yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1645910] [NEW] Trust creation for SSO users fails in assert_user_enabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Pooja Ghumre <poojaghumre@xxxxxxxxx>
Date: Tue, 29 Nov 2016 23:27:23 -0000
Reply-to: Bug 1645910 <1645910@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Openstack version: Mitaka
Operation: Heat stack/trust creation for SSO users

For SSO users, keystone trust creation workflow fails while asserting
that the user is enabled.

The assert_user_enabled() function in keystone/identity/core.py fails at the below line:
    self.resource_api.assert_domain_enabled(user['domain_id'])

Since user['domain_id'] throws a KeyError for federated users, this
function raises an exception. To avoid this failure, we should invoke
assert_domain_enabled() check conditionally only for local users.

Proposing to add a 'is_local' user flag to distinguish between local and
federated users so that we can conditionally assert the user domain and
do other such things.

** Affects: keystone
     Importance: Undecided
         Status: New

** Project changed: nova => keystone

** Description changed:

- Openstack version: Liberty
+ Openstack version: Mitaka
  Operation: Heat stack/trust creation for SSO users
  
  For SSO users, keystone trust creation workflow fails while asserting
  that the user is enabled.
  
  The assert_user_enabled() function in keystone/identity/core.py fails at the below line:
-     self.resource_api.assert_domain_enabled(user['domain_id'])
+     self.resource_api.assert_domain_enabled(user['domain_id'])
  
  Since user['domain_id'] throws a KeyError for federated users, this
  function raises an exception. To avoid this failure, we should invoke
  assert_domain_enabled() check conditionally only for local users.
  
  Proposing to add a 'is_local' user flag to distinguish between local and
  federated users so that we can conditionally assert the user domain and
  do other such things.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1645910

Title:
  Trust creation for SSO users fails in assert_user_enabled

Status in OpenStack Identity (keystone):
  New

Bug description:
  Openstack version: Mitaka
  Operation: Heat stack/trust creation for SSO users

  For SSO users, keystone trust creation workflow fails while asserting
  that the user is enabled.

  The assert_user_enabled() function in keystone/identity/core.py fails at the below line:
      self.resource_api.assert_domain_enabled(user['domain_id'])

  Since user['domain_id'] throws a KeyError for federated users, this
  function raises an exception. To avoid this failure, we should invoke
  assert_domain_enabled() check conditionally only for local users.

  Proposing to add a 'is_local' user flag to distinguish between local
  and federated users so that we can conditionally assert the user
  domain and do other such things.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1645910/+subscriptions

Follow ups

[Bug 1645910] Re: Trust creation for SSO users fails in assert_user_enabled
From: Lance Bragstad, 2017-03-07