a1b9b846296c5141 | 6657bdf192594898a1b9b846296c5141 |
  | default                          | Default                          |
  +----------------------------------+----------------------------------+

In the above, 6657bdf192594898a1b9b846296c5141 is a domain for federated users that was auto-generated for an identity provider. There is one user in the domain:

  $ openstack user list --domain 6657bdf192594898a1b9b846296c5141
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 428641fc53664e3ba66bd52ff64ce37e | larsks |
  +----------------------------------+--------+

But the following command fails:

  $ openstack user show --domain 6657bdf192594898a1b9b846296c5141 larsks
  No user with a name or ID of 'larsks' exists.

description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Lars Kellogg-Stedman (larsks) wrote :

The debug output for the failed request looks like:

  GET call to identity for https://example.com:13000/v3/users/larsks used request id req-e38c00a2-2429-4443-8ef7-6ea8193a8eef
  Request returned failure status: 404
  REQ: curl -g -i -X GET https://example.com:13000/v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}a5e664259619338463208b8baa268c118095eaf6"
  https://example.com:13000 "GET /v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks HTTP/1.1" 200 159
  RESP: [200] Date: Wed, 27 Jun 2018 19:46:33 GMT Server: Apache Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-0d425ee0-e947-4cfe-b1ad-e4fe3e400263 Content-Encoding: gzip Content-Length: 159 Content-Type: application/json
  RESP BODY: {"users": [], "links": {"self": "https://example.com:13000/v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks", "previous": null, "next": null}}

Revision history for this message
wangxiyuan (wangxiyuan) wrote :

I'm using the master branch and deployed a K2K env, but I can't reproduce it. Here are my steps and env:

http://paste.openstack.org/show/724472/

Revision history for this message
Adam Young (ayoung) wrote :

K2K does not work through Federated mapping, so I would expect that to work. Try using SAML and an external IdP.

Revision history for this message
Lars Kellogg-Stedman (larsks) wrote :

A federated user has an entry in the 'federated_users' table and in the 'users' table. On the other hand, in keystone.identity.backends.sql.get_user_by_name we only look up names in the local_user table (https://github.com/openstack/keystone/blob/589152d094b248da81dc88db2449fb560985ae8b/keystone/identity/backends/sql.py#L191):

    # Imports used by keystone/identity/backends/sql.py, added here so the
    # excerpt reads in context; get_user_by_name is a method of the SQL
    # identity driver class in that module.
    import sqlalchemy

    from keystone.common import sql
    from keystone import exception
    from keystone.identity.backends import base
    from keystone.identity.backends import sql_model as model

    def get_user_by_name(self, user_name, domain_id):
        with sql.session_for_read() as session:
            # Inner join to local_user: a user row that only has a
            # federated_user row is dropped from the result set here.
            query = session.query(model.User).join(model.LocalUser)
            query = query.filter(sqlalchemy.and_(
                model.LocalUser.name == user_name,
                model.LocalUser.domain_id == domain_id))
            try:
                user_ref = query.one()
            except sql.NotFound:
                raise exception.UserNotFound(user_id=user_name)
            return base.filter_user(user_ref.to_dict())

This will never match for a federated user.
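To make the join problem concrete, here is an added illustration that is not keystone's own code or schema: a reduced, constructed copy of the user, local_user and federated_user tables in stdlib sqlite3, with a local user and a federated user. The local_user-only join finds the local user but returns nothing for the federated one; the second lookup, which outer-joins both tables, is only an illustration of the join semantics and not the change keystone adopted.

```python
import sqlite3

# Constructed, reduced approximation of keystone's user tables, not the real schema.
SCHEMA = """
CREATE TABLE user (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL);
CREATE TABLE local_user (user_id TEXT, domain_id TEXT NOT NULL, name TEXT NOT NULL);
CREATE TABLE federated_user (user_id TEXT, idp_id TEXT NOT NULL, protocol_id TEXT NOT NULL,
                             unique_id TEXT NOT NULL, display_name TEXT);
"""
LOCAL_DOMAIN = "2b47931027ef4b9e914ab158ef77ae07"  # 'testdomain' from the report
IDP_DOMAIN = "6657bdf192594898a1b9b846296c5141"    # auto-generated IdP domain
FED_USER_ID = "428641fc53664e3ba66bd52ff64ce37e"   # 'larsks' from the report
# Constructed sample rows: one local user, one federated user (no local_user row).
SAMPLE = [
    ("INSERT INTO user VALUES (?, ?)", ("local-1", LOCAL_DOMAIN)),
    ("INSERT INTO local_user VALUES (?, ?, ?)", ("local-1", LOCAL_DOMAIN, "testuser")),
    ("INSERT INTO user VALUES (?, ?)", (FED_USER_ID, IDP_DOMAIN)),
    ("INSERT INTO federated_user VALUES (?, ?, ?, ?, ?)",
     (FED_USER_ID, "myidp", "saml2", "larsks", "larsks")),
]

def build_db():
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, params in SAMPLE:
        conn.execute(stmt, params)
    return conn

def get_user_by_name_local_only(conn, name, domain_id):
    """Same shape as the quoted query: user INNER JOIN local_user, so a user
    with no local_user row can never be returned."""
    row = conn.execute(
        "SELECT user.id FROM user JOIN local_user ON local_user.user_id = user.id "
        "WHERE local_user.name = ? AND local_user.domain_id = ?",
        (name, domain_id)).fetchone()
    return row[0] if row else None

def get_user_by_name_any(conn, name, domain_id):
    """Illustrative alternative (not keystone's actual change): outer-join both
    tables so a federated user's display_name in the domain can match too."""
    row = conn.execute(
        "SELECT user.id FROM user "
        "LEFT JOIN local_user ON local_user.user_id = user.id "
        "LEFT JOIN federated_user ON federated_user.user_id = user.id "
        "WHERE user.domain_id = ? "
        "AND (local_user.name = ? OR federated_user.display_name = ?)",
        (domain_id, name, name)).fetchone()
    return row[0] if row else None
```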

Revision history for this message
wangxiyuan (wangxiyuan) wrote :

@Adam, still can't reproduce using testshib as IdP: http://paste.openstack.org/show/724506/

@Lars, the request GET /v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks won't go to the code you pointed to.
It's here: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L1061

I just remembered I had a fix for "list users with name": https://review.openstack.org/#/c/529914 in Queens.
Does your keystone code contain this fix?

Changed in keystone:
status: Confirmed → Incomplete
importance: Medium → Undecided
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired