As far as I can tell, this problem seems to impact stable/queens and master (Rocky) only. It does NOT seem to impact the older branches. My assessment was based on devstack with federation enabled, i.e.

# only enable the services we care about
disable_all_services
enable_plugin keystone git://git.openstack.org/openstack/keystone.git stable/pike
enable_service mysql rabbit keystone keystone-saml2-federation
KEYSTONE_ENABLE_MOD_WSGI=True
KEYSTONE_BRANCH=stable/pike

I set up K2K federation with the same instance acting as both IdP and SP. btw, keystone-saml2-federation does not support this configuration so I had to do some manual work. Devstack was deployed in a vagrant so each branch was deployed in a fresh vagrant. So far I tested the following branches:

newton-eol
stable/ocata
stable/pike
stable/queens
master

Here's what I found.

1. The problem does NOT impact the federated tokens. Using a federated token, the /v3/OS-FEDERATION/projects API correctly returns the 'federated_project' in the 'federated_domain' only. This is true for ALL the branches.

2. Using a local user token (i.e. demo/demo), the /v3/OS-FEDERATION/projects API will return ALL the projects for all the domains in stable/queens and master only, regardless of the user's group membership. stable/pike and older branches are NOT impacted. With those branches, the user will get an HTTP 500 Internal Server Error from the API and something similar to this in the keystone logs.

Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi #033[01;35m#033[00m File "/opt/stack/keystone/keystone/federation/controllers.py", line 472, in list_projects_for_user
Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi #033[01;35m#033[00m request.auth_context['group_ids'])
Aug 1 11:18:27 ubuntu <email address hidden>[19553]: ERROR keystone.common.wsgi #033[01;35m#033[00mKeyError: 'group_ids'
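As an added illustration, not keystone's code and not part of the bug comment above, the following simplified Python model shows the three behaviours the comment reports for a local (non-federated) token: the KeyError on 'group_ids' on older branches, the over-broad listing on queens/master, and a scoped fallback that filters by the caller's real group membership instead. The project data, group memberships, auth contexts and function names are constructed assumptions.

```python
"""Simplified model of list_projects_for_user behaviours (not keystone's code)."""
from typing import Dict, List, Set

# Constructed sample data: projects with their domain and the groups assigned to them.
PROJECTS: Dict[str, dict] = {
    "federated_project": {"domain_id": "federated_domain", "group_ids": {"federated_group"}},
    "demo_project": {"domain_id": "default", "group_ids": {"demo_group"}},
    "admin_project": {"domain_id": "default", "group_ids": {"admin_group"}},
}

# Constructed group membership for local users (what an identity backend would return).
USER_GROUPS: Dict[str, Set[str]] = {"demo": {"demo_group"}}


def list_projects_old(auth_context: dict) -> List[str]:
    """Modelled pike-and-older behaviour: indexes 'group_ids' directly, so a
    local token (which carries no such key) raises KeyError -> HTTP 500."""
    groups = set(auth_context["group_ids"])
    return sorted(p for p, v in PROJECTS.items() if v["group_ids"] & groups)


def list_projects_queens(auth_context: dict) -> List[str]:
    """Modelled queens/master behaviour: a missing 'group_ids' is treated as
    'no filter', so a local user is shown every project in every domain."""
    groups = auth_context.get("group_ids")
    if not groups:
        return sorted(PROJECTS)
    return sorted(p for p, v in PROJECTS.items() if v["group_ids"] & set(groups))


def list_projects_scoped(auth_context: dict) -> List[str]:
    """Hardened model: with no federation group list on the token, fall back to
    the caller's actual group membership rather than dropping the filter."""
    groups = auth_context.get("group_ids")
    if groups is None:
        groups = USER_GROUPS.get(auth_context["user_id"], set())
    groups = set(groups)
    return sorted(p for p, v in PROJECTS.items() if v["group_ids"] & groups)


def old_behaviour_raises(auth_context: dict) -> bool:
    """True if the old code path fails with KeyError for this context."""
    try:
        list_projects_old(auth_context)
    except KeyError:
        return True
    return False


FEDERATED_CTX = {"user_id": "fed_user", "group_ids": ["federated_group"]}
LOCAL_CTX = {"user_id": "demo"}  # local token: no 'group_ids' key, as in the traceback
```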