yahoo-eng-team team mailing list archive

[Bug 1346820] Re: Middeware auth_token fails with scoped federated saml token

 

If anything this is a bug against the keystonemiddleware package not
keystone.

** Also affects: keystonemiddleware
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1346820

Title:
  Middeware auth_token fails with scoped federated saml token

Status in OpenStack Identity (Keystone):
  Invalid
Status in OpenStack Identity  (Keystone) Middleware:
  New

Bug description:
  Do the following steps
  1) Set up keystone for federation.
  2) Generate an unscoped federated token
  3) Generate a scoped token using token in step 2
  4) Set up nova/glance for using keystone v3 API.
  5) Try an image list command using following request

  Request

  GET http://sp.machine:9292/v2/images
  Headers:
      Content-Type: application/json
      Accept: application/json
      X-Auth-Token: e92a49262a8d403db838d6494e4f9991

  6) This will break the auth_token(middleware\auth_token.py) middleware
  with key error at the following place

              user = token['user']
              user_domain_id = user['domain']['id']
              user_domain_name = user['domain']['name']
  in the function _build_user_headers.

  This is because the token does not contain any domain id or name under
  the user info, since federated tokens have no information about the
  user.

  This can be fixed simply by putting an if condition around the
  problematic code. I have tested this fix and was then able to get the
  image list and server list using the glance and nova REST APIs.

  Example
  vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py"

  
              if 'domain' in user:
                  user_domain_id = user['domain']['id']
                  user_domain_name = user['domain']['name']

  
  Following is the token information; note that there is no domain under users:

  {
    "token": {
      "methods": [
        "saml2"
      ],
      "roles": [
        {
          "id": "aad3b40ebb3b442f8fe85e88b21f3b4c",
          "name": "admin"
        }
      ],
      "expires_at": "2014-07-22T10:15:05.367852Z",
      "project": {
        "domain": {
          "id": "default",
          "name": "Default"
        },
        "id": "6e99b7d923bc437381fd1b2b4d890339",
        "name": "admin"
      },
      "catalog": [
        {
          "endpoints": [
            {
              "url": "https://127.0.0.1/keystone/main/v3",
              "interface": "internal",
              "region": "regionOne",
              "id": "f5dad391109542cba959d2e27c5fe3a2"
            },
            {
              "url": "https://172.20.15.103:8443/keystone/main/v3",
              "interface": "public",
              "region": "regionOne",
              "id": "4f76970e4ab5497d9149d56d455499ac"
            },
            {
              "url": "https://172.20.15.103:8443/keystone/admin/v3",
              "interface": "admin",
              "region": "regionOne",
              "id": "b85e76ca32f640c4a4d84068c71d3bf2"
            },
            {
              "url": "https://172.20.15.103:8443/keystone/admin/v2.0",
              "interface": "admin",
              "region": "regionOne",
              "id": "1ae909491d754aeb8c8b8a5c5fa6ad47"
            },
            {
              "url": "https://127.0.0.1/keystone/main/v2.0",
              "interface": "internal",
              "region": "regionOne",
              "id": "daf4ce3876d04285a106d86e0fea9bd1"
            },
            {
              "url": "https://172.20.15.103:8443/keystone/main/v2.0",
              "interface": "public",
              "region": "regionOne",
              "id": "f763c80100954bc4805cf51b3dddb84b"
            }
          ],
          "type": "identity",
          "id": "0f79e21861a94fcd84b72cae3ebd79e5"
        },
        {
          "endpoints": [
            {
              "url": "http://172.20.15.103:9292",
              "interface": "admin",
              "region": "RegionOne",
              "id": "16ffa8cebadd4d239744ea168efcd109"
            },
            {
              "url": "http://172.20.15.103:9292",
              "interface": "internal",
              "region": "RegionOne",
              "id": "944adaa070f44f21aa8a73fab15f07bb"
            },
            {
              "url": "http://127.0.0.1:9292",
              "interface": "public",
              "region": "RegionOne",
              "id": "cd945f6a5ee8410bbfe8d3572e23ee5d"
            }
          ],
          "type": "image",
          "id": "fe5d67da897b4359810d95e2c591fe21"
        },
        {
          "endpoints": [
            {
              "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "admin",
              "region": "RegionOne",
              "id": "6d93d29279a6483783298eb67159b5c6"
            },
            {
              "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "internal",
              "region": "RegionOne",
              "id": "9416222ad31a411294718b8fe4988daf"
            },
            {
              "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "public",
              "region": "RegionOne",
              "id": "4d924ad3cb1a442a929536f90a1612b6"
            }
          ],
          "type": "volume",
          "id": "55ef917e57a540e9b0353f02dec22512"
        },
        {
          "endpoints": [
            {
              "url": "http://172.20.15.103:9696",
              "interface": "admin",
              "region": "RegionOne",
              "id": "5fe8a0a8f6624e2cae2e2a8556919c2f"
            },
            {
              "url": "http://172.20.15.103:9696",
              "interface": "internal",
              "region": "RegionOne",
              "id": "0b9f9b8ce304460689e373c1e2a08c27"
            },
            {
              "url": "http://127.0.0.1:9696",
              "interface": "public",
              "region": "RegionOne",
              "id": "bcb231d9baab4345b9efed6374fc2a43"
            }
          ],
          "type": "network",
          "id": "b8aaed7927834fd381f6621e678409c1"
        },
        {
          "endpoints": [
            {
              "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "admin",
              "region": "RegionOne",
              "id": "55489ebf6793489289556a590f0c464f"
            },
            {
              "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "internal",
              "region": "RegionOne",
              "id": "a9da7a6cf58e45be889ac6b88d071ae4"
            },
            {
              "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339",
              "interface": "public",
              "region": "RegionOne",
              "id": "249a8f15a5034cfd956ed0136d62404b"
            }
          ],
          "type": "compute",
          "id": "ef0ff2f7395f4523b3dd2197f3e243cf"
        },
        {
          "endpoints": [
            {
              "url": "http://172.20.15.103:8777",
              "interface": "admin",
              "region": "RegionOne",
              "id": "95c930d0d593422092380bea899996b2"
            },
            {
              "url": "http://172.20.15.103:8777",
              "interface": "internal",
              "region": "RegionOne",
              "id": "2ca7e0515143455eb385b8feb5de9d2d"
            },
            {
              "url": "http://127.0.0.1:8777",
              "interface": "public",
              "region": "RegionOne",
              "id": "5b86fbfe14914ba9ba3a4ab600717ef7"
            }
          ],
          "type": "metering",
          "id": "a028437e8c364bb78501bfb46619bd86"
        }
      ],
      "extras": {},
      "user": {
        "id": "admin",
        "name": "admin"
      },
      "issued_at": "2014-07-22T09:15:05.367875Z"
    }
  }
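
Added example (not part of the original report and not keystonemiddleware's own code): the failing lookup from the report next to a tolerant header builder that omits the domain headers for a federated token and strips any client-sent identity headers first, so downstream services never see an unverified domain. Function names and the sample tokens are hypothetical; the header names are the ones auth_token passes downstream.

```python
# Added example: names below are hypothetical, not keystonemiddleware's API.
IDENTITY_HEADERS = ("X-User-Id", "X-User-Name", "X-User-Domain-Id",
                    "X-User-Domain-Name", "X-Project-Id", "X-Roles")


def build_user_headers_strict(token):
    """The lookup quoted in the report: assumes user['domain'] is present."""
    user = token["token"]["user"]
    return {"X-User-Id": user["id"],
            "X-User-Domain-Id": user["domain"]["id"],
            "X-User-Domain-Name": user["domain"]["name"]}


def build_user_headers(token):
    """Tolerant variant: omit a header when the token has no value for it."""
    body = token["token"]
    user = body["user"]
    domain = user.get("domain") or {}
    headers = {
        "X-User-Id": user.get("id"),
        "X-User-Name": user.get("name"),
        "X-User-Domain-Id": domain.get("id"),
        "X-User-Domain-Name": domain.get("name"),
        "X-Project-Id": (body.get("project") or {}).get("id"),
        "X-Roles": ",".join(r["name"] for r in body.get("roles", [])),
    }
    return {k: v for k, v in headers.items() if v is not None}


def apply_identity_headers(request_headers, token):
    """Strip client-sent identity headers, then add the verified ones, so an
    omitted domain cannot be filled in by a value the client supplied."""
    reserved = {h.lower() for h in IDENTITY_HEADERS}
    clean = {k: v for k, v in request_headers.items()
             if k.lower() not in reserved}
    clean.update(build_user_headers(token))
    return clean


# Constructed samples: the federated token is trimmed from the report above.
FEDERATED_TOKEN = {"token": {
    "methods": ["saml2"], "roles": [{"name": "admin"}],
    "project": {"id": "6e99b7d923bc437381fd1b2b4d890339", "name": "admin"},
    "user": {"id": "admin", "name": "admin"}}}
LOCAL_TOKEN = {"token": {
    "methods": ["password"], "roles": [{"name": "member"}],
    "user": {"id": "u1", "name": "alice",
             "domain": {"id": "default", "name": "Default"}}}}
```

Services behind the middleware that authorize on the user domain need to treat an absent X-User-Domain-Id as "no domain", not as a default one.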
