
yahoo-eng-team team mailing list archive

[Bug 1468544] Re: xmlsec1 error output is not logged


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1468544

Title:
  xmlsec1 error output is not logged

Status in Keystone:
  Fix Released

Bug description:
  While trying to implement federation, I was getting code 500 errors
  when trying to get a SAML assertion from a Keystone instance
  configured as identity provider. This is what the Keystone log showed:

      2015-06-24 21:54:46.454 13569 INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
      2015-06-24 21:54:46.482 13569 ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
      2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.

  So this was not very useful. Running the xmlsec1 command from the
  terminal worked fine, so it was not immediately clear what the
  problem was.

  I would like to suggest that the stderr output from xmlsec1 be added
  to the log when the command fails, to help in troubleshooting this
  type of problem. I did not see a way to get that output without
  editing the Keystone source code.

  Once I added the stderr to the log it was easy to figure out what the
  problem was: the permissions on the private key directory were not
  compatible with the account under which the xmlsec1 process was
  executed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1468544/+subscriptions
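The log line in the report has the shape of Python's subprocess.CalledProcessError: only the argv and the exit status survive, and whatever xmlsec1 wrote to stderr is gone. The block below is an added example, not Keystone's code and not the fix that landed in liberty-2. It shows the lossy pattern beside a wrapper that captures stderr, logs it and carries it in the raised exception. xmlsec1 is replaced by constructed stand-in commands (python -c one-liners) so it runs anywhere, the "failed to load private key ... Permission denied" text is invented for the example and is not xmlsec1's real wording, and the SigningError class is a name chosen here.

```python
"""Added example (not Keystone's own code): keep a signer's stderr on failure.

The bug's log shows subprocess.CalledProcessError: argv and exit status only.
run_signer() below captures stderr and puts it in both the log record and the
exception, which is what the reporter asked for. xmlsec1 is replaced by
constructed stand-in commands so the example runs without it installed.
"""
import logging
import subprocess
import sys

LOG = logging.getLogger(__name__)


class SigningError(Exception):
    """Signer exited non-zero; carries argv, exit status and captured stderr.
    (Hypothetical name for this example.)"""

    def __init__(self, argv, returncode, stderr):
        self.argv = argv
        self.returncode = returncode
        self.stderr = stderr
        super().__init__("Command %r returned non-zero exit status %d: %s"
                         % (argv, returncode, stderr.strip()))


def run_signer_lossy(argv):
    """The pattern behind the bug: stderr is inherited by the child (and often
    discarded under a WSGI server), and the exception carries no detail."""
    return subprocess.check_output(argv)


def run_signer(argv, timeout=30):
    """Run argv as a list (no shell); return stdout, or log stderr and raise."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          timeout=timeout)
    if proc.returncode != 0:
        stderr = proc.stderr.decode("utf-8", "replace")
        LOG.error("Error when signing assertion: %r exited %d, stderr:\n%s",
                  argv, proc.returncode, stderr)
        raise SigningError(argv, proc.returncode, stderr)
    return proc.stdout


# Constructed stand-in for a failing xmlsec1 run. The message is made up for
# this example to resemble a key-permission failure; it is not xmlsec1's wording.
FAILING_SIGNER = [
    sys.executable, "-c",
    "import sys; sys.stderr.write("
    "'Error: failed to load private key from /etc/ssl/private/signing_key.pem: "
    "Permission denied\\n'); sys.exit(1)",
]
# Constructed stand-in for a successful run that writes the signed document to stdout.
WORKING_SIGNER = [sys.executable, "-c", "print('<Assertion/>')"]


def demo():
    """Return what each approach reports for the same failing command,
    plus the stdout of a successful run through run_signer()."""
    result = {"lossy": None, "detailed": None, "success": None}
    try:
        run_signer_lossy(FAILING_SIGNER)
    except subprocess.CalledProcessError as exc:
        result["lossy"] = str(exc)        # argv and exit status, nothing about the key
    try:
        run_signer(FAILING_SIGNER)
    except SigningError as exc:
        result["detailed"] = str(exc)     # includes the captured stderr text
    result["success"] = run_signer(WORKING_SIGNER)
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The stderr of a signing tool normally names files and library functions rather than key material, but the log it lands in should still be treated as sensitive. The underlying fix in the report is an operational one: confirm that the account the web server runs Keystone under can read the key, for example with `sudo -u keystone test -r /etc/ssl/private/signing_key.pem && echo readable` (the user name `keystone` is an assumption; use whatever account the wsgi process runs as).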

