
yahoo-eng-team team mailing list archive

[Bug 1468544] [NEW] xmlsec1 error output is not logged

 

Public bug reported:

While trying to implement federation, I was getting code 500 errors when
trying to get a SAML assertion from a Keystone instance configured as
identity provider. This is what the Keystone log showed:

    2015-06-24 21:54:46.454 13569 INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
    2015-06-24 21:54:46.482 13569 ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
    2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.

So this was not very useful. Running the xmlsec1 command from the
terminal worked fine, so it was not immediately clear what the
problem was.

I would like to suggest that the stderr output from xmlsec1 be added to
the log when the command fails, to help in troubleshooting this type of
problem. I did not see a way to get that output without editing the
Keystone source code.

Once I added the stderr to the log it was easy to figure out what the
problem was: the permissions on the private key directory were not
compatible with the account under which the xmlsec1 process was
executed.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1468544
