Groups mapped to projects that do not exist in OpenStack breaks WebSSO

Bug #1789450 reported by Steven Relf on 2018-08-28
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Vishakha Agarwal

Bug Description

I have come across an issue when using webSSO/Federation.

We are using Keycloak as an SP, in which our users exist. These users have multiple groups, some of which are OpenStack-specific and some of which are not.

These users and groups are being mapped as ephemeral users, and I'm using groups to match to projects.

The issue occurs if a user has a group that does not map to a project in OpenStack, at which point an exception is raised and the WebSSO login blows up with a 500 message.

The offending line is line 347 in keystone/federation/utils.py

A quick fix would be to remove the exception from being raised, and just log to file.

Or filter the projects based on the groups passed in.

Steven Relf (srelf) on 2018-08-28
summary: - Groups that do not exist in the backend break webSSO
+ Groups mapped to projects that do not exist in OpenStack breaks WebSSO
Steven Relf (srelf) wrote :

Looks like this is a reversion. As it looks like it was fixed way back in 2015

https://bugs.launchpad.net/keystone/+bug/1429334

but it looks to have been reverted.

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.openstack.org/597992

Changed in keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/597992
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee46f735359cb5381024a7dfa3f2b297badc6247
Submitter: Zuul
Branch: master

commit ee46f735359cb5381024a7dfa3f2b297badc6247
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name not matches thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
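
The failure described in the report and the change described in the commit message, as a simplified model added here (not keystone's code; the function names, the backend dictionary, the sample groups and the 401 for an empty result are assumptions of this example):

```python
import logging

LOG = logging.getLogger("federation_example")

class MappedGroupNotFound(Exception):
    """Hypothetical error for an asserted group with no backend entry."""

# Constructed sample data: groups known to the identity backend, keyed by
# (domain, group name), and the groups the IdP asserted for one user.
BACKEND_GROUPS = {("Default", "openstack-dev"): "g-101",
                  ("Default", "openstack-ops"): "g-102"}
ASSERTED = [{"name": "openstack-dev", "domain": "Default"},
            {"name": "hr-mailing-list", "domain": "Default"}]

def resolve_strict(asserted, backend=BACKEND_GROUPS):
    """Behaviour from the report: one unknown group aborts the whole login."""
    ids = []
    for group in asserted:
        key = (group["domain"], group["name"])
        if key not in backend:
            raise MappedGroupNotFound(group["name"])
        ids.append(backend[key])
    return ids

def resolve_tolerant(asserted, backend=BACKEND_GROUPS):
    """Behaviour after the fix: log the unknown group and leave it out."""
    ids = []
    for group in asserted:
        group_id = backend.get((group["domain"], group["name"]))
        if group_id is None:
            # Skipping grants nothing: only groups that exist are returned.
            LOG.debug("Group %s has no entry in the backend", group["name"])
            continue
        ids.append(group_id)
    return ids

def websso_login(resolver, asserted):
    """Return (HTTP status, group ids) the way a login handler would."""
    try:
        ids = resolver(asserted)
    except Exception:  # unhandled in the handler -> generic server error
        return 500, []
    if not ids:
        return 401, []  # assumption: fail closed when nothing resolves
    return 200, ids
```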

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/604829
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6bc81fec24f20da677c9979fcf380c777894df31
Submitter: Zuul
Branch: stable/rocky

commit 6bc81fec24f20da677c9979fcf380c777894df31
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name not matches thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

tags: added: in-stable-rocky
tags: added: in-stable-queens

Reviewed: https://review.openstack.org/604830
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4e48ef3a149df81aa563d894cc6eb78f536edb8
Submitter: Zuul
Branch: stable/queens

commit c4e48ef3a149df81aa563d894cc6eb78f536edb8
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name not matches thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

tags: added: in-stable-pike

Reviewed: https://review.openstack.org/604861
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a09ba6906573432ec0b7bd4ec0522caf06dc3b8c
Submitter: Zuul
Branch: stable/pike

commit a09ba6906573432ec0b7bd4ec0522caf06dc3b8c
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name not matches thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

This issue was fixed in the openstack/keystone 13.0.2 release.

This issue was fixed in the openstack/keystone 12.0.2 release.

This issue was fixed in the openstack/keystone 14.0.1 release.
