
yahoo-eng-team team mailing list archive

[Bug 1750917] Re: Insufficient logging when xmlsec binary is missing

 

Reviewed:  https://review.openstack.org/553592
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ccdf2d976f4d26df4f6a2a915da6ff0f643757ac
Submitter: Zuul
Branch:    master

commit ccdf2d976f4d26df4f6a2a915da6ff0f643757ac
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Thu Mar 15 19:39:43 2018 +0000

    Add logging for xmlsec1 installation
    
    Keystone uses a library called xmlsec1 to create SAML assertions when
    acting as an identity provider. If this library isn't present and
    someone attempts to authenticate, keystone will throw an HTTP 500.
    The only thing the error says is that a file or directory doesn't
    exist.
    
    This patch uses subprocess to check if the provided binary actually
    exists on the system and handles cases when it isn't and logs a
    useful message for operators.
    
    Change-Id: I41cf87702df5389c1424d35f0abcef9c16301450
    Closes-Bug: 1750917


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1750917

Title:
  Insufficient logging when xmlsec binary is missing

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone log is also unhelpful. All we got is

  "ERROR idp _sign_assertion Error when signing assertion, reason:
  [Errno 2] No such file or directory"

  When the xmlsec1 package is absent.

  We may need to add a check here

  https://github.com/openstack/keystone/blob/master/keystone/federation/idp.py#L421

  to see if CONF.saml.xmlsec1_binary exists. If absent, we just need to
  provide a more helpful log entry.

  Steps to reproduce:

  1. Install devstack and enable federation.
  2. Uninstall the xmlsec1 package
  3. Try to authenticate via federation and you'll get an HTTP 500 error and the corresponding log entry in keystone.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750917/+subscriptions
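
The kind of check the commit message and bug description call for, as an added example (not keystone's code; the actual fix is the commit referenced above). `SigningBinaryError`, `resolve_signing_binary`, `run_signer` and the logger name are hypothetical, and the existence check uses `shutil.which` rather than spawning a process.

```python
import logging
import shutil
import subprocess

LOG = logging.getLogger("saml_idp_example")   # hypothetical logger name
OPTION = "[saml] xmlsec1_binary"              # CONF.saml.xmlsec1_binary on the page


class SigningBinaryError(RuntimeError):
    """Hypothetical exception: the configured signing binary is unusable."""


def resolve_signing_binary(configured, search_path=None):
    """Return the binary's resolved path, or log an actionable error and raise."""
    resolved = shutil.which(configured, path=search_path)
    if resolved is None:
        msg = ("Cannot sign SAML assertions: %s is %r, which is not an "
               "executable file on this host. Install the xmlsec1 package "
               "or correct the option." % (OPTION, configured))
        LOG.error(msg)
        raise SigningBinaryError(msg)
    return resolved


def run_signer(configured, args, search_path=None):
    """Run the binary with an argv list (never a shell string); return stdout."""
    binary = resolve_signing_binary(configured, search_path)
    try:
        done = subprocess.run([binary, *args], capture_output=True, check=True)
    except OSError as exc:
        # Binary removed or made unreadable between the check and the call:
        # name the file, unlike the bare "[Errno 2]" line in the bug report.
        LOG.error("Could not execute %s: %s", binary, exc)
        raise SigningBinaryError("could not execute %s: %s" % (binary, exc)) from exc
    except subprocess.CalledProcessError as exc:
        stderr = exc.stderr.decode(errors="replace").strip()
        LOG.error("%s exited with status %d: %s", binary, exc.returncode, stderr)
        raise SigningBinaryError(
            "%s exited with status %d" % (binary, exc.returncode)) from exc
    return done.stdout
```

Calling `resolve_signing_binary` once at service start surfaces a missing package before the first federated login, and the `OSError` branch covers the binary disappearing afterwards.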

