yahoo-eng-team team mailing list archive
Message #48174
[Bug 1557238] Re: mapping yield no valid identity result in HTTP 500 error
Reviewed: https://review.openstack.org/293184
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e5dcb3b4b6bdecd0947cba32cb3732ca52ed07c3
Submitter: Jenkins
Branch: master
commit e5dcb3b4b6bdecd0947cba32cb3732ca52ed07c3
Author: guang-yee <guang.yee@xxxxxxx>
Date: Tue Mar 15 17:29:42 2016 -0700
Mapping which yields no identities should result in ValidationError
Currently mapping produces a bogus "blind" default identity when no
rules match the incoming attributes. This is unnecessary and downright
dangerous. There's absolutely no use case for the "blind" identity.
Furthermore, consumers of mapped properties assumed that the "blind"
identity is legit. This leads to expected failures such as KeyError when they
try to reference the required identity attributes such as user['name'].
We should raise ValidationError if the rules yield no valid identity.
This patch also removes the tests where the bogus "blind" identity is
expected.
Change-Id: I117621673ffc0b4f8e2c48721329daa3b6090327
Closes-Bug: 1557238
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1557238
Title:
mapping yield no valid identity result in HTTP 500 error
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
A mapping which yields no valid identity (i.e. no local user or group)
will result in HTTP 500 instead of 401. There are two issues.
1. We automatically return a default ephemeral user mapped_properties when mapping yields no valid local identity or groups.
2. In the mapped auth plugin, we assume the mapped_properties contains a valid local identity or group.
To reproduce the problem:
1. Set up WebSSO or K2K.
2. Create a mapping rule for the given IdP and protocol which yields neither a local identity nor a group. For example,
[
  {
    "local": [
      {
        "user": {
          "type": "local",
          "name": "{0}",
          "domain": {
            "name": "{1}"
          }
        }
      }
    ],
    "remote": [
      {
        "type": "openstack_user"
      },
      {
        "type": "openstack_user_domain"
      },
      {
        "type": "openstack_roles",
        "any_one_of": [
          "bogus"
        ]
      }
    ]
  }
]
3. Do the federation dance and you'll get an HTTP 500 and a traceback
as pretty as this one.
2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] updating a direct mapping: [u'Unset'] 2016-03-14 17:16:05.536 _verify_all_requirements /opt/stack/keystone/keystone/federation/utils.py:796
2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] identity_values: [] 2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:534
2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral'}, 'group_names': []} 2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:536
2016-03-14 17:16:05.620 12497 ERROR keystone.common.wsgi [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] 'name'
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi result = method(context, **params)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/controllers.py", line 302, in federated_authentication
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi auth_context)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi self.identity_api)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi get_user_unique_id_and_display_name(context, mapped_properties)
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 253, in get_user_unique_id_and_display_name
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi return (user['id'], user['name'])
2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi KeyError: 'name'
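The following is an added example, not keystone's own code: a toy Python re-implementation of the rule evaluation described in the bug (direct mappings feed the {0}/{1} placeholders, "any_one_of" requirements only gate the rule), run against the reproducer's rule set with a constructed assertion. It shows the pre-fix path returning the "blind" ephemeral identity that the mapped auth plugin then trips over with KeyError: 'name', and the fixed path rejecting an empty mapping result up front. The names evaluate_mapping, process_before_fix, process_after_fix, authenticate and MappingValidationError are assumptions made here for illustration, not keystone APIs.

```python
import copy


class MappingValidationError(Exception):
    """Assumed stand-in for keystone's ValidationError: mapping yielded no identity."""


# Same rule as the reproducer in the bug: the "bogus" role requirement never
# matches a real assertion, so no local user is ever produced.
RULES = [
    {
        "local": [
            {"user": {"type": "local", "name": "{0}", "domain": {"name": "{1}"}}}
        ],
        "remote": [
            {"type": "openstack_user"},
            {"type": "openstack_user_domain"},
            {"type": "openstack_roles", "any_one_of": ["bogus"]},
        ],
    }
]

# Constructed assertions, shaped like what the IdP hands over after SSO/K2K.
ASSERTION_NO_MATCH = {
    "openstack_user": "alice",
    "openstack_user_domain": "Default",
    "openstack_roles": "Member;reader",
}
ASSERTION_MATCH = dict(ASSERTION_NO_MATCH, openstack_roles="bogus")

# The "blind" default from the mapped_properties debug line in the bug report.
BLIND_IDENTITY = {
    "group_ids": [],
    "group_names": [],
    "user": {"domain": {"id": "Federated"}, "type": "ephemeral"},
}


def _remote_value(req, assertion):
    """Return the assertion value for one remote requirement, or None if it fails."""
    values = assertion.get(req["type"], "").split(";")
    if values == [""]:
        return None
    if "any_one_of" in req and not any(v in req["any_one_of"] for v in values):
        return None
    return values[0]


def _render(template, direct):
    # Substitute {0}, {1}, ... from the direct-mapped values, recursively.
    if isinstance(template, str):
        return template.format(*direct)
    return {k: _render(v, direct) for k, v in template.items()}


def evaluate_mapping(rules, assertion):
    """Return mapped_properties for the first rule whose remote part matches, else None."""
    for rule in rules:
        direct = []
        for req in rule["remote"]:
            value = _remote_value(req, assertion)
            if value is None:
                break  # requirement failed; try the next rule
            if "any_one_of" not in req:  # only direct mappings feed placeholders
                direct.append(value)
        else:
            props = {"user": {}, "group_ids": [], "group_names": []}
            for local in rule["local"]:
                if "user" in local:
                    props["user"] = _render(local["user"], direct)
            return props
    return None


def process_before_fix(rules, assertion):
    """Pre-fix behaviour: silently fall back to the blind ephemeral identity."""
    return evaluate_mapping(rules, assertion) or copy.deepcopy(BLIND_IDENTITY)


def process_after_fix(rules, assertion):
    """Fixed behaviour: refuse to continue when no user or group was mapped."""
    props = evaluate_mapping(rules, assertion)
    if not props or not (props["user"].get("name") or props["group_ids"] or props["group_names"]):
        raise MappingValidationError("mapping rules yielded no valid local identity")
    return props


def authenticate(rules, assertion, fixed):
    """Run mapping plus the consumer that expects user['name'], like the mapped plugin.

    Returns the display name on success, or the name of the exception that surfaces.
    """
    try:
        props = (process_after_fix if fixed else process_before_fix)(rules, assertion)
        return props["user"]["name"]  # the line that raised KeyError in the traceback
    except (KeyError, MappingValidationError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("before fix:", authenticate(RULES, ASSERTION_NO_MATCH, fixed=False))
    print("after fix: ", authenticate(RULES, ASSERTION_NO_MATCH, fixed=True))
    print("matching:  ", authenticate(RULES, ASSERTION_MATCH, fixed=True))
```

The pre-fix run reaches the consumer with an identity that has a type and a domain but no name, which is exactly the unhandled KeyError the WSGI layer turns into a 500; the fixed run fails in the mapping step with a typed error the auth controller can translate into a client-facing response instead.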
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1557238/+subscriptions