
yahoo-eng-team team mailing list archive

[Bug 1648798] Re: mapping yield no valid identity result in HTTP 500 error

 

*** This bug is a duplicate of bug 1557238 ***
    https://bugs.launchpad.net/bugs/1557238

** This bug has been marked a duplicate of bug 1557238
   mapping yield no valid identity result in HTTP 500 error

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1648798

Title:
  mapping yield no valid identity result in HTTP 500 error

Status in OpenStack Identity (keystone):
  New

Bug description:
  New entry for the Fix Released bug
  https://bugs.launchpad.net/keystone/+bug/1557238 in the hope it will
  get more attention.

  I got a meaningful 401 in M release.

  In N release with the same config (ADFS federation with saml2) I get
  this generic error message with code 500; it forced me to dig into the
  Keystone code to trace the origin of the error, and I found this change
  [1] which is responsible.

  If I revert the change to just write to the log, then an unscoped token
  with no group is returned. From my point of view this is the correct
  behavior, right? I just found out that federation is not limited to
  group membership anymore, which is great, so why raise an exception
  if no group can be mapped? Is it because the mappings try to map
  remote properties to a local group? I find it pretty handy that a rule
  trying to map both user and groups can still yield a token even if
  there is no matching group in Keystone.

  As an aside, I would be immensely grateful for anyone telling me how
  to get the stack trace directly when such an exception appears in the
  browser agent; tracing it manually was painful ;-( (OTOH I learnt a
  bit more about the code).

  The exception is thrown even when there are matching groups defined in
  Keystone.

  Here is my mapping rule:

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}"
          },
          "domain": {
            "name": "our_default_domain"
          }
        },
        {
          "groups": "{1}",
          "domain": {
            "name": "our_default_domain"
          }
        }
      ],
      "remote": [
        {
          "type": "UPN"
        },
        {
          "type": "GROUPS"
        }
      ]
    }
  ]

  Result if I let the exception be raised:

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  Result if I comment it:

  {"token": {"issued_at": "2016-11-12T17:33:46.000000Z", "audit_ids":
  ["uwj6lVPqS2e0vgs4wCtcuQ"], "methods": ["saml2"], "expires_at":
  "2016-11-12T18:33:46.000000Z", "user": {"OS-FEDERATION":
  {"identity_provider": {"id": "xxxx-adfs"}, "protocol": {"id":
  "saml2"}, "groups": [{"id": "fe3f975be4da43c698ea3e7cf9e40b00"}]},
  "domain": {"id": "Federated", "name": "Federated"}, "id":
  "0827722a5ebe4ef1af6c3d66b9ab55ec", "name":
  "sylvain.benner@xxxxxxxx"}}}

  
  [1] https://github.com/openstack/keystone/commit/7ba53701989490667d220a3faecae2b484a007c5#diff-123d55255e45e44f9baa492e882762b5R386

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1648798/+subscriptions
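The rule quoted in the report maps the UPN attribute to a user name and the GROUPS attribute to local group names, and the complaint is about what happens when the user part maps but none of the remote group names exists in Keystone. The following is an added, self-contained illustration of that evaluation, not Keystone's own code: a minimal evaluator for a mapping rule of that shape, with a constructed local group table and constructed assertions. The placeholder handling (a template that is exactly one `{n}` keeps the value's type, so a list of group names stays a list), the decision to ignore unknown group names rather than fail, the absence of whitelist/blacklist/regex matching, and the 401-versus-500 error shaping are all simplifying assumptions of this example, not statements about how Keystone's mapping engine behaves.

```python
import json

# Constructed example (not Keystone code): a minimal evaluator for a federation
# mapping rule of the shape quoted in the bug report. Group lookup, placeholder
# handling and HTTP error shaping are simplified assumptions.

MAPPING_RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}"}, "domain": {"name": "our_default_domain"}},
      {"groups": "{1}", "domain": {"name": "our_default_domain"}}
    ],
    "remote": [
      {"type": "UPN"},
      {"type": "GROUPS"}
    ]
  }
]
""")

# Constructed local group table: domain name -> group name -> group id (ids are made up).
LOCAL_GROUPS = {
    "our_default_domain": {
        "cloud-operators": "11111111111111111111111111111111",
        "cloud-auditors": "22222222222222222222222222222222",
    }
}


class MappingValidationError(Exception):
    """The assertion does not satisfy the mapping: a client-side failure, not a server fault."""


def _remote_values(rule, assertion):
    """Collect the remote attribute values the rule refers to, in rule order.

    Returns None when a required attribute is absent, meaning the rule does not
    apply to this assertion (assumption: plain presence checks only).
    """
    values = []
    for requirement in rule["remote"]:
        value = assertion.get(requirement["type"])
        if value is None:
            return None
        values.append(value)
    return values


def _substitute(template, values):
    """Replace '{n}' with the n-th remote value; a bare placeholder keeps the value's type."""
    for index, value in enumerate(values):
        if template == "{%d}" % index:
            return value
    return template.format(*[v if isinstance(v, str) else ",".join(v) for v in values])


def map_identity(rules, assertion, local_groups):
    """Apply the first matching rule and resolve group names to local group ids.

    Returns {"user": ..., "group_ids": [...]}; group_ids is empty when the user
    mapped but no remote group name exists locally (the situation in the report).
    Raises MappingValidationError when no rule applies or nothing at all mapped.
    """
    for rule in rules:
        values = _remote_values(rule, assertion)
        if values is None:
            continue
        user, group_ids = None, []
        for local in rule["local"]:
            domain = local.get("domain", {}).get("name")
            if "user" in local:
                user = {"name": _substitute(local["user"]["name"], values), "domain": domain}
            if "groups" in local:
                names = _substitute(local["groups"], values)
                if isinstance(names, str):
                    names = [names]
                known = local_groups.get(domain, {})
                # Assumption: unknown remote group names are skipped rather than fatal.
                group_ids = [known[n] for n in names if n in known]
        if user is None and not group_ids:
            raise MappingValidationError("rule matched but mapped neither a user nor any group")
        return {"user": user, "group_ids": group_ids}
    raise MappingValidationError("no mapping rule matched the assertion attributes")


def http_response(action):
    """Run a mapping step and shape the outcome like the two responses in the report.

    Mapping failures become a 401 carrying the reason; only genuinely unexpected
    exceptions fall through to the generic 500 body the reporter had to trace.
    """
    try:
        return 200, action()
    except MappingValidationError as exc:
        return 401, {"error": {"code": 401, "title": "Unauthorized", "message": str(exc)}}
    except Exception:
        return 500, {"error": {"code": 500, "title": "Internal Server Error",
                               "message": "An unexpected error prevented the server "
                                          "from fulfilling your request."}}


# Constructed assertions; attribute names match the rule's remote types.
ASSERTION_WITH_GROUPS = {"UPN": "alice@example.test", "GROUPS": ["cloud-operators", "not-in-keystone"]}
ASSERTION_NO_LOCAL_GROUPS = {"UPN": "alice@example.test", "GROUPS": ["not-in-keystone"]}
ASSERTION_NO_UPN = {"GROUPS": ["cloud-operators"]}

if __name__ == "__main__":
    for assertion in (ASSERTION_WITH_GROUPS, ASSERTION_NO_LOCAL_GROUPS, ASSERTION_NO_UPN):
        status, body = http_response(lambda: map_identity(MAPPING_RULES, assertion, LOCAL_GROUPS))
        print(status, json.dumps(body))
```

Running the block prints three outcomes: a user with one resolved group id, a user with an empty group list (the reporter's case, returned rather than raised), and a 401 with a readable reason when the UPN attribute is missing entirely. The point for an operator is the separation between "the assertion did not satisfy the mapping" (a client-visible 4xx with the reason) and a real server fault (the generic 500 body), which is what makes a failed federated login diagnosable from the response alone.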

