yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1662762] [NEW] Authentication for LDAP user fails at MFA rule check

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Divya K Konoor <dikonoor@xxxxxxxxxx>
Date: Wed, 08 Feb 2017 05:15:09 -0000
Reply-to: Bug 1662762 <1662762@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

I have a openstack master with LDAP server configured (fernet token
provider). With the new changes around MFA rules
(https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-
reqs), I see that the authentication (POST /token) call fails at
https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377

    def check_auth_methods_against_rules(self, user_id, auth_methods):       
        user_ref = self.identity_api.get_user(user_id)
        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

In the last line the code flow expects user_Ref to always have an
options attribute and this is not present for LDAP users due to which we
get the below and authentication fails

INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'


dikonoor> dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.
<dikonoor> dstanek: and how it gets populated
<dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
<dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
<dstanek> morgan: ^ does that sound correct?
<dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this
<dstanek> dikonoor: i prefer empty to the models look the same

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1662762

Title:
  Authentication for LDAP user fails at MFA rule check

Status in OpenStack Identity (keystone):
  New

Bug description:
  I have a openstack master with LDAP server configured (fernet token
  provider). With the new changes around MFA rules
  (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-
  reqs), I see that the authentication (POST /token) call fails at
  https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377

      def check_auth_methods_against_rules(self, user_id, auth_methods):       
          user_ref = self.identity_api.get_user(user_id)
          mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  In the last line the code flow expects user_Ref to always have an
  options attribute and this is not present for LDAP users due to which
  we get the below and authentication fails

  INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
  ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
  ERROR keystone.common.wsgi Traceback (most recent call last):
  ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
  ERROR keystone.common.wsgi result = method(req, **params)
  ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
  ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
  ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
  ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  ERROR keystone.common.wsgi KeyError: 'options'

  
  dikonoor> dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.
  <dikonoor> dstanek: and how it gets populated
  <dstanek> dikonoor: it appears that it is mandatory and that we only added it to the SQL model
  <dstanek> i think maybe the LDAP model should always have an empty options dictionary as an attribute
  <dstanek> morgan: ^ does that sound correct?
  <dikonoor> dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this
  <dstanek> dikonoor: i prefer empty to the models look the same

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1662762/+subscriptions

Follow ups

[Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check
From: Lance Bragstad, 2017-05-16
[Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check
From: OpenStack Infra, 2017-02-24
[Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check
From: Lance Bragstad, 2017-02-08