yahoo-eng-team team mailing list archive
Message #70786
[Bug 1746599] [NEW] User email not being set for federated shadow users
Public bug reported:
keystone version: openstack-keystone-12.0.0-1.el7.noarch (RPM installed
in a kolla container)
We are using OpenID Connect federation with the following mapping rules:
$ openstack mapping show map_rules -f json
{
  "rules": [
    {
      "local": [
        {
          "user": {
            "name": "{0}",
            "email": "{4}"
          }
        },
        {
          "projects": [
            {
              "name": "{1}",
              "roles": [
                {
                  "name": "_member_"
                }
              ]
            }
          ]
        }
      ],
      "remote": [
        {
          "type": "OIDC-upn"
        },
        {
          "type": "OIDC-name"
        },
        {
          "type": "OIDC-given_name"
        },
        {
          "type": "OIDC-family_name"
        },
        {
          "type": "OIDC-unique_name"
        }
      ]
    }
  ],
  "id": "map_rules"
}
Identity provider:
$ openstack identity provider show openid-lab
+-------------+---------------------------------------------------------------+
| Field       | Value                                                         |
+-------------+---------------------------------------------------------------+
| description | None                                                          |
| domain_id   | 98401b16aa754830aa7e3eab92e7603b                              |
| enabled     | True                                                          |
| id          | openid-lab                                                    |
| remote_ids  | https://sts.windows.net/xxx-xxx-xxx-xxx/                      |
+-------------+---------------------------------------------------------------+
Federation protocol:
$ openstack federation protocol show --identity-provider openid-lab openid
+---------+-----------+
| Field   | Value     |
+---------+-----------+
| id      | openid    |
| mapping | map_rules |
+---------+-----------+
What should happen:
I would expect the user to get created with the email set like this:
$ openstack user show dbe5470baecb47fa95f3e0512b0f5744
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 98401b16aa754830aa7e3eab92e7603b |
| email               | martin.chlumsky@xxxxxxxxxx       |
| enabled             | True                             |
| id                  | dbe5470baecb47fa95f3e0512b0f5744 |
| name                | martin.chlumsky@xxxxxxxxxx       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
What happens:
The user email doesn't get added to the user:
$ openstack user show dbe5470baecb47fa95f3e0512b0f5744
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 98401b16aa754830aa7e3eab92e7603b |
| enabled             | True                             |
| id                  | dbe5470baecb47fa95f3e0512b0f5744 |
| name                | martin.chlumsky@xxxxxxxxxx       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
I can see the email property getting mapped correctly in the logs:
2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] rules: [{u'remote': [{u'type': u'OIDC-upn'}, {u'type': u'OIDC-name'}, {u'type': u'OIDC-given_name'}, {u'type': u'OIDC-family_name'}, {u'type': u'OIDC-unique_name'}], u'local': [{u'user': {u'name': u'{0}', u'email': u'{4}'}}, {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:518
2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'martin.chlumsky@xxxxxxxxxx'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'martin.chlumsky@xxxxxxxxxx'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'user': {u'name': u'{0}', u'email': u'{4}'}} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{0}', u'email': u'{4}'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{1}', u'roles': [{u'name': u'_member_'}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'_member_'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] identity_values: [{u'user': {u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}}, {u'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:538
2018-01-31 20:51:05.126 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []} process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:540
2018-01-31 20:51:05.126 19 INFO keystone.auth.plugins.mapped [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] bifbaz: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1746599
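
Added example (not part of the original bug report and not keystone code): a check for the symptom described above, comparing the user block that keystone logs as mapped_properties with the record printed by `openstack user show` and listing attributes the mapping produced but the stored user lacks. The sample log line, table and address are constructed, and the function names are hypothetical.

```python
import ast
import re

# Constructed sample inputs modelled on the report (address and request id are placeholders).
LOG_LINE = (
    "2018-01-31 20:51:05.126 19 DEBUG keystone.federation.utils [req-x - - - - -] "
    "mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, "
    "'type': 'ephemeral', u'name': u'alice@example.com', u'email': u'alice@example.com'}, "
    "'projects': [], 'group_names': []} process /usr/lib/python2.7/site-packages/"
    "keystone/federation/utils.py:540"
)
USER_SHOW = """\
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 98401b16aa754830aa7e3eab92e7603b |
| enabled   | True                             |
| name      | alice@example.com                |
+-----------+----------------------------------+
"""
RULE_LOCAL_USER = {"name": "{0}", "email": "{4}"}  # the rule's local "user" block


def mapped_user(log_line):
    """Return the 'user' dict from a keystone mapped_properties debug line."""
    m = re.search(r"mapped_properties: (\{.*\}) process ", log_line)
    if not m:
        raise ValueError("no mapped_properties payload in line")
    # The payload is a Python 2 repr; u'' literals still parse on Python 3.
    return ast.literal_eval(m.group(1))["user"]


def parse_show_table(text):
    """Parse the Field/Value table printed by `openstack user show`."""
    rows = re.findall(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$", text, re.M)
    return {k: v for k, v in rows if k != "Field"}


def dropped_attributes(rule_user, log_line, show_text):
    """Attributes the rule requested and the engine mapped, but the user lacks."""
    mapped, stored = mapped_user(log_line), parse_show_table(show_text)
    return {k: mapped[k] for k in rule_user
            if k in mapped and stored.get(k) != mapped[k]}


if __name__ == "__main__":
    print(dropped_attributes(RULE_LOCAL_USER, LOG_LINE, USER_SHOW))
```

Only the keys named in the rule's local user block are compared, so engine-internal keys such as 'domain' and 'type' are not reported.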