yahoo-eng-team team mailing list archive
Message #60583
[Bug 1629446] Re: federated login fails after user is removed from group
** Also affects: keystone/newton
Importance: Undecided
Status: New
** Also affects: keystone/mitaka
Importance: Undecided
Status: New
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone/mitaka
Importance: Undecided => Medium
** Changed in: keystone/newton
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1629446
Title:
federated login fails after user is removed from group
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Identity (keystone) mitaka series:
New
Status in OpenStack Identity (keystone) newton series:
New
Bug description:
A user who is part of a group in auth0 tries to log in using the mapping
below just fine
[
    {
        "local": [
            {
                "user": {
                    "name": "{1}::{0}"
                }
            },
            {
                "domain": {
                    "id": "default"
                },
                "groups": "{1}"
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_CLAIM_EMAIL"
            },
            {
                "type": "HTTP_OIDC_CLAIM_GROUPS"
            }
        ]
    }
]
Once the user is removed from the group in auth0 and tries to log in:
Expected Result:
Failed to log on to horizon as federation user using OpenID Connect protocol and got 401 code:
{"error": {"message": "The request you have made requires
authentication.", "code": 401, "title": "Unauthorized"}}
Actual Result:
Got 500 instead of 401
{"error": {"message": "An unexpected error prevented the server from
fulfilling your request.", "code": 500, "title": "Internal Server
Error"}}
error in keystone-all.logs:
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi [req-f5f27f59-788b-494b-9719-bcdbb6b628c0 - - - - -] unexpected EOF while parsing (<unknown>, line 0)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/common/wsgi.py", line 249, in __call__
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi result = method(context, **params)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/controllers.py", line 329, in federated_idp_specific_sso_auth
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi res = self.federated_authentication(context, idp_id, protocol_id)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/controllers.py", line 302, in federated_authentication
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi return self.authenticate_for_token(context, auth=auth)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 396, in authenticate_for_token
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 520, in authenticate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi auth_context)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi self.identity_api)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 141, in handle_unscoped_token
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi federation_api, identity_api)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 194, in apply_mapping_filter
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi identity_provider, protocol, assertion)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in wrapped
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/core.py", line 98, in evaluate
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi mapped_properties = rule_processor.process(assertion_data)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/utils.py", line 544, in process
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi mapped_properties = self._transform(identity_values)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/federation/utils.py", line 647, in _transform
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi identity_value['groups'])
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/usr/lib/python2.7/ast.py", line 49, in literal_eval
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi node_or_string = parse(node_or_string, mode='eval')
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "/usr/lib/python2.7/ast.py", line 37, in parse
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi return compile(source, filename, mode, PyCF_ONLY_AST)
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi File "<unknown>", line 0
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi ^
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi SyntaxError: unexpected EOF while parsing
2016-09-30 19:32:25.549 23311 ERROR keystone.common.wsgi
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1629446/+subscriptions
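Added example, not part of the bug report and not keystone's own code: the traceback ends in ast.literal_eval() on the substituted "groups" value, and the sketch below shows that call failing on an empty value next to a parser that rejects the login with a 401 instead. Assumptions: the groups claim arrives as an empty string once the user has no groups, and the names Unauthorized, parse_groups_unsafe, parse_groups and status_for are hypothetical.

```python
import ast


class Unauthorized(Exception):
    """Hypothetical stand-in for the 401 response the report expects."""


def parse_groups_unsafe(raw):
    # Same call as the last keystone frame in the traceback:
    # literal_eval on the substituted "groups" value, with no guard.
    return ast.literal_eval(raw)


def parse_groups(raw):
    """Return the group names in `raw`, or raise Unauthorized.

    `raw` is the string produced by substituting the remote groups claim
    into "groups": "{1}" (assumed empty once the user has no groups).
    """
    if raw is None or not raw.strip():
        raise Unauthorized("assertion maps to no groups")
    try:
        value = ast.literal_eval(raw)
    except (SyntaxError, ValueError):
        # Not a Python literal (e.g. a bare name): treat as one group name.
        value = [raw.strip()]
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, (list, tuple)) or not value:
        raise Unauthorized("groups value is not a non-empty list")
    if not all(isinstance(g, str) and g.strip() for g in value):
        raise Unauthorized("groups value contains an invalid entry")
    return [g.strip() for g in value]


def status_for(raw, parser):
    """Map a parser outcome to the HTTP status a caller would return."""
    try:
        parser(raw)
        return 200
    except Unauthorized:
        return 401
    except Exception:
        return 500  # unhandled parser error, as in the report


# Constructed sample values for the groups claim.
SAMPLES = ["['admins', 'dev']", "", "   ", "[]"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), status_for(s, parse_groups_unsafe), status_for(s, parse_groups))
```

The "[]" sample passes the unguarded call with an empty list, so a fail-closed check on the parsed result is needed in addition to catching SyntaxError.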