yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #61810
[Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check
Reviewed: https://review.openstack.org/437402
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Submitter: Jenkins
Branch: master
commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Author: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date: Fri Feb 24 00:41:11 2017 -0500
Fix MFA rule checks for LDAP auth
LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.
Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1662762
Title:
Authentication for LDAP user fails at MFA rule check
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) ocata series:
Triaged
Bug description:
I have a openstack master with LDAP server configured (fernet token
provider). With the new changes around MFA rules
(https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-
reqs), I see that the authentication (POST /token) call fails at
https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
def check_auth_methods_against_rules(self, user_id, auth_methods):
user_ref = self.identity_api.get_user(user_id)
mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
In the last line the code flow expects user_Ref to always have an
options attribute and this is not present for LDAP users due to which
we get the below and authentication fails
INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
ERROR keystone.common.wsgi result = method(req, **params)
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
ERROR keystone.common.wsgi mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
ERROR keystone.common.wsgi KeyError: 'options'
Conversation from #openstack-keystone on Freenode:
http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-07.log.html#t2017-02-07T14:01:09
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1662762/+subscriptions
References