[keystone] Keystone OpenID Connect authentication fails if local property of mapping doesn't contain `user` element.

Bug #1618499 reported by Stanislav Kolenkin
This bug affects 3 people
Affects             Status     Importance  Assigned to   Milestone
Mirantis OpenStack  Confirmed  Medium      MOS Keystone
9.x                 Confirmed  Medium      MOS Keystone

Bug Description

MOS 9

To configure an OpenID Connect identity provider, we should create a mapping.

If the local property of the mapping doesn't contain a user element, Keystone fails with a trace:

cat google_mapping.json
[
  {
    "local": [
      {
        "group": {
          "id": "fbc6bd1e7c664a6c81db19ec71587ec5"
        }
      }
    ],
    "remote": [
      {
        "type": "HTTP_OIDC_ISS",
        "any_one_of": [
          "https://accounts.google.com"
        ]
      }
    ]
  }
]

<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_prope

If we use a mapping with a user property (as shown below), authentication succeeds.

cat google_mapping2.json
[
    {
        "local": [
            {
                "group": {
                    "id": "fbc6bd1e7c664a6c81db19ec71587ec5"
                },
                "user": {
                    "id": "{0}",
                    "name": "{1}",
                    "email": "{2}"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_NAME"
            },
            {
                "type": "HTTP_OIDC_EMAIL"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://accounts.google.com"
                ]
            }
        ]
    }
]

EXPECTED RESULT:
If Keystone expects a user attribute in the mapping and can't find it, it must issue an error message instead of silently failing with a trace.

PACKAGES USED:
ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x
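
The following pre-flight check is an added example, not code from Keystone or from the reporter. It lints a federation mapping before it is uploaded so that a mapping like google_mapping.json above is rejected with a readable message rather than a KeyError at login time. The rules it applies are its own assumptions: at least one rule's "local" section must define a "user" with "name" or "id", and every "{n}" placeholder must refer to a remote entry that produces a direct-map value (remote entries carrying any_one_of or not_any_of are filters and do not count, which is why "{0}" in google_mapping2.json is HTTP_OIDC_SUB and HTTP_OIDC_ISS has no index). The two mappings embedded below are the ones from the report.

```python
import json
import re

# Remote entries with these keys only filter the assertion; they do not
# produce a "{n}" value for the local section (assumption documented above).
_FILTER_KEYS = ("any_one_of", "not_any_of")
_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def lint_mapping(mapping):
    """Return a list of problems found in a mapping; an empty list means OK.

    Hypothetical pre-flight validation, not Keystone's own mapping schema.
    """
    problems = []
    any_user = False
    for idx, rule in enumerate(mapping):
        local = rule.get("local") or []
        remote = rule.get("remote") or []
        if not local or not remote:
            problems.append("rule %d: 'local' and 'remote' must be non-empty lists" % idx)
            continue
        # Number of remote entries that feed "{0}", "{1}", ... in order.
        direct_maps = sum(1 for r in remote if not any(k in r for k in _FILTER_KEYS))
        for entry in local:
            user = entry.get("user")
            if user is not None:
                if not isinstance(user, dict) or not ("name" in user or "id" in user):
                    problems.append("rule %d: 'user' must contain 'name' or 'id'" % idx)
                else:
                    any_user = True
            # Every placeholder in this local entry must index a direct-map entry.
            for n in _PLACEHOLDER.findall(json.dumps(entry)):
                if int(n) >= direct_maps:
                    problems.append(
                        "rule %d: placeholder {%s} but only %d direct-map remote entries"
                        % (idx, n, direct_maps))
    if not any_user:
        problems.append(
            "no rule defines a local 'user' with 'name' or 'id'; "
            "Keystone cannot build a federated user from this mapping")
    return problems


def lint_file(path):
    """Load a mapping JSON file and lint it."""
    with open(path) as fh:
        return lint_mapping(json.load(fh))


# The two mappings from the bug report, embedded so the check runs offline.
MAPPING_WITHOUT_USER = [
    {
        "local": [{"group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"}}],
        "remote": [{"type": "HTTP_OIDC_ISS",
                    "any_one_of": ["https://accounts.google.com"]}],
    }
]

MAPPING_WITH_USER = [
    {
        "local": [{
            "group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"},
            "user": {"id": "{0}", "name": "{1}", "email": "{2}"},
        }],
        "remote": [
            {"type": "HTTP_OIDC_SUB"},
            {"type": "HTTP_OIDC_NAME"},
            {"type": "HTTP_OIDC_EMAIL"},
            {"type": "HTTP_OIDC_ISS",
             "any_one_of": ["https://accounts.google.com"]},
        ],
    }
]

if __name__ == "__main__":
    for label, mapping in (("google_mapping.json", MAPPING_WITHOUT_USER),
                           ("google_mapping2.json", MAPPING_WITH_USER)):
        print("%s: %s" % (label, lint_mapping(mapping) or "OK"))
```

Run it against a file with lint_file("/path/to/mapping.json") before calling the mapping API; the first mapping yields the "no rule defines a local 'user'" message and the second passes.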

description: updated
description: updated
summary: - Keystone OpenID Connect authentication fails if local property of
- mapping doesn't contain `user` element.
+ [keystone] Keystone OpenID Connect authentication fails if local
+ property of mapping doesn't contain `user` element.
Changed in mos:
assignee: nobody → MOS Keystone (mos-keystone)
Changed in mos:
importance: Undecided → Medium
status: New → Confirmed
milestone: none → 9.2
tags: added: area-keystone