
yahoo-eng-team team mailing list archive

[Bug 1758460] [NEW] UUID (or any persistent) token providers unable to validate federation token

 

Public bug reported:

With the UUID token provider and WebSSO enabled, a token obtained via
WebSSO will not validate in Keystone. In the Keystone log,
you'll see something similar to these.

46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, u'is_domain': None, 'user_id': u'7e93953eda38423f919d83da2544c683', 'expires': datetime.datetime(2018, 3, 24, 0, 24, 8), u'token_data': {u'token': {u'is_domain': False, u'service_providers': [{u'sp_url': u'https://mytest:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'https://mytest:5000/v3', u'id': u'ks-sp-server'}], u'methods': [u'token', u'saml2'], u'roles': [{u'domain_id': None, u'id': u'9fe2ff9ee4384b1894a90878d3e92bab', u'name': u'_member_'}], u'is_admin_project': False, u'project': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'},
...


Looking at the code, it appears we never rebuild federated token roles for UUID (persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L610

We only do that for Fernet (non-persistence) tokens.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L635

Consequently, when we try to glue the token data together, the roles are
being rebuilt as if the token is a regular token, which results in a role
assignment not being found.

https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L649
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L418
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L344
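To make the failure mode concrete, here is a small model of the two role-rebuilding paths the report contrasts. This is an added illustration written for this page, not Keystone's code: the assignment backend, the token dictionaries (built from the identifiers in the log above, with a constructed `OS-FEDERATION` user block) and the function names are all assumptions. A federated user is ephemeral and has no local role assignment, so rebuilding its roles from the assignment backend, as the persistent-token path does, fails exactly as the log shows; reusing the roles that the federation mapping already placed in the persisted token data, as the Fernet path does, validates.

```python
"""Model of role rebuilding at token-validation time (illustration, not Keystone code)."""


class ValidationError(Exception):
    """Raised when a token cannot be validated (stands in for Keystone's 401)."""


# Constructed assignment backend: only a local user has a role on the project.
# Federated users never appear here; their roles come from the IdP mapping.
ASSIGNMENTS = {
    ("local-user-id", "8d344d1178964026b20be32438b484be"): ["_member_"],
}


def list_assignment_roles(user_id, project_id):
    """Stand-in for the assignment lookup a regular token validation performs."""
    return ASSIGNMENTS.get((user_id, project_id), [])


# Federated token data, built from the identifiers in the log excerpt above.
# The 'OS-FEDERATION' block under 'user' is an assumption for the example.
FEDERATED_TOKEN_DATA = {
    "token": {
        "methods": ["token", "saml2"],
        "user": {
            "id": "7e93953eda38423f919d83da2544c683",
            "OS-FEDERATION": {"identity_provider": {"id": "example-idp"}},
        },
        "project": {"id": "8d344d1178964026b20be32438b484be", "name": "websso-project1"},
        "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}],
    }
}

# Regular (non-federated) token for a local user, constructed for comparison.
LOCAL_TOKEN_DATA = {
    "token": {
        "methods": ["password"],
        "user": {"id": "local-user-id"},
        "project": {"id": "8d344d1178964026b20be32438b484be", "name": "websso-project1"},
        "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}],
    }
}


def is_federated(token_data):
    """A federated token carries OS-FEDERATION user data or a federation auth method."""
    token = token_data["token"]
    return "OS-FEDERATION" in token["user"] or "saml2" in token.get("methods", [])


def populate_roles_regular_only(token_data):
    """Path the report describes for persistent tokens: roles are always rebuilt
    from the assignment backend, which an ephemeral federated user has no entry in."""
    token = token_data["token"]
    user_id, project_id = token["user"]["id"], token["project"]["id"]
    roles = list_assignment_roles(user_id, project_id)
    if not roles:
        raise ValidationError("User %s has no access to project %s" % (user_id, project_id))
    return roles


def populate_roles_federation_aware(token_data):
    """Federation-aware path: reuse the roles the mapping stored with the token for
    federated users; fall back to the assignment lookup for regular users."""
    token = token_data["token"]
    if is_federated(token_data):
        roles = [r["name"] for r in token.get("roles", [])]
    else:
        roles = list_assignment_roles(token["user"]["id"], token["project"]["id"])
    if not roles:
        raise ValidationError("User %s has no access to project %s"
                              % (token["user"]["id"], token["project"]["id"]))
    return roles


def try_validate(token_data, populate_roles):
    """Return the rebuilt role names, or None when validation fails."""
    try:
        return populate_roles(token_data)
    except ValidationError:
        return None


if __name__ == "__main__":
    for label, data in (("federated", FEDERATED_TOKEN_DATA), ("local", LOCAL_TOKEN_DATA)):
        print(label, "regular-only:", try_validate(data, populate_roles_regular_only))
        print(label, "federation-aware:", try_validate(data, populate_roles_federation_aware))
```

Run stand-alone, the federated token fails under the regular-only path and succeeds under the federation-aware one, while the local token validates under both. The same distinction is what a defender should look for in the log: a `has no access to project` debug line for a user id that only exists in a federated mapping, followed by `Unable to validate token`, points at this rebuild path rather than at a genuine missing assignment.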


Steps to reproduce:

1. Follow the Keystone docs to set up WebSSO and use the UUID token provider.
2. Log in from Horizon.
3. After successfully logging in, you'll see all kinds of "Unable to retrieve ..." messages from
Horizon. Basically, Horizon is unable to use the federated token to retrieve the user's resources (i.e. compute, network, etc.)

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1758460

Title:
  UUID (or any persistent) token providers unable to validate federation
  token

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1758460/+subscriptions

