yahoo-eng-team team mailing list archive

[Bug 1789450] Re: Groups mapped to projects that do not exist in OpenStack breaks WebSSO

 

Reviewed:  https://review.openstack.org/597992
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee46f735359cb5381024a7dfa3f2b297badc6247
Submitter: Zuul
Branch:    master

commit ee46f735359cb5381024a7dfa3f2b297badc6247
Author: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
Date:   Thu Aug 30 11:14:32 2018 +0530

    Mapped Groups don't exist breaks WebSSO
    
    The issue occurs if a user has a group that
    does not map to a project in OpenStack. At
    which point an exception is raised and the
    websso login blows up with a 500 message.
    This is because of the exception being raised
    when the group name does not match, thus replacing
    that with a log.
    
    Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
    Closes-Bug: #1789450


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1789450

Title:
  Groups mapped to projects that do not exist in OpenStack breaks WebSSO

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I have come across an issue when using webSSO/Federation.

  We are using Keycloak as an SP, in which our users exist. These users
  have multiple groups, some of which are OpenStack-specific and some
  which are not.

  These users and groups are being mapped as ephemeral users, and I'm
  using groups to match to projects.

  The issue occurs if a user has a group that does not map to a project
  in OpenStack, at which point an exception is raised and the websso
  login blows up with a 500 message.

  The offending line is line 347 in keystone/federation/utils.py

  A quick fix would be to remove the exception from being raised, and
  just log to file.

  Or filter the projects based on the groups passed in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1789450/+subscriptions
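
The failure mode and the fix described in this report, as an added example that is not keystone's code: a strict resolver aborts on the first mapped group with no local match, while the lenient one logs and skips it. The group table, function names, exception class and sample assertion are all constructed for illustration.

```python
import logging

LOG = logging.getLogger("federation_group_example")

class GroupNotFound(Exception):
    """The constructed backend has no group with this domain and name."""

# Constructed sample data: groups that exist locally, keyed by (domain, name).
LOCAL_GROUPS = {
    ("Default", "openstack-dev"): "grp-001",
    ("Default", "openstack-ops"): "grp-002",
}

def lookup_group(domain, name):
    try:
        return LOCAL_GROUPS[(domain, name)]
    except KeyError:
        raise GroupNotFound(f"{domain}/{name}") from None

def resolve_strict(mapped_groups):
    """Behaviour the report describes: one unknown group aborts the login."""
    return [lookup_group(g["domain"], g["name"]) for g in mapped_groups]

def resolve_lenient(mapped_groups):
    """Behaviour after the fix: unknown groups are logged and skipped."""
    resolved, skipped = [], []
    for g in mapped_groups:
        try:
            resolved.append(lookup_group(g["domain"], g["name"]))
        except GroupNotFound:
            # %r escapes control characters: the name comes from the IdP
            # assertion and must not be able to forge extra log lines.
            LOG.warning("mapped group %r in domain %r not found, skipping",
                        g["name"], g["domain"])
            skipped.append(g["name"])
    # Skipping only removes memberships. An empty result means the user
    # gets no group-derived role assignments, not a default grant.
    return resolved, skipped

# Constructed assertion: one OpenStack group, one unrelated Keycloak group.
SAMPLE = [
    {"domain": "Default", "name": "openstack-dev"},
    {"domain": "Default", "name": "hr-staff"},
]

if __name__ == "__main__":
    print(resolve_lenient(SAMPLE))
```
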

