
yahoo-eng-team team mailing list archive

[Bug 1557238] [NEW] mapping yield no valid identity result in HTTP 500 error


Public bug reported:

A mapping which yields no valid identity (i.e. no local user or group)
will result in HTTP 500 instead of 401. There are two issues.

1. We automatically return a default ephemeral user in mapped_properties when the mapping yields no valid local identity or groups.
2. In the mapped auth plugin, we assume mapped_properties contains a valid local identity or group.

To reproduce the problem:

1. Set up WebSSO or K2K.
2. Create a mapping rule for the given IdP and protocol which yields neither a local identity nor a group. For example,

    [
        {
            "local": [
                {
                    "user": {
                        "type": "local",
                        "name": "{0}",
                        "domain": {
                            "name": "{1}"
                        }
                    }
                }
            ],
            "remote": [
                {
                    "type": "openstack_user"
                },
                {
                    "type": "openstack_user_domain"
                },
                {
                    "type": "openstack_roles",
                    "any_one_of": [
                        "bogus"
                    ]
                }
            ]
        }
    ]

3. Do the federation dance and you'll get an HTTP 500 and a traceback as
pretty as this one.

2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] updating a direct mapping: [u'Unset'] 2016-03-14 17:16:05.536 _verify_all_requirements /opt/stack/keystone/keystone/federation/utils.py:796
2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] identity_values: [] 2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:534
2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral'}, 'group_names': []} 2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:536
2016-03-14 17:16:05.620 12497 ERROR keystone.common.wsgi [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] 'name'
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     result = method(context, **params)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/controllers.py", line 302, in federated_authentication
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     return self.authenticate_for_token(context, auth=auth)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     self.authenticate(context, auth_info, auth_context)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     auth_context)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     self.identity_api)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     get_user_unique_id_and_display_name(context, mapped_properties)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 253, in get_user_unique_id_and_display_name
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     return (user['id'], user['name'])
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi KeyError: 'name'

** Affects: keystone
     Importance: High
         Status: New

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1557238

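The failure path the report describes, as an added Python illustration (this is not Keystone's code): a simplified mapping engine with the default-ephemeral-user fallback from issue 1, the plugin-side assumption from issue 2 that turns into the KeyError, and a hardened check that turns a mapping with no usable identity into a 401. The ASSERTION values, the Unauthorized stand-in and all function names are constructed for the example; the mapping rule is the one from the report.

```python
class Unauthorized(Exception): pass  # stands in for keystone.exception.Unauthorized (401)

# Constructed assertion: the IdP grants a role the rule does not accept.
ASSERTION = {"openstack_user": "alice", "openstack_user_domain": "Default",
             "openstack_roles": "member"}
# The mapping rule from the report (duplicate "type" key dropped).
RULES = [{"local": [{"user": {"type": "local", "name": "{0}",
                              "domain": {"name": "{1}"}}}],
          "remote": [{"type": "openstack_user"},
                     {"type": "openstack_user_domain"},
                     {"type": "openstack_roles", "any_one_of": ["bogus"]}]}]

def rule_matches(rule, assertion):
    """A rule applies only when every remote requirement is met."""
    return all(r["type"] in assertion and
               assertion[r["type"]] in r.get("any_one_of", [assertion[r["type"]]])
               for r in rule["remote"])

def process_mapping(rules, assertion):
    """Simplified engine with the report's fallback: no match -> bare ephemeral user."""
    for rule in rules:
        if rule_matches(rule, assertion):
            values = [assertion[r["type"]] for r in rule["remote"]]
            user = dict(rule["local"][0]["user"])
            user["name"] = user["name"].format(*values)
            user["domain"] = {"name": user["domain"]["name"].format(*values)}
            return {"user": user, "group_ids": [], "group_names": []}
    return {"user": {"domain": {"id": "Federated"}, "type": "ephemeral"},
            "group_ids": [], "group_names": []}

def unique_id_buggy(mapped):
    user = mapped["user"]  # assumes the mapping always produced a named user
    return (user.get("id", user.get("name")), user["name"])  # KeyError -> 500

def unique_id_checked(mapped):
    """Hardened stand-in: no usable identity is an auth failure (401)."""
    user = mapped.get("user") or {}
    user_id = user.get("id") or user.get("name")
    if not user_id:
        raise Unauthorized("mapping produced no local user id or name")
    return (user_id, user.get("name") or user_id)

def outcome(handler, mapped):
    """What the WSGI layer would turn the handler's result into."""
    try:
        return handler(mapped)
    except Unauthorized:
        return "HTTP 401"
    except KeyError as exc:
        return "HTTP 500 (KeyError: %r)" % exc.args[0]
```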