yahoo-eng-team team mailing list archive
Message #59629
[Bug 1648798] [NEW] mapping yield no valid identity result in HTTP 500 error
Public bug reported:
New entry for the Fix Released bug
https://bugs.launchpad.net/keystone/+bug/1557238 in the hope it will get
more attention.
I got a meaningful 401 in the M release.
In the N release, with the same config (ADFS federation with saml2), I get this
generic error message with code 500; it forced me to dig into the Keystone
code to trace the origin of the error, and I found this change [1], which
is responsible.
If I revert the change to just write to the log, then an unscoped token
with no group is returned. From my point of view this is the correct
behavior, right? I just found out that federation is not limited to group
membership anymore, which is great, so why raise an exception if no
group can be mapped? Is it because the mappings try to map remote
properties to a local group? I find it pretty handy that a rule trying to
map both user and groups can still yield a token even if there is no
matching group in Keystone.
As an aside, I would be immensely grateful to anyone telling me how to
get the stack trace directly when such an exception appears in the browser
agent; tracing it manually was painful ;-( (OTOH I learnt a bit more
about the code).
The exception is thrown even when there are matching groups defined in
Keystone.
Here is my mapping rule:
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "domain": {
                    "name": "our_default_domain"
                }
            },
            {
                "groups": "{1}",
                "domain": {
                    "name": "our_default_domain"
                }
            }
        ],
        "remote": [
            {
                "type": "UPN"
            },
            {
                "type": "GROUPS"
            }
        ]
    }
]
Result if I let the exception be raised:
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
Result if I comment it:
{"token": {"issued_at": "2016-11-12T17:33:46.000000Z",
           "audit_ids": ["uwj6lVPqS2e0vgs4wCtcuQ"],
           "methods": ["saml2"],
           "expires_at": "2016-11-12T18:33:46.000000Z",
           "user": {"OS-FEDERATION": {"identity_provider": {"id": "xxxx-adfs"},
                                      "protocol": {"id": "saml2"},
                                      "groups": [{"id": "fe3f975be4da43c698ea3e7cf9e40b00"}]},
                    "domain": {"id": "Federated", "name": "Federated"},
                    "id": "0827722a5ebe4ef1af6c3d66b9ab55ec",
                    "name": "sylvain.benner@xxxxxxxx"}}}
[1] https://github.com/openstack/keystone/commit/7ba53701989490667d220a3faecae2b484a007c5#diff-123d55255e45e44f9baa492e882762b5R386
** Affects: keystone
Importance: Undecided
Status: New
** Tags: federation mappings
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1648798
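Added example, not part of the bug report and not Keystone's own mapping engine: a small evaluator for the rule shape the reporter posted, run against constructed SAML assertions, to make the two behaviours under discussion concrete. A "groups" reference that resolves to no local group either aborts the mapping (strict=True, surfacing as an error) or yields a groupless identity (strict=False). The group table, the assertions, the ';' delimiter for multi-valued attributes, the reading of an entry-level "domain" as applying to that entry, and the 401/500 shaping in http_response are all assumptions of this example.

```python
"""Added example: evaluate a Keystone-style mapping rule and show how an
unmatched "groups" reference is surfaced.  Not Keystone's own code."""
import json

# The reporter's mapping rule as posted above (domain name is theirs).
MAPPING_RULES = json.loads("""
[{"local": [{"user": {"name": "{0}"},
             "domain": {"name": "our_default_domain"}},
            {"groups": "{1}",
             "domain": {"name": "our_default_domain"}}],
  "remote": [{"type": "UPN"}, {"type": "GROUPS"}]}]
""")

# Constructed stand-in for Keystone's group table, keyed (domain, name) -> id.
LOCAL_GROUPS = {
    ("our_default_domain", "cloud-admins"): "0123456789abcdef0123456789abcdef",
    ("our_default_domain", "developers"): "fedcba9876543210fedcba9876543210",
}

# Constructed assertions, shaped as an auth plugin would hand them to the mapper.
ASSERTION_KNOWN = {"UPN": "alice@example.test", "GROUPS": "cloud-admins;developers"}
ASSERTION_UNKNOWN = {"UPN": "bob@example.test", "GROUPS": "Domain Users"}


class MappingError(Exception):
    """The mapping produced no usable local identity."""


def _remote_values(rule, assertion):
    """Values of the remote attributes a rule refers to, in template order,
    or None if any of them is missing from the assertion."""
    values = []
    for req in rule["remote"]:
        if req["type"] not in assertion:
            return None
        values.append(assertion[req["type"]])
    return values


def process(rules, assertion, local_groups, strict=True):
    """Evaluate the first rule whose remote attributes are all present.

    Returns {"name", "domain", "group_ids", "unmatched_groups"}.  With
    strict=True a rule that asked for groups but resolved none raises
    MappingError (the post-change behaviour the reporter hits); with
    strict=False the identity comes back with an empty group list (what they
    see after reverting the change).  An entry-level "domain" is taken to
    apply to that entry's "user" or "groups"; that is this example's
    convention, not a statement about Keystone's engine.
    """
    for rule in rules:
        values = _remote_values(rule, assertion)
        if values is None:
            continue
        identity = {"name": None, "domain": None, "group_ids": [], "unmatched_groups": []}
        group_domain = None
        for local in rule["local"]:
            domain = local.get("domain", {}).get("name")
            if "user" in local:
                identity["name"] = local["user"]["name"].format(*values)
                identity["domain"] = domain
            if "groups" in local:
                group_domain = domain
                # Multi-valued attributes are split on ';' here; how Keystone
                # itself delimits them is not something this example asserts.
                for name in local["groups"].format(*values).split(";"):
                    name = name.strip()
                    group_id = local_groups.get((domain, name))
                    if group_id is None:
                        identity["unmatched_groups"].append(name)
                    else:
                        identity["group_ids"].append(group_id)
        if identity["name"] is None:
            raise MappingError("rule mapped no user")
        if strict and group_domain is not None and not identity["group_ids"]:
            raise MappingError("none of %r exist as groups in domain %r"
                               % (identity["unmatched_groups"], group_domain))
        return identity
    raise MappingError("no mapping rule matched the assertion")


def http_response(assertion, local_groups, strict=True):
    """Shape the outcome the way an API layer would: a typed mapping failure
    becomes a 401 carrying its reason, anything unexpected becomes the
    generic 500 body quoted in the report.  (Example convention.)"""
    try:
        return 201, {"identity": process(MAPPING_RULES, assertion, local_groups, strict)}
    except MappingError as exc:
        return 401, {"error": {"code": 401, "title": "Unauthorized", "message": str(exc)}}
    except Exception:  # unclassified failure: hide the cause from the client
        return 500, {"error": {"code": 500, "title": "Internal Server Error",
                               "message": "An unexpected error prevented the "
                                          "server from fulfilling your request."}}


if __name__ == "__main__":
    for label, assertion in (("known", ASSERTION_KNOWN), ("unknown", ASSERTION_UNKNOWN)):
        for strict in (True, False):
            status, body = http_response(assertion, LOCAL_GROUPS, strict)
            print("%s groups, strict=%s -> %d %s" % (label, strict, status, json.dumps(body)))
```

The practical point the example makes: an unhandled exception in the mapping path is exactly what turns a diagnosable auth failure into the generic 500 body quoted above, whereas a typed exception can be reported as a 401 with its reason without leaking anything else. On the stack-trace question, the body of a 500 is deliberately generic and never carries the traceback; Keystone writes that to its own log on the server, so that is where to look rather than in the browser.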