yahoo-eng-team team mailing list archive

[Bug 1789450] [NEW] Groups mapped to projects that do not exist in OpenStack breaks WebSSO

 

Public bug reported:

I have come across an issue when using webSSO/Federation.

We are using Keycloak as an SP, in which our users exist. These users
have multiple groups, some of which are OpenStack-specific and some of
which are not.

These users and groups are being mapped as ephemeral users, and I'm using
groups to match to projects.

The issue occurs if a user has a group that does not map to a project in
OpenStack, at which point an exception is raised and the WebSSO login
blows up with a 500 message.

The offending line is line 347 in keystone/federation/utils.py

A quick fix would be to remove the exception from being raised, and just
log to file.

Or filter the projects based on the groups passed in.

** Affects: keystone
     Importance: Undecided
         Status: New

** Summary changed:

- Groups that do not exist in the backend break webSSO
+ Groups mapped to projects that do not exist in OpenStack breaks WebSSO

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1789450

Title:
  Groups mapped to projects that do not exist in OpenStack breaks WebSSO

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1789450/+subscriptions
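
The two behaviours discussed in this report, as an added example that is not keystone's code and not part of the original message: a strict resolver that aborts the login when an asserted group has no local match, next to one that logs and filters such groups. `resolve_groups`, `UnknownGroupError` and the sample group data are hypothetical, and rejecting a login that resolves to no group at all is an assumption of this sketch.

```python
import logging

LOG = logging.getLogger("federation_example")


class UnknownGroupError(Exception):
    """Raised when asserted groups cannot be resolved locally."""


def resolve_groups(asserted, known_groups, strict=True):
    """Map group names from an IdP assertion to local group IDs.

    asserted     -- group names taken from the federated assertion
    known_groups -- dict of local group name -> group ID (hypothetical backend)
    strict       -- True: any unknown group aborts the login (the behaviour
                    the report describes); False: unknown groups are logged
                    and dropped (the change the report proposes)
    """
    resolved, unknown = [], []
    for name in asserted:
        group_id = known_groups.get(name)
        if group_id is None:
            unknown.append(name)
        elif group_id not in resolved:
            resolved.append(group_id)

    if unknown and strict:
        raise UnknownGroupError("no local group for: %s" % ", ".join(unknown))
    if unknown:
        # Keep an audit trail; %r escapes control characters in IdP-supplied names.
        LOG.warning("ignoring unmapped federated groups: %r", unknown)
    if not resolved:
        # Assumption of this sketch: fail closed, so a user with no usable
        # group is rejected instead of receiving an empty authorization.
        raise UnknownGroupError("assertion carried no locally known group")
    return resolved


# Constructed sample data: one OpenStack group, one unrelated IdP group.
KNOWN = {"openstack-dev": "g-101", "openstack-ops": "g-102"}
ASSERTED = ["openstack-dev", "wiki-editors"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(resolve_groups(ASSERTED, KNOWN, strict=False))  # ['g-101']
```

In the lenient mode the warning log is the only trace that the IdP sent groups the backend does not know, so it is worth alerting on if the list of ignored names changes unexpectedly.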

