yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #49978
[Bug 1575368] [NEW] Federation Unable to handle multiple groups
Public bug reported:
I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
Following is my mapping json:
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"id": "{1}"
},
"domain": {
"name": "default"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_GROUP"
},
{
"type" : "HTTP_OIDC_ISS",
"any_one_of": [
"https://myidp.cisco.com/oauth2";
]
}
]
}
]
and when tested with the keystone-mange mapping, I'm able to see multiple groups properly.
output of Keystone-mapping verification.
{
"group_ids": [
"5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
],
"user": {
"domain": {
"id": "Federated"
},
"type": "ephemeral",
"name": "kathurko@xxxxxxxxx"
},
"group_names": []
}
However, when the same flow is executed thru the OIDC I get the
following error message
{"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
'23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping was
not found in the backend. (Disable debug mode to suppress these
details.)", "code": 500, "title": "Internal Server Error"}}
I looked into the util.py code and printed the groups that were coming
into the validate_groups_in_backend function.
validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
(END)
it looks like the list is formed incorrectly
[u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]
it should have been
[u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']
Thanks,
Krishna
** Affects: keystone
Importance: Undecided
Status: New
** Also affects: centos
Importance: Undecided
Status: New
** Package changed: centos => ubuntu
** No longer affects: ubuntu
** Description changed:
I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
Following is my mapping json:
[
- {
- "local": [
- {
- "user": {
- "name": "{0}"
- },
-
- "group": {
- "id": "{1}"
- },
- "domain": {
- "name": "default"
- }
+ {
+ "local": [
+ {
+ "user": {
+ "name": "{0}"
+ },
+ "group": {
+ "id": "{1}"
+ },
+ "domain": {
+ "name": "default"
+ }
- }
- ],
- "remote": [
- {
- "type": "HTTP_OIDC_EMAIL"
- },
- {
- "type": "HTTP_OIDC_GROUP"
- },
- {
- "type" : "HTTP_OIDC_ISS",
- "any_one_of": [
- "https://myidp.cisco.com/oauth2";
- ]
- }
+ }
+ ],
+ "remote": [
+ {
+ "type": "HTTP_OIDC_EMAIL"
+ },
+ {
+ "type": "HTTP_OIDC_GROUP"
+ },
+ {
+ "type" : "HTTP_OIDC_ISS",
+ "any_one_of": [
+ "https://myidp.cisco.com/oauth2";
+ ]
+ }
-
- ]
- }
- ]
+ ]
+ }
+ ]
and when tested with the keystone-mange mapping, I'm able to see multiple groups properly.
output of Keystone-mapping verification.
{
- "group_ids": [
- "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
- ],
- "user": {
- "domain": {
- "id": "Federated"
- },
- "type": "ephemeral",
- "name": "kathurko@xxxxxxxxx"
- },
- "group_names": []
+ "group_ids": [
+ "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
+ ],
+ "user": {
+ "domain": {
+ "id": "Federated"
+ },
+ "type": "ephemeral",
+ "name": "kathurko@xxxxxxxxx"
+ },
+ "group_names": []
}
-
- However, when the same flow is executed thru the OIDC I get the following error message
+ However, when the same flow is executed thru the OIDC I get the
+ following error message
{"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
'23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping was
not found in the backend. (Disable debug mode to suppress these
details.)", "code": 500, "title": "Internal Server Error"}}
I looked into the util.py code and printed the groups that were coming
into the validate_groups_in_backend function.
- validatete_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
+ validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
(END)
-
it looks like the list is formed incorrectly
[u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]
it should have been
[u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']
Thanks,
Krishna
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1575368
Title:
Federation Unable to handle multiple groups
Status in OpenStack Identity (keystone):
New
Bug description:
I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
Following is my mapping json:
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"id": "{1}"
},
"domain": {
"name": "default"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_GROUP"
},
{
"type" : "HTTP_OIDC_ISS",
"any_one_of": [
"https://myidp.cisco.com/oauth2";
]
}
]
}
]
and when tested with the keystone-mange mapping, I'm able to see multiple groups properly.
output of Keystone-mapping verification.
{
"group_ids": [
"5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
],
"user": {
"domain": {
"id": "Federated"
},
"type": "ephemeral",
"name": "kathurko@xxxxxxxxx"
},
"group_names": []
}
However, when the same flow is executed thru the OIDC I get the
following error message
{"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
'23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping
was not found in the backend. (Disable debug mode to suppress these
details.)", "code": 500, "title": "Internal Server Error"}}
I looked into the util.py code and printed the groups that were coming
into the validate_groups_in_backend function.
validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
(END)
it looks like the list is formed incorrectly
[u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]
it should have been
[u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']
Thanks,
Krishna
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1575368/+subscriptions
Follow ups
