yahoo-eng-team team mailing list archive
Message #36065
[Bug 1468544] Re: xmlsec1 error output is not logged
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => liberty-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1468544
Title:
xmlsec1 error output is not logged
Status in Keystone:
Fix Released
Bug description:
While trying to implement federation, I was getting code 500 errors
when trying to get a SAML assertion from a Keystone instance
configured as identity provider. This is what the Keystone log showed:
2015-06-24 21:54:46.454 13569 INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
2015-06-24 21:54:46.482 13569 ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
So this was not very useful. Running the xmlsec1 command from the
terminal worked fine, so it was not immediately clear what the
problem was.
I would like to suggest that the stderr output from xmlsec1 be added
to the log when the command fails, to help in troubleshooting this
type of problem. I did not see a way to get that output without
editing the Keystone source code.
Once I added the stderr to the log it was easy to figure out what the
problem was: the permissions on the private key directory were not
compatible with the account under which the xmlsec1 process was
executed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1468544/+subscriptions
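The pattern the report asks for, as an added example that is not Keystone's own code: the "before" helper uses subprocess.check_output, whose CalledProcessError message carries only the command and exit status (the log line quoted above), while run_signing_command captures stderr and puts it into the exception so the real cause reaches the log. The FAILING_CMD stand-in is constructed here to emulate xmlsec1 failing to open the key; its message text, the SigningError class and the function names are assumptions for this example, not anything from the Keystone source.

```python
"""Added example (not Keystone's code): surface a signing command's stderr."""
import subprocess
import sys

# Constructed stand-in for a failing xmlsec1 run, so the example works without
# xmlsec1 installed: it writes an error to stderr and exits 1, as xmlsec1 would
# when the service account cannot read the private key.  The message text is
# made up for this example.
FAILING_CMD = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('cannot open file "
    "/etc/ssl/private/signing_key.pem: Permission denied\\n'); sys.exit(1)",
]

# Constructed stand-in for a successful run that writes the signed XML to stdout.
SUCCEEDING_CMD = [sys.executable, "-c", "print('<Assertion/>')"]


class SigningError(Exception):
    """Raised when the signing command fails; the message includes its stderr."""

    def __init__(self, cmd, returncode, stderr):
        self.cmd = cmd
        self.returncode = returncode
        self.stderr = stderr
        super().__init__(
            "Command %r returned non-zero exit status %d; stderr: %s"
            % (cmd, returncode, stderr.strip()))


def run_signing_command(cmd):
    """Run cmd and return its stdout; on failure raise SigningError with stderr."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if proc.returncode != 0:
        # stderr is captured, so it can be logged instead of being lost.
        raise SigningError(cmd, proc.returncode, proc.stderr)
    return proc.stdout


def error_message_with_check_output(cmd):
    """Before: check_output leaves stderr uncaptured, so the exception text
    only says that the command returned a non-zero exit status."""
    try:
        subprocess.check_output(cmd)
    except subprocess.CalledProcessError as e:
        return str(e)
    return None


def error_message_with_stderr(cmd):
    """After: the exception text carries the child's stderr."""
    try:
        run_signing_command(cmd)
    except SigningError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("before:", error_message_with_check_output(FAILING_CMD))
    print("after: ", error_message_with_stderr(FAILING_CMD))
```

With the child's stderr in the exception, a log line for the failure names the unreadable key path rather than only the exit status; the reporter's diagnosis (directory permissions for the service account) then reads straight off the log.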