
yahoo-eng-team team mailing list archive

[Bug 1575368] [NEW] Federation Unable to handle multiple groups

 

Public bug reported:

I'm using OIDC federated authentication, and I'm able to use the mapping JSON to do ephemeral user authentication.
Following is my mapping JSON:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "id": "{1}"
                },
                "domain": {
                    "name": "default"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_EMAIL"
            },
            {
                "type": "HTTP_OIDC_GROUP"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://myidp.cisco.com/oauth2"
                ]
            }
        ]
    }
]

and when tested with the keystone-manage mapping, I'm able to see multiple groups properly.
Output of Keystone-mapping verification:

{
  "group_ids": [
    "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
  ],
  "user": {
    "domain": {
      "id": "Federated"
    },
    "type": "ephemeral",
    "name": "kathurko@xxxxxxxxx"
  },
  "group_names": []
}

However, when the same flow is executed thru the OIDC I get the
following error message

{"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
'23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping was
not found in the backend. (Disable debug mode to suppress these
details.)", "code": 500, "title": "Internal Server Error"}}

I looked into the util.py code and printed the groups that were coming
into the validate_groups_in_backend function.

validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id  ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
(END)

It looks like the list is formed incorrectly:
[u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]

It should have been:
[u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']

Thanks,
Krishna
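
An added diagnostic example, not part of the original report and not Keystone's own code: it flattens the two malformed shapes shown above (the stringified list from the DEBUG log and the comma-joined string from the keystone-manage output) into individual group IDs, then fails closed on anything malformed or unknown. The names normalize_group_ids, validate_groups and BACKEND are hypothetical, and BACKEND simply assumes the two reported IDs exist in the backend.

```python
import ast
import re

# 32 lowercase hex characters: the shape of the group IDs quoted in the report.
GROUP_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_group_ids(raw):
    """Flatten a group_ids value into individual ID strings.

    Handles a real list, a Python-repr'd list packed into one string
    ("['a', 'b']") and a delimiter-joined string ("a,b" or "a;b").
    """
    items = raw if isinstance(raw, (list, tuple)) else [raw]
    ids = []
    for item in items:
        text = str(item).strip()
        if text.startswith("[") and text.endswith("]"):
            # literal_eval parses literals only; it never executes code.
            try:
                parsed = ast.literal_eval(text)
            except (ValueError, SyntaxError):
                raise ValueError("unparseable group list: %r" % text)
            ids.extend(normalize_group_ids(parsed))
        else:
            ids.extend(p.strip() for p in re.split(r"[;,]", text) if p.strip())
    return ids


def validate_groups(raw, backend_ids):
    """Return the normalized IDs; raise if any is malformed or unknown."""
    ids = normalize_group_ids(raw)
    for gid in ids:
        if not GROUP_ID_RE.match(gid):
            raise ValueError("malformed group id: %r" % gid)
        if gid not in backend_ids:
            raise LookupError("group %s not found in backend" % gid)
    return ids


# Assumption: the two IDs from the report stand in for the backend's groups.
BACKEND = {"5207b97776914a6b9f99e1c985533863", "23a70aa1af5f4439afb628a10f53ade3"}
# Values copied from the report: the DEBUG log line and the keystone-manage output.
FROM_LOG = ["['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]
FROM_CLI = ["5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"]
```

Splitting on delimiters is safe here only because each resulting ID is checked against the strict pattern before the backend lookup, so a crafted claim value cannot smuggle in an extra group name.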

** Affects: keystone
     Importance: Undecided
         Status: New

** Also affects: centos
   Importance: Undecided
       Status: New

** Package changed: centos => ubuntu

** No longer affects: ubuntu

** Description changed:

  I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
  Following is my mapping json:
  
  [
-     {
-         "local": [
-             {
-                       "user": {
-                         "name": "{0}"
-                     },
-  
-                         "group": {
-                             "id": "{1}"
-                 },
- 			"domain": {
-                                 "name": "default"
-                             }
+     {
+         "local": [
+             {
+                       "user": {
+                         "name": "{0}"
+                     },
  
+                         "group": {
+                             "id": "{1}"
+                 },
+    "domain": {
+                                 "name": "default"
+                             }
  
-             }
-         ],
-         "remote": [
- 		{
-                 "type": "HTTP_OIDC_EMAIL"
-                 },
- 		{
-                 "type": "HTTP_OIDC_GROUP"
-                 },
-                 {
-                 "type" : "HTTP_OIDC_ISS",
-                 "any_one_of": [
-                         "https://myidp.cisco.com/oauth2";
-                 ]
-                 }
+             }
+         ],
+         "remote": [
+   {
+                 "type": "HTTP_OIDC_EMAIL"
+                 },
+   {
+                 "type": "HTTP_OIDC_GROUP"
+                 },
+                 {
+                 "type" : "HTTP_OIDC_ISS",
+                 "any_one_of": [
+                         "https://myidp.cisco.com/oauth2";
+                 ]
+                 }
  
- 
-         ]
-     }
-  ]
+         ]
+     }
+  ]
  
  and when tested with the keystone-mange mapping, I'm able to see multiple groups properly.
  output of Keystone-mapping verification.
  
  {
-   "group_ids": [
-     "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
-   ], 
-   "user": {
-     "domain": {
-       "id": "Federated"
-     }, 
-     "type": "ephemeral", 
-     "name": "kathurko@xxxxxxxxx"
-   }, 
-   "group_names": []
+   "group_ids": [
+     "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
+   ],
+   "user": {
+     "domain": {
+       "id": "Federated"
+     },
+     "type": "ephemeral",
+     "name": "kathurko@xxxxxxxxx"
+   },
+   "group_names": []
  }
  
- 
- However, when the same flow is executed thru the OIDC I get the following error message
+ However, when the same flow is executed thru the OIDC I get the
+ following error message
  
  {"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
  '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping was
  not found in the backend. (Disable debug mode to suppress these
  details.)", "code": 500, "title": "Internal Server Error"}}
  
  I looked into the util.py code and printed the groups that were coming
  into the validate_groups_in_backend function.
  
- validatete_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
+ validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
  2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
  2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id  ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
  2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
  (END)
- 
  
  it looks like the list is formed incorrectly
  [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]
  
  it should have been
  [u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']
  
  Thanks,
  Krishna

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1575368

Title:
  Federation Unable to handle multiple groups

Status in OpenStack Identity (keystone):
  New
