REMOTE_USER as empty string results in authentication failure

Bug #1354315 reported by Matthieu Huin
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Matthieu Huin
Milestone: (not shown)

Bug Description

On some federation setups (observed on Apache 2.4.7 + Shibboleth 2.5.2, on Ubuntu 14.04) the REMOTE_USER environment variable is set to the empty string when performing a SAML-backed authentication, even though Shibboleth is configured so that it doesn't populate REMOTE_USER with any assertion.
This causes the external auth method to take over the expected saml2 auth method, and results in a 401 failure since user '' cannot be found.
A workaround is to disable the external auth method in /etc/keystone/keystone.conf.

Matthieu Huin (mhu-s) wrote :
Changed in keystone:
assignee: nobody → Matthieu Huin (mhu-s)
status: New → In Progress
Brant Knudson (blk-u)
tags: added: icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/111953
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c44778084dc2b16f7bab08efd47fb98df3231a2b
Submitter: Jenkins
Branch: master

commit c44778084dc2b16f7bab08efd47fb98df3231a2b
Author: Matthieu Huin <email address hidden>
Date: Tue Aug 5 10:37:02 2014 +0200

    Check for empty string value in REMOTE_USER

    The external auth method shouldn't be used if REMOTE_USER is set
    to the empty string value. This happens in some setups of Apache
    and Shibboleth SP, leading to authentication failures with the
    saml2 auth method unless the external auth method is disabled.

    Closes-Bug: #1354315
    Change-Id: I3cb46ddffa76be3d4526a175257014ca7f1ab94a
    Co-Authored-By: Florent Flament <email address hidden>
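
A minimal model of the failure reported above and of the check named in the commit message, added here as an illustration. It is not keystone's code: the function names, `KNOWN_USERS`, `Unauthorized` and the `SAML_SUBJECT` variable are all assumptions made for the example.

```python
# Simplified model of auth-method dispatch; NOT keystone's implementation.
# Every name below is hypothetical and exists only for this example.

class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""


KNOWN_USERS = {"alice"}  # constructed sample user store


def external_auth(environ):
    """External method: trust the user name the web server put in REMOTE_USER."""
    name = environ["REMOTE_USER"]
    if name not in KNOWN_USERS:
        raise Unauthorized("user %r cannot be found" % name)
    return ("external", name)


def saml2_auth(environ):
    """Stand-in for the federated method: identity comes from assertion
    attributes exported by the service provider, not from REMOTE_USER."""
    subject = environ.get("SAML_SUBJECT")  # hypothetical variable name
    if not subject:
        raise Unauthorized("no assertion attributes present")
    return ("saml2", subject)


METHODS = {"saml2": saml2_auth}


def authenticate_before(environ, requested_method):
    # Presence test: an empty-string REMOTE_USER still selects external auth.
    if "REMOTE_USER" in environ:
        return external_auth(environ)
    return METHODS[requested_method](environ)


def authenticate_after(environ, requested_method):
    # Truthiness test: '' and a missing key are both treated as "not set".
    if environ.get("REMOTE_USER"):
        return external_auth(environ)
    return METHODS[requested_method](environ)


# Constructed WSGI environ matching the report: the service provider supplied
# an assertion, but the web server also exported REMOTE_USER as ''.
FEDERATED_ENV = {"REMOTE_USER": "", "SAML_SUBJECT": "bob@idp.example"}
BASIC_ENV = {"REMOTE_USER": "alice"}  # constructed: ordinary external auth
```

With `FEDERATED_ENV`, `authenticate_before` raises `Unauthorized` for user `''` while `authenticate_after` reaches the saml2 method; a non-empty `REMOTE_USER` is handled by the external method in both versions.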

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2