yahoo-eng-team team mailing list archive
Message #46657
[Bug 1541657] Re: Scoped OS-FEDERATION token not working
** Changed in: keystone
Status: In Progress => Invalid
** Changed in: keystone/kilo
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541657
Title:
Scoped OS-FEDERATION token not working
Status in OpenStack Identity (keystone):
Invalid
Status in OpenStack Identity (keystone) kilo series:
In Progress
Bug description:
I have implemented Keystone Federation scenario with Kilo against a
non-Keystone IdP.
Following the flow described at https://specs.openstack.org/openstack
/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html I
successfully went through SAML2 authentication and I ended up with an
unscoped token which is working just fine.
When I then request a scoped token out of the unscoped token I get a token which differs from the documentation:
the docs say that the user will have groups:
    "user": {
        "domain": {
            "id": "Federated"
        },
        "id": "username%40example.com",
        "name": "username@xxxxxxxxxxx",
        "OS-FEDERATION": {
            "identity_provider": "ACME",
            "protocol": "SAML",
            "groups": [
                {"id": "abc123"},
                {"id": "bcd234"}
            ]
        }
    }
while in my implementation I get a user with no groups (in contrast, my unscoped token has the groups in user):
    "user": {
        "domain": {
            "id": "Federated",
            "name": "Federated"
        },
        "id": "myUser",
        "name": "myUser",
        "OS-FEDERATION": {
            "identity_provider": {
                "id": "myIdP"
            },
            "protocol": {"id": "saml2"}
        }
    }
If I try to use the scoped token I get the error message:
# openstack --os-token 3e68789050944e9296f1e366f63a31a8 --os-auth-url https://host:5000/v3 --os-identity-api-version 3 --os-cacert /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list
ERROR: openstack Unable to find valid groups while using mapping saml_mapping (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb23e61c-6f1f-4259-8ff0-92063f60b5f0)
And this is no surprise if we debug the code for token creation and see that **_handle_mapped_tokens** in /usr/lib/python2.7/site-packages/keystone/token/providers/common.py says:
    if project_id or domain_id:
        roles = self.v3_token_data_helper._populate_roles_for_groups(
            group_ids, project_id, domain_id, user_id)
        token_data.update({'roles': roles})
    else:
        token_data['user'][federation.FEDERATION].update({
            'groups': [{'id': x} for x in group_ids]
        })
    return token_data
So, the only way to get our groups added to the scoped token is to NOT
use domain or project scoping, but if we do not scope the token for
domain or project then we will simply get yet another unscoped token
;).
What am I missing? How am I supposed to create a scoped token which works?
Thanks in advance!
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541657/+subscriptions
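An added illustration (not keystone's own code) of the branch quoted in the report: the group ids carried in the unscoped token are resolved to roles on the requested scope, so a scoped mapped token carries roles instead of groups by design, and a rescope fails if the token has no groups or the groups hold no role there. The role assignment table, the token payloads, and the MissingGroups/NoAccess exceptions are constructed stand-ins, not keystone's data or classes.

```python
FEDERATION = 'OS-FEDERATION'

class MissingGroups(Exception):
    """The federated token carries no mapped groups (keystone answers HTTP 401)."""

class NoAccess(Exception):
    """The mapped groups hold no role on the requested project or domain."""

# Constructed sample: roles each mapped group holds on a project or domain id.
ROLE_ASSIGNMENTS = {
    ('abc123', 'project-1'): [{'id': 'r1', 'name': 'member'}],
    ('bcd234', 'project-1'): [{'id': 'r2', 'name': 'reader'}],
}

def populate_roles_for_groups(group_ids, target_id):
    """Union of the roles the groups hold on target_id (stand-in for keystone's helper)."""
    roles = {}
    for gid in group_ids:
        for role in ROLE_ASSIGNMENTS.get((gid, target_id), []):
            roles[role['id']] = role
    return sorted(roles.values(), key=lambda r: r['id'])

def handle_mapped_token(unscoped_token, project_id=None, domain_id=None):
    """Rescope an unscoped federated token; mirrors the branch quoted in the report."""
    user = unscoped_token['user']
    group_ids = [g['id'] for g in user[FEDERATION].get('groups', [])]
    if not group_ids:  # nothing to derive roles from: reject before scoping
        raise MissingGroups('Unable to find valid groups while using mapping')
    fed = {k: v for k, v in user[FEDERATION].items() if k != 'groups'}
    token_data = {'user': {'id': user['id'], 'name': user['name'], FEDERATION: fed}}
    if project_id or domain_id:
        # Scoped: the groups become role assignments and are not echoed back.
        roles = populate_roles_for_groups(group_ids, project_id or domain_id)
        if not roles:
            raise NoAccess('groups hold no role on the requested scope')
        token_data.update({'roles': roles})
        token_data['project' if project_id else 'domain'] = {'id': project_id or domain_id}
    else:
        # Unscoped: keep the group ids so a later rescope can use them.
        token_data['user'][FEDERATION].update({'groups': [{'id': x} for x in group_ids]})
    return token_data

# Constructed unscoped token shaped like the one in the report.
UNSCOPED = {'user': {'id': 'myUser', 'name': 'myUser', FEDERATION: {
    'identity_provider': {'id': 'myIdP'}, 'protocol': {'id': 'saml2'},
    'groups': [{'id': 'abc123'}, {'id': 'bcd234'}]}}}
```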