Message #18063
[Bug 1346820] Re: Middeware auth_token fails with scoped federated saml token
If anything this is a bug against the keystonemiddleware package not
keystone.
** Also affects: keystonemiddleware
Importance: Undecided
Status: New
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1346820
Title:
Middeware auth_token fails with scoped federated saml token
Status in OpenStack Identity (Keystone):
Invalid
Status in OpenStack Identity (Keystone) Middleware:
New
Bug description:
Do the following steps
1) Set up keystone for federation.
2) Generate an unscoped federated token
3) Generate a scoped token using the token from step 2
4) Set up nova/glance for using keystone v3 API.
5) Try an image list command using following request
Request
GET http://sp.machine:9292/v2/images
Headers:
Content-Type: application/json
Accept: application/json
X-Auth-Token: e92a49262a8d403db838d6494e4f9991
6) This breaks the auth_token middleware (middleware\auth_token.py)
with a KeyError at the following place:
user = token['user']
user_domain_id = user['domain']['id']
user_domain_name = user['domain']['name']
in the function _build_user_headers.
This is because the token does not contain any domain id or name under
the user info, since federated tokens carry no domain information for
the user.
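This can be fixed simply by putting an if condition around the
problematic code. I have tested this fix and was then able to get the
image list and server list using the glance and nova REST APIs.
Note that the guard only skips the lookup, so user_domain_id and
user_domain_name still need a default value before the check (assuming
they are not initialised earlier in the function), and services behind
the middleware will then presumably receive no user domain for
federated users.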
Example
vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py"
893 if 'domain' in user:
894 user_domain_id = user['domain']['id']
895 user_domain_name = user['domain']['name']
Following is the token information; note that there is no "domain" key under "user":
{
"token": {
"methods": [
"saml2"
],
"roles": [
{
"id": "aad3b40ebb3b442f8fe85e88b21f3b4c",
"name": "admin"
}
],
"expires_at": "2014-07-22T10:15:05.367852Z",
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "6e99b7d923bc437381fd1b2b4d890339",
"name": "admin"
},
"catalog": [
{
"endpoints": [
{
"url": "https://127.0.0.1/keystone/main/v3",
"interface": "internal",
"region": "regionOne",
"id": "f5dad391109542cba959d2e27c5fe3a2"
},
{
"url": "https://172.20.15.103:8443/keystone/main/v3",
"interface": "public",
"region": "regionOne",
"id": "4f76970e4ab5497d9149d56d455499ac"
},
{
"url": "https://172.20.15.103:8443/keystone/admin/v3",
"interface": "admin",
"region": "regionOne",
"id": "b85e76ca32f640c4a4d84068c71d3bf2"
},
{
"url": "https://172.20.15.103:8443/keystone/admin/v2.0",
"interface": "admin",
"region": "regionOne",
"id": "1ae909491d754aeb8c8b8a5c5fa6ad47"
},
{
"url": "https://127.0.0.1/keystone/main/v2.0",
"interface": "internal",
"region": "regionOne",
"id": "daf4ce3876d04285a106d86e0fea9bd1"
},
{
"url": "https://172.20.15.103:8443/keystone/main/v2.0",
"interface": "public",
"region": "regionOne",
"id": "f763c80100954bc4805cf51b3dddb84b"
}
],
"type": "identity",
"id": "0f79e21861a94fcd84b72cae3ebd79e5"
},
{
"endpoints": [
{
"url": "http://172.20.15.103:9292",
"interface": "admin",
"region": "RegionOne",
"id": "16ffa8cebadd4d239744ea168efcd109"
},
{
"url": "http://172.20.15.103:9292",
"interface": "internal",
"region": "RegionOne",
"id": "944adaa070f44f21aa8a73fab15f07bb"
},
{
"url": "http://127.0.0.1:9292",
"interface": "public",
"region": "RegionOne",
"id": "cd945f6a5ee8410bbfe8d3572e23ee5d"
}
],
"type": "image",
"id": "fe5d67da897b4359810d95e2c591fe21"
},
{
"endpoints": [
{
"url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
"interface": "admin",
"region": "RegionOne",
"id": "6d93d29279a6483783298eb67159b5c6"
},
{
"url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
"interface": "internal",
"region": "RegionOne",
"id": "9416222ad31a411294718b8fe4988daf"
},
{
"url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
"interface": "public",
"region": "RegionOne",
"id": "4d924ad3cb1a442a929536f90a1612b6"
}
],
"type": "volume",
"id": "55ef917e57a540e9b0353f02dec22512"
},
{
"endpoints": [
{
"url": "http://172.20.15.103:9696",
"interface": "admin",
"region": "RegionOne",
"id": "5fe8a0a8f6624e2cae2e2a8556919c2f"
},
{
"url": "http://172.20.15.103:9696",
"interface": "internal",
"region": "RegionOne",
"id": "0b9f9b8ce304460689e373c1e2a08c27"
},
{
"url": "http://127.0.0.1:9696",
"interface": "public",
"region": "RegionOne",
"id": "bcb231d9baab4345b9efed6374fc2a43"
}
],
"type": "network",
"id": "b8aaed7927834fd381f6621e678409c1"
},
{
"endpoints": [
{
"url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
"interface": "admin",
"region": "RegionOne",
"id": "55489ebf6793489289556a590f0c464f"
},
{
"url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
"interface": "internal",
"region": "RegionOne",
"id": "a9da7a6cf58e45be889ac6b88d071ae4"
},
{
"url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
"interface": "public",
"region": "RegionOne",
"id": "249a8f15a5034cfd956ed0136d62404b"
}
],
"type": "compute",
"id": "ef0ff2f7395f4523b3dd2197f3e243cf"
},
{
"endpoints": [
{
"url": "http://172.20.15.103:8777",
"interface": "admin",
"region": "RegionOne",
"id": "95c930d0d593422092380bea899996b2"
},
{
"url": "http://172.20.15.103:8777",
"interface": "internal",
"region": "RegionOne",
"id": "2ca7e0515143455eb385b8feb5de9d2d"
},
{
"url": "http://127.0.0.1:8777",
"interface": "public",
"region": "RegionOne",
"id": "5b86fbfe14914ba9ba3a4ab600717ef7"
}
],
"type": "metering",
"id": "a028437e8c364bb78501bfb46619bd86"
}
],
"extras": {},
"user": {
"id": "admin",
"name": "admin"
},
"issued_at": "2014-07-22T09:15:05.367875Z"
}
}