yahoo-eng-team team mailing list archive
Message #62239
[Bug 1672425] [NEW] No 'options' attribute in user_ref when using LDAP identity backend
Public bug reported:
While testing the Ocata codebase, it seems that the addition of
multifactor auth in core breaks our LDAP identity backend.
We are getting an exception while loading the user to check if it has
MFA enabled or not. The LDAP identity driver does not provide an options
attribute for the user, and then it throws an exception in this specific
line
(https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)
To give some context, these are the 2 lines concerned
(keystone/auth/core.py):
376: user_ref = self.identity_api.get_user(user_id)
377: mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
The first one loads the user from the identity driver and the 2nd one
uses an attribute that does not exist in the LDAP implementation, so it
throws an exception.
** Affects: keystone
Importance: Undecided
Status: New
** Description changed:
While testing the ocata codebase, it seems that the addition of the
multifactor auth in core, breaks our LDAP identity backend.
We are getting an exception while loading the user to check if it has
MFA enabled or not. The LDAP identity driver does not provide a options
attribute for the user and then it throws an exception in this specific
line
(https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)
- For giving some context, I am adding the whole function
+ For giving some context, in keystone/auth/core.py
- 366: def check_auth_methods_against_rules(self, user_id, auth_methods):
- 367: """Validate the MFA rules against the successful auth methods.
- 368:
- 369: :param user_id: The user's ID (uuid).
- 370: :type user_id: str
- 371: :param auth_methods: List of methods that were used for auth
- 372: :type auth_methods: set
- 373: :returns: Boolean, ``True`` means rules match and auth may proceed,
- 374: ``False`` means rules do not match.
- 375: """
376: user_ref = self.identity_api.get_user(user_id)
377: mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
The first one loads the user from the identity driver and the 2nd one
uses an attribute that does not exist in LDAP implementation, so it
throws an exception
** Description changed:
While testing the ocata codebase, it seems that the addition of the
multifactor auth in core, breaks our LDAP identity backend.
We are getting an exception while loading the user to check if it has
MFA enabled or not. The LDAP identity driver does not provide a options
attribute for the user and then it throws an exception in this specific
line
(https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)
- For giving some context, in keystone/auth/core.py
-
+ For giving some context, I am adding the whole function
+ :::python
+ 366: def check_auth_methods_against_rules(self, user_id, auth_methods):
+ 367: """Validate the MFA rules against the successful auth methods.
+ 368:
+ 369: :param user_id: The user's ID (uuid).
+ 370: :type user_id: str
+ 371: :param auth_methods: List of methods that were used for auth
+ 372: :type auth_methods: set
+ 373: :returns: Boolean, ``True`` means rules match and auth may proceed,
+ 374: ``False`` means rules do not match.
+ 375: """
376: user_ref = self.identity_api.get_user(user_id)
377: mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
The first one loads the user from the identity driver and the 2nd one
uses an attribute that does not exist in LDAP implementation, so it
throws an exception
** Description changed:
While testing the ocata codebase, it seems that the addition of the
multifactor auth in core, breaks our LDAP identity backend.
We are getting an exception while loading the user to check if it has
MFA enabled or not. The LDAP identity driver does not provide a options
attribute for the user and then it throws an exception in this specific
line
(https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)
For giving some context, I am adding the whole function
- :::python
+ (keystone/auth/core.py)
+
+
366: def check_auth_methods_against_rules(self, user_id, auth_methods):
367: """Validate the MFA rules against the successful auth methods.
368:
369: :param user_id: The user's ID (uuid).
370: :type user_id: str
371: :param auth_methods: List of methods that were used for auth
372: :type auth_methods: set
373: :returns: Boolean, ``True`` means rules match and auth may proceed,
374: ``False`` means rules do not match.
375: """
376: user_ref = self.identity_api.get_user(user_id)
377: mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
The first one loads the user from the identity driver and the 2nd one
uses an attribute that does not exist in LDAP implementation, so it
throws an exception
** Description changed:
While testing the ocata codebase, it seems that the addition of the
multifactor auth in core, breaks our LDAP identity backend.
We are getting an exception while loading the user to check if it has
MFA enabled or not. The LDAP identity driver does not provide a options
attribute for the user and then it throws an exception in this specific
line
(https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)
- For giving some context, I am adding the whole function
+ For giving some context, these are the 2 lines concerned
(keystone/auth/core.py)
-
- 366: def check_auth_methods_against_rules(self, user_id, auth_methods):
- 367: """Validate the MFA rules against the successful auth methods.
- 368:
- 369: :param user_id: The user's ID (uuid).
- 370: :type user_id: str
- 371: :param auth_methods: List of methods that were used for auth
- 372: :type auth_methods: set
- 373: :returns: Boolean, ``True`` means rules match and auth may proceed,
- 374: ``False`` means rules do not match.
- 375: """
376: user_ref = self.identity_api.get_user(user_id)
377: mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
The first one loads the user from the identity driver and the 2nd one
uses an attribute that does not exist in LDAP implementation, so it
throws an exception
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1672425
Title:
No 'options' attribute in user_ref when using LDAP identity backend
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1672425/+subscriptions
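
The failure reported above, reproduced as an added example (not keystone code and not from the bug reporter): a user reference without an 'options' key breaks the lookup from line 377, and a tolerant lookup is shown beside it. The option-name constant, the two sample user references and the simplified rule check are constructed assumptions.

```python
# Added illustration. Only the 'options' key comes from the bug report;
# every other name and value here is constructed for the example.
MFA_RULES_KEY = "multi_factor_auth_rules"  # assumed stand-in for ro.MFA_RULES_OPT.option_name

# Constructed user references, shaped like what two identity drivers might return.
SQL_USER = {"id": "u-sql", "name": "alice",
            "options": {MFA_RULES_KEY: [["password", "totp"]]}}
LDAP_USER = {"id": "u-ldap", "name": "bob"}  # no 'options' key at all


def mfa_rules_strict(user_ref):
    """Same shape as line 377 in the report: KeyError when 'options' is absent."""
    return user_ref["options"].get(MFA_RULES_KEY, [])


def mfa_rules_tolerant(user_ref):
    """Treat a missing or None 'options' attribute as 'no rules stored'."""
    options = user_ref.get("options") or {}
    return options.get(MFA_RULES_KEY, [])


def methods_satisfy_rules(rules, auth_methods):
    """Simplified check (assumption): pass when there are no rules, or when
    every method named by at least one rule was used to authenticate."""
    rule_sets = [set(rule) for rule in rules if rule]
    if not rule_sets:
        return True
    used = set(auth_methods)
    return any(rule <= used for rule in rule_sets)


def check(user_ref, auth_methods, lookup=mfa_rules_tolerant):
    """Load the rules with the chosen lookup and evaluate them."""
    return methods_satisfy_rules(lookup(user_ref), auth_methods)


if __name__ == "__main__":
    for user in (SQL_USER, LDAP_USER):
        try:
            print(user["id"], "strict:", check(user, {"password"}, mfa_rules_strict))
        except KeyError as exc:
            print(user["id"], "strict lookup raised KeyError:", exc)
        print(user["id"], "tolerant:", check(user, {"password"}))
```

With the tolerant lookup, a user whose backend stores no options is handled as having no MFA rules, so rule enforcement does not apply to that user.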