
yahoo-eng-team team mailing list archive

[Bug 1575368] Re: Federation Unable to handle multiple groups

 

Our stable branch policy dictates that we don't backport features, and
an API-impacting one would be the first to be denied in review.

Sadly, it looks like a significant oversight in the original
implementation, though.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1575368

Title:
  Federation Unable to handle multiple groups

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  I'm using OIDC federated authentication, and I'm able to use the mapping JSON to do ephemeral user authentication.
  Following is my mapping JSON:

  [
      {
          "local": [
              {
                  "user": {
                      "name": "{0}"
                  },
                  "group": {
                      "id": "{1}"
                  },
                  "domain": {
                      "name": "default"
                  }
              }
          ],
          "remote": [
              {
                  "type": "HTTP_OIDC_EMAIL"
              },
              {
                  "type": "HTTP_OIDC_GROUP"
              },
              {
                  "type": "HTTP_OIDC_ISS",
                  "any_one_of": [
                      "https://myidp.cisco.com/oauth2"
                  ]
              }
          ]
      }
  ]

  When tested with the keystone-manage mapping, I'm able to see multiple groups properly.
  Output of the keystone mapping verification:

  {
    "group_ids": [
      "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
    ],
    "user": {
      "domain": {
        "id": "Federated"
      },
      "type": "ephemeral",
      "name": "kathurko@xxxxxxxxx"
    },
    "group_names": []
  }

  However, when the same flow is executed through OIDC, I get the
  following error message:

  {"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863',
  '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping
  was not found in the backend. (Disable debug mode to suppress these
  details.)", "code": 500, "title": "Internal Server Error"}}

  I looked into the util.py code and printed the groups that were coming
  into the validate_groups_in_backend function.

  validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
  2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
  2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id  ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
  2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)

  It looks like the list is formed incorrectly:
  [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]

  It should have been:
  [u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']

  Thanks,
  Krishna

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1575368/+subscriptions
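
The two malformed shapes in the report above (a list repr packed into one string in the debug log, and a comma-joined string in the mapping verification output) can be detected and flattened before any backend lookup, rejecting anything that is not a well-formed ID. This is an added example, not keystone's code and not from the bug reporter: normalize_group_ids is a hypothetical helper, and it assumes group IDs are 32 hex characters as in the report.

```python
import ast
import re

# Assumption: group IDs are 32 lowercase hex characters, as in the report.
GROUP_ID_RE = re.compile(r"[0-9a-f]{32}")


def normalize_group_ids(raw_ids):
    """Flatten mapped group IDs into one ID per list element.

    Handles a Python list repr packed into a single string and a
    comma-joined string. Raises ValueError (fail closed) if any
    resulting element is not a well-formed group ID.
    """
    flat = []
    for item in raw_ids:
        text = str(item).strip()
        if text.startswith("[") and text.endswith("]"):
            # literal_eval parses literals only; it never executes code.
            try:
                parts = [str(p) for p in ast.literal_eval(text)]
            except (ValueError, SyntaxError, RecursionError):
                raise ValueError("unparseable group list: %r" % text) from None
        else:
            parts = text.split(",")
        flat.extend(p.strip() for p in parts)

    bad = [g for g in flat if not GROUP_ID_RE.fullmatch(g)]
    if bad:
        # Never pass a malformed value on to the authorization backend.
        raise ValueError("rejecting malformed group IDs: %r" % bad)
    # Preserve order, drop duplicates.
    return list(dict.fromkeys(flat))


# Constructed inputs reproducing the shapes shown in the bug report.
REPR_SHAPE = ["['5207b97776914a6b9f99e1c985533863', "
              "'23a70aa1af5f4439afb628a10f53ade3']"]
CSV_SHAPE = ["5207b97776914a6b9f99e1c985533863,"
             "23a70aa1af5f4439afb628a10f53ade3"]
EXPECTED = ["5207b97776914a6b9f99e1c985533863",
            "23a70aa1af5f4439afb628a10f53ade3"]

if __name__ == "__main__":
    print(normalize_group_ids(REPR_SHAPE))
    print(normalize_group_ids(CSV_SHAPE))
```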

