
yahoo-eng-team team mailing list archive

[Bug 1758460] Re: UUID (or any persistent) token providers unable to validate federation token


Marking this as invalid since there isn't anything we can do in master
short of reverting the removal of UUID, issuing a fix, backporting it, then
removing the UUID token provider again. We also can't issue a fix directly
to stable branches according to stable policy.

I think the work-around is the best option given the fact a fix would
only be used for a short period of time before needing to switch anyway
since Rocky won't include UUID tokens regardless.

** Changed in: keystone
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1758460

Title:
  UUID (or any persistent) token providers unable to validate federation
  token

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  With the UUID token provider and WebSSO enabled, a token obtained via
  WebSSO will not be able to validate in Keystone. In the Keystone log,
  you'll see something similar to this.

  46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
  46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
  46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, u'is_domain': None, 'user_id': u'7e93953eda38423f919d83da2544c683', 'expires': datetime.datetime(2018, 3, 24, 0, 24, 8), u'token_data': {u'token': {u'is_domain': False, u'service_providers': [{u'sp_url': u'https://mytest:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'https://mytest:5000/v3', u'id': u'ks-sp-server'}], u'methods': [u'token', u'saml2'], u'roles': [{u'domain_id': None, u'id': u'9fe2ff9ee4384b1894a90878d3e92bab', u'name': u'_member_'}], u'is_admin_project': False, u'project': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'},
  ...

  
  Looking at the code, it appears we never rebuild federated token roles for UUID (persistence) tokens.

  https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L610

  We only do that for Fernet (non-persistence) tokens.

  https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L635

  Consequently, when we try to glue the token data together, the roles
  are being rebuilt as if the token is a regular token, which results in
  role assignment not found.

  https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L649
  https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L418
  https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L344

  
  Steps to reproduce:

  1. Follow the Keystone Doc to set up WebSSO and use the UUID token provider.
  2. Log in from Horizon.
  3. After successfully logging in, you'll see all kinds of "Unable to retrieve ..." messages from
  Horizon. Basically, Horizon is unable to use the federated token to retrieve the user's resources (i.e. compute, network, etc.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1758460/+subscriptions
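As an added triage aid (not part of the bug report or of keystone), the following script correlates the two log signatures quoted in the description: a `_populate_roles ... has no access to project` debug line followed by a `Could not find token` warning for the same user whose token was issued with a federated auth method. The sample log lines are trimmed copies of the ones in the report, embedded here as constructed input, and the set of federated method names is an assumption.

```python
import re

# Constructed sample: trimmed copies of the three keystone log lines quoted above.
SAMPLE_LOG = """\
46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, 'user_id': u'7e93953eda38423f919d83da2544c683', u'token_data': {u'token': {u'methods': [u'token', u'saml2'], u'roles': [{u'name': u'_member_'}]}}}
"""

# Assumed list of auth method names that indicate a federated token.
FEDERATED_METHODS = {"saml2", "mapped", "openid"}

NO_ACCESS = re.compile(r"_populate_roles User (\w+) has no access to project (\w+)")
NOT_FOUND = re.compile(r"Could not find token: (.*)$")
USER_ID = re.compile(r"'user_id': u?'(\w+)'")
METHODS = re.compile(r"u?'methods': \[([^\]]*)\]")


def parse_methods(raw: str) -> set:
    """Turn the repr-style list body "u'token', u'saml2'" into a set of names."""
    return set(re.findall(r"u?'([^']+)'", raw))


def find_federated_validation_failures(log_text: str) -> list:
    """Return one finding per user whose local role lookup failed and whose
    rejected token carried a federated auth method, i.e. the pattern the
    bug report describes for persistent (UUID) tokens."""
    denied = {}  # user_id -> project_id from the _populate_roles debug line
    findings = []
    for line in log_text.splitlines():
        m = NO_ACCESS.search(line)
        if m:
            denied[m.group(1)] = m.group(2)
            continue
        m = NOT_FOUND.search(line)
        if not m:
            continue
        payload = m.group(1)
        uid = USER_ID.search(payload)
        meth = METHODS.search(payload)
        if not uid or not meth or uid.group(1) not in denied:
            continue
        methods = parse_methods(meth.group(1))
        if methods & FEDERATED_METHODS:
            findings.append({
                "user_id": uid.group(1),
                "project_id": denied[uid.group(1)],
                "methods": sorted(methods),
            })
    return findings
```

Run it over a keystone log captured while reproducing the steps above; a non-empty result means federated tokens are failing local role rebuild rather than, say, a genuinely missing assignment.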
