Tokenless authentication is broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Guang Yee |
Bug Description
When trying to use tokenless authentication, authentication fails with the following traceback:
http://
git bisect shows this is the commit that introduced the bug: 0dc5c4edabd5cb0
Steps to reproduce:
(You can start out by configuring devstack with the tls-proxy service to have devstack generate a root CA, but then you need to remove the default proxy configuration in /etc/apache2/
Configure keystone behind Apache with mod_ssl and the following mod_ssl options:
<VirtualHost *:443>
SSLEngine On
SSLCertific
SSLCACertif
# export the SSL_CLIENT_* variables (issuer DN, subject DN, ...) to keystone
SSLOptions +StdEnvVars
# request a client certificate but do not require one
SSLVerifyClient optional
# REMOTE_USER becomes the CN of the client certificate
SSLUserName SSL_CLIENT_S_DN_CN
# read by keystone's external Domain auth plugin
SetEnv REMOTE_DOMAIN openstack
</VirtualHost>
In keystone.conf set up external authentication and tokenless auth:
[tokenless_auth]
# issuer DN(s) of client certificates keystone accepts (truncated in the original report)
trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,
[auth]
methods = password,
# external.Domain plugin: user from REMOTE_USER, domain from REMOTE_DOMAIN
external = Domain
Create a client certificate with the example user values from the tokenless auth docs, signed by the root CA:
$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
$ openssl x509 -req -in CSR.csr -CA /opt/stack/
Create the IdP, mapping and protocol:
$ openstack identity provider create ad9b5af1ba36ffc
$ openstack mapping create x509map --rules rules.json
$ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc
Create a local user with role assignments:
$ openstack domain create openstack
$ openstack user create john --domain openstack
$ openstack role add --user john --user-domain openstack --project demo member
Get a token for the user:
$ curl -v -k -s -X POST --cert john.pem --key privateKey.key -H "x-project-name: demo" -H "x-project-
Try to validate the token with tokenless auth (as in the documented example):
$ curl -v -k -s -X GET --cert /home/devuser/
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: x509
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
milestone: none → stein-3
I was able to verify this locally. The only difference I noticed was in the second to last step, where you're able to get what appears to be a scoped token using a certificate. When I do this, I always get back an unscoped token regardless of the headers I pass in [0] (e.g., x-project-id or x-project-name + x-project-domain-id). This could be a separate issue though, and something I was talking to gyee about today in IRC [1].
Otherwise - when I try and validate the unscoped token from the last step, I do see the 500.
[0] https://pasted.tech/pastes/c79647db136625ea6a2ad38c767162e7fcd2d831.raw
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-01-23.log.html#t2019-01-23T21:32:29