Middleware auth_token fails with scoped federated saml token

Bug #1346820 reported by Mahesh Sawaiker on 2014-07-22
Affects: python-keystoneclient
Status: Fix Released
Importance: Medium
Assigned to: Steve Martinelli
Milestone: 0.11.0

Bug Description

Do the following steps:
1) Set up keystone for federation.
2) Generate an unscoped federated token.
3) Generate a scoped token using the token from step 2.
4) Set up nova/glance to use the keystone v3 API.
5) Try an image list command using the following request:

Request

GET http://sp.machine:9292/v2/images
Headers:
    Content-Type: application/json
    Accept: application/json
    X-Auth-Token: e92a49262a8d403db838d6494e4f9991

6) This will break the auth_token middleware (middleware/auth_token.py) with a KeyError at the following place

            user = token['user']
            user_domain_id = user['domain']['id']
            user_domain_name = user['domain']['name']
in the function _build_user_headers.

This is because the token does not contain any domain id or name under the user info, since federated tokens have no information about the user.

This can be fixed simply by putting an if condition around the problematic code. I have tested this fix and was then able to get the image list and server list using the glance and nova REST APIs.

Example
vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py"

    if 'domain' in user:
        user_domain_id = user['domain']['id']
        user_domain_name = user['domain']['name']
    else:  # federated tokens carry no user domain
        user_domain_id = user_domain_name = None

Following is the token information; note that there is no domain under user:

{
  "token": {
    "methods": [
      "saml2"
    ],
    "roles": [
      {
        "id": "aad3b40ebb3b442f8fe85e88b21f3b4c",
        "name": "admin"
      }
    ],
    "expires_at": "2014-07-22T10:15:05.367852Z",
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "6e99b7d923bc437381fd1b2b4d890339",
      "name": "admin"
    },
    "catalog": [
      {
        "endpoints": [
          {
            "url": "https://127.0.0.1/keystone/main/v3",
            "interface": "internal",
            "region": "regionOne",
            "id": "f5dad391109542cba959d2e27c5fe3a2"
          },
          {
            "url": "https://172.20.15.103:8443/keystone/main/v3",
            "interface": "public",
            "region": "regionOne",
            "id": "4f76970e4ab5497d9149d56d455499ac"
          },
          {
            "url": "https://172.20.15.103:8443/keystone/admin/v3",
            "interface": "admin",
            "region": "regionOne",
            "id": "b85e76ca32f640c4a4d84068c71d3bf2"
          },
          {
            "url": "https://172.20.15.103:8443/keystone/admin/v2.0",
            "interface": "admin",
            "region": "regionOne",
            "id": "1ae909491d754aeb8c8b8a5c5fa6ad47"
          },
          {
            "url": "https://127.0.0.1/keystone/main/v2.0",
            "interface": "internal",
            "region": "regionOne",
            "id": "daf4ce3876d04285a106d86e0fea9bd1"
          },
          {
            "url": "https://172.20.15.103:8443/keystone/main/v2.0",
            "interface": "public",
            "region": "regionOne",
            "id": "f763c80100954bc4805cf51b3dddb84b"
          }
        ],
        "type": "identity",
        "id": "0f79e21861a94fcd84b72cae3ebd79e5"
      },
      {
        "endpoints": [
          {
            "url": "http://172.20.15.103:9292",
            "interface": "admin",
            "region": "RegionOne",
            "id": "16ffa8cebadd4d239744ea168efcd109"
          },
          {
            "url": "http://172.20.15.103:9292",
            "interface": "internal",
            "region": "RegionOne",
            "id": "944adaa070f44f21aa8a73fab15f07bb"
          },
          {
            "url": "http://127.0.0.1:9292",
            "interface": "public",
            "region": "RegionOne",
            "id": "cd945f6a5ee8410bbfe8d3572e23ee5d"
          }
        ],
        "type": "image",
        "id": "fe5d67da897b4359810d95e2c591fe21"
      },
      {
        "endpoints": [
          {
            "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "admin",
            "region": "RegionOne",
            "id": "6d93d29279a6483783298eb67159b5c6"
          },
          {
            "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "internal",
            "region": "RegionOne",
            "id": "9416222ad31a411294718b8fe4988daf"
          },
          {
            "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "public",
            "region": "RegionOne",
            "id": "4d924ad3cb1a442a929536f90a1612b6"
          }
        ],
        "type": "volume",
        "id": "55ef917e57a540e9b0353f02dec22512"
      },
      {
        "endpoints": [
          {
            "url": "http://172.20.15.103:9696",
            "interface": "admin",
            "region": "RegionOne",
            "id": "5fe8a0a8f6624e2cae2e2a8556919c2f"
          },
          {
            "url": "http://172.20.15.103:9696",
            "interface": "internal",
            "region": "RegionOne",
            "id": "0b9f9b8ce304460689e373c1e2a08c27"
          },
          {
            "url": "http://127.0.0.1:9696",
            "interface": "public",
            "region": "RegionOne",
            "id": "bcb231d9baab4345b9efed6374fc2a43"
          }
        ],
        "type": "network",
        "id": "b8aaed7927834fd381f6621e678409c1"
      },
      {
        "endpoints": [
          {
            "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "admin",
            "region": "RegionOne",
            "id": "55489ebf6793489289556a590f0c464f"
          },
          {
            "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "internal",
            "region": "RegionOne",
            "id": "a9da7a6cf58e45be889ac6b88d071ae4"
          },
          {
            "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
            "interface": "public",
            "region": "RegionOne",
            "id": "249a8f15a5034cfd956ed0136d62404b"
          }
        ],
        "type": "compute",
        "id": "ef0ff2f7395f4523b3dd2197f3e243cf"
      },
      {
        "endpoints": [
          {
            "url": "http://172.20.15.103:8777",
            "interface": "admin",
            "region": "RegionOne",
            "id": "95c930d0d593422092380bea899996b2"
          },
          {
            "url": "http://172.20.15.103:8777",
            "interface": "internal",
            "region": "RegionOne",
            "id": "2ca7e0515143455eb385b8feb5de9d2d"
          },
          {
            "url": "http://127.0.0.1:8777",
            "interface": "public",
            "region": "RegionOne",
            "id": "5b86fbfe14914ba9ba3a4ab600717ef7"
          }
        ],
        "type": "metering",
        "id": "a028437e8c364bb78501bfb46619bd86"
      }
    ],
    "extras": {},
    "user": {
      "id": "admin",
      "name": "admin"
    },
    "issued_at": "2014-07-22T09:15:05.367875Z"
  }
}
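To make the failure mode concrete, here is an added example (not code from the bug report or from keystoneclient) that reduces the token above to the fields the header-building step reads, shows the unconditional lookup raising KeyError, and shows the fixed variant returning None for the user-domain headers, as the committed fix does. The header names follow the auth_token middleware's conventions; the federation heuristic (saml2 method or missing user.domain) is an assumption modelled on the fix's description.

```python
import copy

# Constructed sample: the federated token body quoted in the bug report,
# reduced to the fields that the header-building code actually reads.
FEDERATED_TOKEN = {
    "token": {
        "methods": ["saml2"],
        "roles": [{"id": "aad3b40ebb3b442f8fe85e88b21f3b4c", "name": "admin"}],
        "project": {"domain": {"id": "default", "name": "Default"},
                    "id": "6e99b7d923bc437381fd1b2b4d890339", "name": "admin"},
        # No "domain" key under "user": this is what triggers the KeyError.
        "user": {"id": "admin", "name": "admin"},
    }
}

# Constructed sample: a password-scoped token, where user.domain is present.
PASSWORD_TOKEN = copy.deepcopy(FEDERATED_TOKEN)
PASSWORD_TOKEN["token"]["methods"] = ["password"]
PASSWORD_TOKEN["token"]["user"]["domain"] = {"id": "default", "name": "Default"}


def is_federated(token):
    """Assumed heuristic in the spirit of the fix: treat a token as federated
    when it was issued via saml2 or its user object carries no domain."""
    body = token["token"]
    return "saml2" in body.get("methods", []) or "domain" not in body["user"]


def build_user_headers_original(token):
    """Pre-fix behaviour: unconditional lookups raise KeyError on federated tokens."""
    body, user = token["token"], token["token"]["user"]
    return {
        "X-User-Id": user["id"],
        "X-User-Name": user["name"],
        "X-User-Domain-Id": user["domain"]["id"],
        "X-User-Domain-Name": user["domain"]["name"],
        "X-Project-Id": body["project"]["id"],
        "X-Roles": ",".join(r["name"] for r in body["roles"]),
    }


def build_user_headers_fixed(token):
    """Fixed behaviour: federated tokens get None for both user-domain headers
    instead of dereferencing a key that is not there; everything else is unchanged."""
    body, user = token["token"], token["token"]["user"]
    domain = {} if is_federated(token) else user["domain"]
    headers = {"X-User-Id": user["id"], "X-User-Name": user["name"],
               "X-User-Domain-Id": domain.get("id"),
               "X-User-Domain-Name": domain.get("name"),
               "X-Project-Id": body["project"]["id"],
               "X-Roles": ",".join(r["name"] for r in body["roles"])}
    return headers
```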

description: updated
Morgan Fainberg (mdrnstm) wrote :

If anything this is a bug against the keystonemiddleware package not keystone.

Changed in keystone:
status: New → Invalid

Agree, and thanks for moving this, I was not aware that the middleware is a different project.

Dolph Mathews (dolph) on 2014-07-30
no longer affects: keystone
Changed in keystonemiddleware:
importance: Undecided → Wishlist
status: New → Triaged
Steve Martinelli (stevemar) wrote :

I think it's worth adding the conditional that Mahesh pointed out for the time being.
I know Morgan is thinking that users should always have a domain, and in the federation case it should be the IdP value (which would negate the previous work), but nonetheless, I think it's easy enough to temporarily fix.

Changed in keystonemiddleware:
importance: Wishlist → Medium
Steve Martinelli (stevemar) wrote :

_build_user_headers now uses an auth_ref, and we can try to default user_domain_id and user_domain_name to None in the case of a federated token.

Changed in python-keystoneclient:
importance: Undecided → Medium
Changed in python-keystoneclient:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Changed in keystonemiddleware:
status: Triaged → Invalid
Changed in python-keystoneclient:
assignee: Steve Martinelli (stevemar) → Marek Denis (marek-denis)
Changed in python-keystoneclient:
assignee: Marek Denis (marek-denis) → Steve Martinelli (stevemar)

Reviewed: https://review.openstack.org/121146
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=7006f9b0088eb1828f4da24b62e306b37eef79d2
Submitter: Jenkins
Branch: master

commit 7006f9b0088eb1828f4da24b62e306b37eef79d2
Author: Marek Denis <email address hidden>
Date: Fri Sep 12 17:24:59 2014 +0200

    Handle federated tokens

    Federated tokens don't include domains in the user object.
    Keystoneclient should be able to estimate whether the token is a
    federated one and, if so, not expect user domain information.
    In the case of a federated token, keystoneclient returns None in response
    to user_domain_name and user_domain_id calls.

    Co-Authored-By: Steve Martinelli <email address hidden>

    Closes-Bug: #1346820
    Change-Id: I3453275fa1b0a41b1c015b0c3a92895a77d69a41

Changed in python-keystoneclient:
status: In Progress → Fix Committed
David Stanek (dstanek) on 2014-09-18
Changed in python-keystoneclient:
milestone: none → 0.11.0

Thanks all :)

no longer affects: keystonemiddleware
Dolph Mathews (dolph) on 2014-09-21
Changed in python-keystoneclient:
status: Fix Committed → Fix Released