Comment 0 for bug 1618499

Stanislav Kolenkin (skolenkin) wrote : Keystone OpenID Connect authentication fails if the `local` property of a mapping doesn't contain a `user` element.

MOS 9

To configure an OpenID Connect identity provider we should create a mapping.
If the `local` property of the mapping doesn't contain a `user` element, Keystone fails with the trace <trace example above> + attach the log file to the case
Example of a non-working mapping

If we use <example of a working mapping>,
authentication succeeds.

Expected result:
If Keystone expects a `user` attribute in the mapping and can't find it, it must issue an error instead of silently failing with a TRACE:

<11>Aug 29 18:21:02 node-1 keystone-public: 2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi [req-8dd2bec1-8fe8-4ae0-9f88-89a74fec1e2b - - - - -] 'name'
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     result = method(context, **params)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 325, in federated_sso_auth
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     protocol_id)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/federation/controllers.py", line 301, in federated_authentication
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     return self.authenticate_for_token(context, auth=auth)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     self.authenticate(context, auth_info, auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     auth_context)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     self.identity_api)
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 149, in handle_unscoped_token
2016-08-29 18:21:02.795 16916 ERROR keystone.common.wsgi     get_user_unique_id_and_display_name(context, mapped_prope

Authorization does not work with this JSON mapping:
cat google_mapping.json
[
    {
        "local": [
            {
                "group": {
                    "id": "fbc6bd1e7c664a6c81db19ec71587ec5"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://accounts.google.com"
                ]
            }
        ]
    }
]

Authorization works with this JSON mapping:
cat google_mapping2.json
[
    {
        "local": [
            {
                "group": {
                    "id": "fbc6bd1e7c664a6c81db19ec71587ec5"
                },
                "user": {
                    "id": "{0}",
                    "name": "{1}",
                    "email": "{2}"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_NAME"
            },
            {
                "type": "HTTP_OIDC_EMAIL"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://accounts.google.com"
                ]
            }
        ]
    }
]

ii keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service
ii python-keystone 2:9.0.2-1~u14.04+mos3 all OpenStack identity service - library
ii python-keystoneauth1 2.3.0-2~u14.04+mos1 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:2.3.1-3~u14.04+mos2 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.4.1-1~u14.04+mos0 all Middleware for OpenStack Identity (Keystone) - Python 2.x
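The pre-flight check the report asks Keystone for, written as an added example that is not Keystone's own code and not part of the bug report: a small Python validator that loads a mapping rule file, embeds the two mappings above as constructed sample input, and rejects a rule whose `local` list has no `user` element with a `name` (the condition behind the KeyError 'name' in the trace) before the mapping is ever handed to Keystone. It also checks that every positional `{n}` placeholder in `local` points at a remote entry; the assumption that filter entries (`any_one_of`, `not_any_of`, `blacklist`, `whitelist`) do not occupy a positional slot is mine and is marked in the code. The function names (`validate_mapping`, `check_file`) are hypothetical.

```python
"""Pre-flight validator for Keystone federation mapping rules.

Added example, not Keystone's own validation. The two mappings from the bug
report are embedded below as constructed sample input.
"""
import json
import re
import sys

# Constructed sample: the mapping that fails (google_mapping.json).
BROKEN_MAPPING = json.loads("""
[
  {
    "local": [
      {"group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"}}
    ],
    "remote": [
      {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://accounts.google.com"]}
    ]
  }
]
""")

# Constructed sample: the mapping that works (google_mapping2.json).
WORKING_MAPPING = json.loads("""
[
  {
    "local": [
      {
        "group": {"id": "fbc6bd1e7c664a6c81db19ec71587ec5"},
        "user": {"id": "{0}", "name": "{1}", "email": "{2}"}
      }
    ],
    "remote": [
      {"type": "HTTP_OIDC_SUB"},
      {"type": "HTTP_OIDC_NAME"},
      {"type": "HTTP_OIDC_EMAIL"},
      {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://accounts.google.com"]}
    ]
  }
]
""")

PLACEHOLDER = re.compile(r"\{(\d+)\}")
# Assumption: remote entries carrying one of these keys only filter the
# assertion and do not occupy a positional {n} slot.
FILTER_KEYS = {"any_one_of", "not_any_of", "blacklist", "whitelist"}


def _leaf_strings(node):
    """Yield every string value nested anywhere inside a JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _leaf_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _leaf_strings(value)


def validate_mapping(rules):
    """Return a list of problems; an empty list means the mapping passed."""
    problems = []
    if not isinstance(rules, list) or not rules:
        return ["mapping must be a non-empty JSON list of rules"]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append("rule %d: must be a JSON object" % i)
            continue
        local = rule.get("local") or []
        remote = rule.get("remote") or []
        if not local or not remote:
            problems.append("rule %d: 'local' and 'remote' must both be non-empty" % i)
            continue
        # Without a user element carrying a name, Keystone has nothing to build
        # the federated user from; this is the case that produced the KeyError.
        users = [item["user"] for item in local if isinstance(item.get("user"), dict)]
        if not users:
            problems.append("rule %d: no 'user' element in 'local'" % i)
        elif not any("name" in user for user in users):
            problems.append("rule %d: 'user' element has no 'name'" % i)
        # Every {n} placeholder must refer to a remote entry that yields a value.
        slots = sum(1 for entry in remote if not FILTER_KEYS & set(entry))
        for text in _leaf_strings(local):
            for match in PLACEHOLDER.finditer(text):
                idx = int(match.group(1))
                if idx >= slots:
                    problems.append(
                        "rule %d: placeholder {%d} but only %d non-filter remote entries"
                        % (i, idx, slots))
    return problems


def check_file(path):
    """Validate a mapping file on disk; returns the list of problems."""
    with open(path) as fh:
        return validate_mapping(json.load(fh))


if __name__ == "__main__":
    # With file arguments: validate each file. Without: show the two samples.
    for path in sys.argv[1:]:
        for problem in check_file(path):
            print("%s: %s" % (path, problem))
    if len(sys.argv) == 1:
        print("google_mapping.json:", validate_mapping(BROKEN_MAPPING))
        print("google_mapping2.json:", validate_mapping(WORKING_MAPPING))
```

Run it as `python validate_mapping.py google_mapping.json` before `openstack mapping create`; a non-empty list of problems is the explicit error the report wants instead of the 500 and the traceback in keystone's log.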