2019-02-04 21:49:44 |
Lance Bragstad |
description |
Using using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and the we'll see a traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'
Steps to reproduce the problem:
1) Set up X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html
2) Create an ephemeral user mapping. i.e.
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "ephemeral"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "SSL_CLIENT_S_DN_CN"
            },
            {
                "type": "SSL_CLIENT_S_DN_O"
            }
        ]
    }
]
3) Use curl to test a keystone API. For example,
curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075 |
Using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and then we'll see a traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'
Steps to reproduce the problem:
1) Set up X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html
2) Create an ephemeral user mapping. i.e.
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "ephemeral"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "SSL_CLIENT_S_DN_CN"
            },
            {
                "type": "SSL_CLIENT_S_DN_O"
            }
        ]
    }
]
3) Use curl to test a keystone API. For example,
curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075 |
|
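The failure chain visible in the traceback, modelled with stand-in classes as an added example (not Keystone's code and not part of the bug report): the tokenless auth frame passes `self.assignment_api`, the name lookup for the group's domain calls `get_domain_by_name` on it, and the manager's `__getattr__` forwards that to a driver that does not define it. `Manager`, `Assignment`, `Resource`, `handle_request` and their bodies are hypothetical; only the method and attribute names shown in the traceback are taken from the page.

```python
# Stand-in model of the call chain in the traceback. Class bodies and sample
# data are constructed for illustration; they are not Keystone's implementation.


class Manager:
    """Forwards unknown attributes to its driver, like the manager.py frame."""

    def __init__(self, driver):
        self.driver = driver

    def __getattr__(self, name):
        # Only reached for names not found on the manager itself.
        return getattr(self.driver, name)


class Assignment:
    """Assignment driver stand-in: handles role assignments, not domains."""

    def list_role_assignments(self):
        return []


class Resource:
    """Resource driver stand-in: owns domain lookups (constructed data)."""

    _domains = {"Default": {"id": "default", "name": "Default"}}

    def get_domain_by_name(self, name):
        return self._domains[name]


def resolve_domain(domain, resource_api):
    # Mirrors the utils.py frame: a domain given by name needs a backend lookup.
    return resource_api.get_domain_by_name(domain["name"])["id"]


def handle_request(group, api):
    """Return the HTTP status a client would see for this group mapping."""
    try:
        resolve_domain(group["domain"], api)
        return 200
    except AttributeError:
        # An unhandled exception in the auth middleware surfaces as HTTP 500.
        return 500


# The "group" entry from the mapping in the reproduction steps.
GROUP = {"name": "admin", "domain": {"name": "Default"}}
```

Calling `handle_request(GROUP, Manager(Assignment()))` yields 500, while the same group resolved through `Manager(Resource())` yields 200, which is why the error only appears once a mapping names a group by domain name.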