When using an ephemeral user mapping for X.509 tokenless auth, the Keystone service will return an HTTP 500 internal error and we'll see a traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'
Steps to reproduce the problem:
1) Set up X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html
2) Create an ephemeral user mapping. i.e.
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "ephemeral"
                }
            },
            {
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "SSL_CLIENT_S_DN_CN"
            },
            {
                "type": "SSL_CLIENT_S_DN_O"
            }
        ]
    }
]
3) Use curl to test a keystone API. For example,
curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075
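
The failure the traceback points to, reduced to a stand-alone model (an added example, not Keystone code and not part of the original report): `get_mapped_user` hands `self.assignment_api` to a function whose inner `resolve_domain` calls `get_domain_by_name` on it, and the manager's `__getattr__` forwards the lookup to a driver that has no such method. `Manager`, the three driver classes, `transform_to_group_ids_model` and `try_mapping` are hypothetical stand-ins, and the domain and group data are constructed.

```python
class Manager:
    """Stand-in for a manager object: unknown attributes go to the driver."""
    def __init__(self, driver):
        self.driver = driver

    def __getattr__(self, name):
        # Same delegation as the last frame of the traceback.
        return getattr(self.driver, name)


class Assignment:
    """Hypothetical assignment driver: it has no domain lookups."""
    def list_role_assignments(self):
        return []


class Resource:
    """Hypothetical resource driver holding constructed domain data."""
    def get_domain_by_name(self, name):
        return {"Default": {"id": "default", "name": "Default"}}[name]


class Identity:
    """Hypothetical identity driver returning a constructed group id."""
    def get_group_by_name(self, name, domain_id):
        return {"id": f"{domain_id}:{name}"}


def transform_to_group_ids_model(groups, identity_api, resource_api):
    """Simplified model of the call chain shown in the traceback."""
    def resolve_domain(domain):
        return resource_api.get_domain_by_name(domain["name"])["id"]
    return [identity_api.get_group_by_name(g["name"],
                                           resolve_domain(g["domain"]))["id"]
            for g in groups]


def try_mapping(groups, second_api):
    """Return the group ids, or the error that surfaces as an HTTP 500."""
    try:
        return transform_to_group_ids_model(groups, Manager(Identity()), second_api)
    except AttributeError as exc:
        return f"HTTP 500: {exc}"


# The "group" rule from the mapping in step 2 (group and domain both by name).
GROUPS = [{"name": "admin", "domain": {"name": "Default"}}]

print(try_mapping(GROUPS, Manager(Assignment())))  # what the traceback shows
print(try_mapping(GROUPS, Manager(Resource())))    # manager that has the method
```
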