Activity log for bug #1814589

Date Who What changed Old value New value Message
2019-02-04 21:12:50 Guang Yee bug added bug
2019-02-04 21:13:11 Guang Yee tags x509
2019-02-04 21:40:21 OpenStack Infra keystone: status New In Progress
2019-02-04 21:40:21 OpenStack Infra keystone: assignee Guang Yee (guang-yee)
2019-02-04 21:49:44 Lance Bragstad description

Old value:

Using using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and the we'll see a traceback similar to this in the logs.

    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Setup X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping. i.e.

    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}",
                        "domain": {
                            "name": "{1}"
                        },
                        "type": "ephemeral"
                    },
                    "group": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "admin"
                    }
                }
            ],
            "remote": [
                {
                    "type": "SSL_CLIENT_S_DN_CN"
                },
                {
                    "type": "SSL_CLIENT_S_DN_O"
                }
            ]
        }
    ]

3. Use curl to test a keystone API. For example,

    curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075

New value:

Using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and then we'll see a traceback similar to this in the logs.

    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
    Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Setup X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping. i.e.

    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}",
                        "domain": {
                            "name": "{1}"
                        },
                        "type": "ephemeral"
                    },
                    "group": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "admin"
                    }
                }
            ],
            "remote": [
                {
                    "type": "SSL_CLIENT_S_DN_CN"
                },
                {
                    "type": "SSL_CLIENT_S_DN_O"
                }
            ]
        }
    ]

3. Use curl to test a keystone API. For example,

    curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075

2019-02-05 18:47:30 Lance Bragstad keystone: importance Undecided High
2019-02-15 23:06:44 OpenStack Infra keystone: status In Progress Fix Released
2019-02-16 12:18:09 Colleen Murphy keystone: milestone stein-3