Groups mapped to projects that do not exist in OpenStack breaks WebSSO

Bug #1789450 reported by Steven Relf
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Vishakha Agarwal

Bug Description

I have come across an issue when using webSSO/Federation.

We are using Keycloak as an SP, in which our users exist. These users have multiple groups, some of which are OpenStack specific and some which are not.

These users and groups are being mapped as ephemeral users, and I'm using groups to match to projects.

The issue occurs if a user has a group that does not map to a project in OpenStack, at which point an exception is raised and the websso login blows up with a 500 message.

The offending line is line 347 in keystone/federation/utils.py

A quick fix would be to remove the exception from being raised, and just log to file.

Or filter the projects based on the groups passed in.

Steven Relf (srelf)
summary: - Groups that do not exist in the backend break webSSO
+ Groups mapped to projects that do not exist in OpenStack breaks WebSSO
Steven Relf (srelf) wrote :

Looks like this is a reversion. As it looks like it was fixed way back in 2015

https://bugs.launchpad.net/keystone/+bug/1429334

but it looks to have been reverted.

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/597992

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/597992
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee46f735359cb5381024a7dfa3f2b297badc6247
Submitter: Zuul
Branch: master

commit ee46f735359cb5381024a7dfa3f2b297badc6247
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name does not match, thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450

Changed in keystone:
status: In Progress → Fix Released
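
The failure and the fix described in this report, modelled as an added example (not Keystone's code and not part of the original report; `resolve_group_ids`, `login_outcome`, `UnknownMappedGroup` and the sample groups are hypothetical). The strict path turns one unmapped identity-provider group into a failed login, while the tolerant path logs it and grants nothing for it.

```python
import logging

LOG = logging.getLogger("federation_example")

# Constructed sample data: local groups keyed by (domain, name) -> group id.
LOCAL_GROUPS = {
    ("Default", "openstack-dev"): "g-101",
    ("Default", "openstack-ops"): "g-102",
}
# Constructed mapping output for one federated user; "hr-staff" exists only
# at the identity provider and has no local counterpart.
MAPPED_GROUPS = [
    {"name": "openstack-dev", "domain": "Default"},
    {"name": "hr-staff", "domain": "Default"},
    {"name": "openstack-ops", "domain": "Default"},
]


class UnknownMappedGroup(Exception):
    """Hypothetical error: a mapped group has no local counterpart."""


def resolve_group_ids(mapped_groups, local_groups, strict=False):
    """Return (resolved_ids, skipped_names) for the groups a mapping produced.

    strict=True models the reported failure (first unknown group aborts the
    login); strict=False logs the unknown group and grants nothing for it.
    """
    resolved, skipped = [], []
    for group in mapped_groups:
        group_id = local_groups.get((group["domain"], group["name"]))
        if group_id is None:
            if strict:
                raise UnknownMappedGroup(group["name"])
            LOG.warning("Skipping mapped group %r: not found in domain %r",
                        group["name"], group["domain"])
            skipped.append(group["name"])
            continue
        resolved.append(group_id)
    return resolved, skipped


def login_outcome(mapped_groups, local_groups, strict):
    """Model the caller: the lookup error ends the login with HTTP 500."""
    try:
        ids, _ = resolve_group_ids(mapped_groups, local_groups, strict)
    except UnknownMappedGroup:
        return 500, []
    return 200, ids
```

The skipped names are returned as well as logged, so an operator can see which identity-provider groups have no local match.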
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/604829

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/604830

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/604861

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/604829
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6bc81fec24f20da677c9979fcf380c777894df31
Submitter: Zuul
Branch: stable/rocky

commit 6bc81fec24f20da677c9979fcf380c777894df31
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name does not match, thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

tags: added: in-stable-rocky
tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens)

Reviewed: https://review.openstack.org/604830
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4e48ef3a149df81aa563d894cc6eb78f536edb8
Submitter: Zuul
Branch: stable/queens

commit c4e48ef3a149df81aa563d894cc6eb78f536edb8
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name does not match, thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/pike)

Reviewed: https://review.openstack.org/604861
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a09ba6906573432ec0b7bd4ec0522caf06dc3b8c
Submitter: Zuul
Branch: stable/pike

commit a09ba6906573432ec0b7bd4ec0522caf06dc3b8c
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO

    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name does not match, thus replacing
    that with a log.

    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450
    (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.2

This issue was fixed in the openstack/keystone 13.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.2

This issue was fixed in the openstack/keystone 12.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.1

This issue was fixed in the openstack/keystone 14.0.1 release.

Changed in keystone:
milestone: none → stein-1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
