2016-08-30 14:50:16 |
Stanislav Kolenkin |
bug |
|
|
added bug |
2016-08-30 14:57:24 |
Serg Lystopad |
description |
MOS 9
To configure OpenID Connect identity provider for we should create mapping.
If mapping local property of mapping doesn't contain user element Keystone fails with trace <example trace above> + attach the log file to the case
Example of a non-working mapping
If we use <example of a working mapping>
authentication succeeds
expected result
If keystone expects user attribute in mapping and can't find it, it must issue an error instead of silently failing with TRACE:
<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_prope
With this JSON mapping, authorization does not work:
cat google_mapping.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
With this JSON mapping, authorization works:
cat google_mapping2.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
},
"user": {
"id": "{0}",
"name": "{1}",
"email": "{2}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_SUB"
},
{
"type": "HTTP_OIDC_NAME"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x |
MOS 9
To configure OpenID Connect identity provider for we should create mapping.
If local property of mapping doesn't contain user element, Keystone fails with trace
cat google_mapping.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_prope
If we use mapping with user property (as shown below) authentication succeeds.
cat google_mapping2.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
},
"user": {
"id": "{0}",
"name": "{1}",
"email": "{2}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_SUB"
},
{
"type": "HTTP_OIDC_NAME"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
EXPECTED RESULT:
If keystone expects user attribute in mapping and can't find it, it must issue an error message instead of silently failing with TRACE:
ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x |
|
2016-08-30 14:58:00 |
Serg Lystopad |
description |
MOS 9
To configure OpenID Connect identity provider for we should create mapping.
If local property of mapping doesn't contain user element, Keystone fails with trace
cat google_mapping.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_prope
If we use mapping with user property (as shown below) authentication succeeds.
cat google_mapping2.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
},
"user": {
"id": "{0}",
"name": "{1}",
"email": "{2}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_SUB"
},
{
"type": "HTTP_OIDC_NAME"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
EXPECTED RESULT:
If keystone expects user attribute in mapping and can't find it, it must issue an error message instead of silently failing with TRACE:
ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x |
MOS 9
To configure OpenID Connect identity provider for we should create mapping.
If local property of mapping doesn't contain user element, Keystone fails with trace
cat google_mapping.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_prope
If we use mapping with user property (as shown below) authentication succeeds.
cat google_mapping2.json
[
{
"local": [
{
"group": {
"id": "fbc6bd1e7c664a6c81db19ec71587ec5"
},
"user": {
"id": "{0}",
"name": "{1}",
"email": "{2}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_SUB"
},
{
"type": "HTTP_OIDC_NAME"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.google.com"
]
}
]
}
]
EXPECTED RESULT:
If keystone expects user attribute in mapping and can't find it, it must issue an error message instead of silently failing with TRACE.
PACKAGES USED:
ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x |
|
2016-08-30 14:58:13 |
Serg Lystopad |
summary |
Keystone OpenID Connect authentication fails if local property of mapping doesn't contain `user` element. |
[keystone] Keystone OpenID Connect authentication fails if local property of mapping doesn't contain `user` element. |
|
2016-08-30 15:01:15 |
Stanislav Kolenkin |
mos: assignee |
|
MOS Keystone (mos-keystone) |
|
2016-08-31 13:11:29 |
Vitaly Sedelnik |
mos: importance |
Undecided |
Medium |
|
2016-08-31 13:11:32 |
Vitaly Sedelnik |
mos: status |
New |
Confirmed |
|
2016-08-31 13:11:36 |
Vitaly Sedelnik |
mos: milestone |
|
9.2 |
|
2016-08-31 13:11:47 |
Vitaly Sedelnik |
tags |
|
area-keystone |
|
2017-02-03 11:44:18 |
Roman Vyalov |
mos/9.x: milestone |
9.2 |
9.x-updates |
|
2017-03-12 11:29:35 |
Andres Toomsalu |
bug |
|
|
added subscriber Andres Toomsalu |
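A pre-flight check for the mapping failure recorded in this log, as an added example that is not Keystone's code and not part of the report: it flags a rule whose `local` section has no `user` element (the condition that produced the `'name'` trace on the reported version) before the mapping is loaded. The names `check_mapping`, `BROKEN` and `WORKING` are hypothetical, and the `{N}` placeholder check assumes that only `remote` entries without `any_one_of`/`not_any_of` supply placeholder values.

```python
import json
import re

PLACEHOLDER = re.compile(r"\{(\d+)\}")

# Constructed from the two mappings quoted in the report (whitespace condensed).
BROKEN = json.loads("""[{
  "local": [{"group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"}}],
  "remote": [{"type": "HTTP_OIDC_ISS",
              "any_one_of": ["https://accounts.google.com"]}]}]""")
WORKING = json.loads("""[{
  "local": [{"group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"},
             "user": {"id": "{0}", "name": "{1}", "email": "{2}"}}],
  "remote": [{"type": "HTTP_OIDC_SUB"}, {"type": "HTTP_OIDC_NAME"},
             {"type": "HTTP_OIDC_EMAIL"},
             {"type": "HTTP_OIDC_ISS",
              "any_one_of": ["https://accounts.google.com"]}]}]""")


def _strings(node):
    """Yield every string value nested inside a dict/list structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def check_mapping(rules):
    """Return a list of problems; an empty list means the check passed."""
    problems = []
    for i, rule in enumerate(rules):
        local = rule.get("local", [])
        remote = rule.get("remote", [])
        # The condition from the report: no 'user' element in 'local'.
        if not any("user" in entry for entry in local):
            problems.append("rule %d: no 'user' element in 'local'" % i)
        # Assumption: only remote entries without a condition feed {N}.
        direct = [r for r in remote
                  if "any_one_of" not in r and "not_any_of" not in r]
        for text in _strings(local):
            for match in PLACEHOLDER.finditer(text):
                if int(match.group(1)) >= len(direct):
                    problems.append("rule %d: %s has no matching remote entry"
                                    % (i, match.group(0)))
    return problems
```

Run against `google_mapping.json` from the report, this returns a one-line error naming the missing element, which is the behaviour the report asks Keystone to provide instead of a traceback.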