Tokenless auth: ephemeral user mapping is broken

Bug #1814589 reported by Guang Yee on 2019-02-04
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Guang Yee
Milestone: stein-3

Bug Description

When using an ephemeral user mapping for X.509 tokenless auth, the Keystone service returns an HTTP 500 internal error and a traceback similar to this appears in the logs.

Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Set up X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping, i.e.:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "ephemeral"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "SSL_CLIENT_S_DN_CN"
            },
            {
                "type": "SSL_CLIENT_S_DN_O"
            }
        ]
    }
]

3) Use curl to test a Keystone API, for example:

curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075

Guang Yee (guang-yee) on 2019-02-04
tags: added: x509

Fix proposed to branch: master
Review: https://review.openstack.org/634816

Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
status: New → In Progress
description: updated
Guang Yee (guang-yee) wrote :

This problem only occurs when we use group name in the local user mapping.

Guang Yee (guang-yee) wrote :

Correction: the problem only occurs when we use a domain name for the group in the mapping, i.e.:

...
'local': [
    {
        'user': {
            'name': '{0}',
            'type': 'ephemeral'
        },
        'group': {
            'name': 'foo',
            'domain': {
                'name': 'bar'
            }
        }
    }
],
...
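
A quick check an operator can run over a mapping rules file before enabling tokenless auth on a release without this fix: it flags every local group entry that references its domain by name, the form the comments above identify as the trigger. This is an added example, not code from the bug report or from keystone; the sample rules are constructed after the mappings posted in this thread.

```python
import json

# Constructed sample rules modelled on the mapping posted in this report: an
# ephemeral user plus a group whose domain is referenced by name (the
# combination the comments identify as the trigger for the HTTP 500).
RULES_GROUP_DOMAIN_BY_NAME = json.loads("""
[{"local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}, "type": "ephemeral"},
             "group": {"domain": {"name": "Default"}, "name": "admin"}}],
  "remote": [{"type": "SSL_CLIENT_S_DN_CN"}, {"type": "SSL_CLIENT_S_DN_O"}]}]
""")

# Same mapping, but the group's domain is referenced by id (constructed
# variant; the report only describes the by-name form as failing).
RULES_GROUP_DOMAIN_BY_ID = json.loads("""
[{"local": [{"user": {"name": "{0}", "type": "ephemeral"},
             "group": {"domain": {"id": "default"}, "name": "admin"}}],
  "remote": [{"type": "SSL_CLIENT_S_DN_CN"}]}]
""")


def find_group_domain_name_refs(rules):
    """Return one (rule_index, local_index, group_name, domain_name) tuple for
    every 'group' entry in a rule's 'local' list that names its domain instead
    of giving its id. On keystone releases before 15.0.0.0rc1 such a rule makes
    tokenless X.509 auth fail with HTTP 500 (see the traceback above)."""
    findings = []
    for r_idx, rule in enumerate(rules):
        for l_idx, local in enumerate(rule.get("local", [])):
            group = local.get("group")
            if not isinstance(group, dict):
                continue
            domain = group.get("domain")
            if isinstance(domain, dict) and "name" in domain and "id" not in domain:
                findings.append((r_idx, l_idx, group.get("name"), domain["name"]))
    return findings


def lint_mapping_file(path):
    """Load a mapping rules file (the JSON list format shown in step 2) and
    return the findings; an empty list means no rule matches the trigger."""
    with open(path) as fh:
        return find_group_domain_name_refs(json.load(fh))


if __name__ == "__main__":
    for label, rules in (("by-name", RULES_GROUP_DOMAIN_BY_NAME),
                         ("by-id", RULES_GROUP_DOMAIN_BY_ID)):
        for r_idx, l_idx, group, domain in find_group_domain_name_refs(rules):
            print(f"{label}: rule {r_idx} local[{l_idx}] group {group!r} "
                  f"references domain {domain!r} by name")
```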

Changed in keystone:
importance: Undecided → High

Reviewed: https://review.openstack.org/634816
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=505fe204795330c12bc00fce3510902a5b59457d
Submitter: Zuul
Branch: master

commit 505fe204795330c12bc00fce3510902a5b59457d
Author: Guang Yee <email address hidden>
Date: Mon Feb 4 13:27:05 2019 -0800

    Fixes incorrect params

    Fixes incorrect parameters passed into
    keystone.federation.utils.transform_to_group_ids() which resulted
    in HTTP 500 internal error.

    Added an additional test case to test mapping with group domain name
    in it as this scenario was never tested before.

    Change-Id: I4112e5968cd0d52444b686a3777da56203ae95ad
    Closes-Bug: 1814589

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-02-16
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
