OpenStack Identity (keystone)

Bug #1814589
Comment #0

Comment 0 for bug 1814589

Revision history for this message

Guang Yee (guang-yee) wrote on 2019-02-04:

Using using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and the we'll see a traceback similar to this in the logs.

Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp <email address hidden>[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Setup X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping. i.e.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                     "domain": {
                         "name": "{1}"
                     },
                     "type": "ephemeral"
                 },
   "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
             }
         ],
         "remote": [
             {
                 "type": "SSL_CLIENT_S_DN_CN"
             },
             {
                 "type": "SSL_CLIENT_S_DN_O"
             }
        ]
    }
]

3. Use curl to test a keystone API. For example,

curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075

Using using an ephemeral user mapping for X.509 tokenless auth, Keystone service will return an HTTP 500 internal error and the we'll see a traceback similar to this in the logs.

Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Setup X.509 tokenless auth per https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping. i.e.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                     "domain": {
                         "name": "{1}"
                     },
                     "type": "ephemeral"
                 },
		 "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
             }
         ],
         "remote": [
             {
                 "type": "SSL_CLIENT_S_DN_CN"
             },
             {
                 "type": "SSL_CLIENT_S_DN_O"
             }
        ]
    }
]

3. Use curl to test a keystone API. For example,