
yahoo-eng-team team mailing list archive

[Bug 1590426] [NEW] Keystone Federated Identity assertion name not included in token

 

Public bug reported:

When using keystone Federated Identity, the user name, based on the
assertion mapping, is replaced in Keystone tokens by the autogenerated
ID, resulting in e.g. Horizon showing the user's ID instead of the name
(see attachment).

Running "openstack user list" shows the correct data:

+----------------------------------+----------------------------------+
| ID                               | Name                             |
+----------------------------------+----------------------------------+
| 1835f12340674587b8e9b55ac1b43a3c | test1@xxxxxxxx                   |
+----------------------------------+----------------------------------+

The issue is clearly visible in the logs:

016-05-26 10:08:02.809220 DEBUG:keystoneauth.identity.v3.base:{"token":
{"issued_at": "2016-05-26T10:08:02.804697Z", "user": {"OS-FEDERATION":
{"identity_provider": {"id": "idp_1"}, "protocol": {"id": "saml2"},
"groups": [{"id": "b07974d2891f4d939b91a288ea933b1e"}]}, "domain":
{"id": "Federated", "name": "Federated"}, "id":
"1835f12340674587b8e9b55ac1b43a3c", "name":
"1835f12340674587b8e9b55ac1b43a3c"}, "methods": ["token"], "expires_at":
"2016-05-26T11:08:02.804676Z", "audit_ids": ["4O86fwqsSd6LSge4123sdx"]}}

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "Horizon showing the data coming"
   https://bugs.launchpad.net/bugs/1590426/+attachment/4679819/+files/keystone_federated_horizon_issue.png

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590426

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1590426/+subscriptions
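
A check for the symptom described in this report, as an added example that is not part of the original message or of keystone: it scans keystoneauth debug lines for federated token bodies whose user "name" is just a copy of the "id". The sample lines are constructed from the values quoted in the report; `test1@example.test` and the `INFO` line are made up for the negative cases.

```python
import json

MARKER = "DEBUG:keystoneauth.identity.v3.base:"
UID = "1835f12340674587b8e9b55ac1b43a3c"  # user ID quoted in the report


def sample_line(name):
    """Constructed debug line shaped like the one in the report."""
    user = {"OS-FEDERATION": {"identity_provider": {"id": "idp_1"},
                              "protocol": {"id": "saml2"}},
            "domain": {"id": "Federated", "name": "Federated"},
            "id": UID, "name": name}
    body = {"token": {"user": user, "methods": ["token"]}}
    return "2016-05-26 10:08:02.809220 " + MARKER + json.dumps(body)


def token_users(lines):
    """Yield the "user" object from each token body logged by keystoneauth."""
    decoder = json.JSONDecoder()
    for line in lines:
        start = line.find("{", line.find(MARKER) + len(MARKER)) if MARKER in line else -1
        if start < 0:
            continue
        try:
            body, _ = decoder.raw_decode(line[start:])
        except json.JSONDecodeError:
            continue  # wrapped or truncated log line
        token = body.get("token") if isinstance(body, dict) else None
        user = token.get("user") if isinstance(token, dict) else None
        if isinstance(user, dict):
            yield user


def find_affected(lines):
    """Federated users whose token "name" is just a copy of the generated "id"."""
    hits = []
    for user in token_users(lines):
        fed = user.get("OS-FEDERATION")
        if isinstance(fed, dict) and user.get("id") and user.get("name") == user["id"]:
            hits.append({"id": user["id"],
                         "idp": fed.get("identity_provider", {}).get("id"),
                         "protocol": fed.get("protocol", {}).get("id")})
    return hits


SAMPLE = [sample_line(UID),                   # symptom from the report
          sample_line("test1@example.test"),  # constructed: mapped name present
          "2016-05-26 10:08:03.000000 INFO:other:not a token line"]

if __name__ == "__main__":
    print(find_affected(SAMPLE))
```

Each hit names the identity provider and protocol, which helps tie an opaque ID seen in Horizon or in audit records back to the mapping that produced it.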

