yahoo-eng-team team mailing list archive
Message #76602
[Bug 1811605] [NEW] Tokenless authentication is broken
Public bug reported:
When trying to use tokenless authentication, authentication fails with
the following traceback:
http://paste.openstack.org/show/742271/
git bisect shows this is the commit that introduced the bug:
0dc5c4edabd5cb0455ffe1c4f8cf8369f64b2197
Steps to reproduce:
(Can start out with configuring devstack with the tls-proxy service to have devstack generate a root CA, but then you need to remove the default proxy configuration in /etc/apache2/sites-available/http-services-tls-proxy.conf it generates)
Configure keystone behind Apache with mod_ssl and the following mod_ssl
options:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /opt/stack/data/devstack-cert.pem
SSLCACertificateFile /opt/stack/data/CA/root-ca/cacert.pem
SSLOptions +StdEnvVars
SSLVerifyClient optional
SSLUserName SSL_CLIENT_S_DN_CN
SetEnv REMOTE_DOMAIN openstack
</VirtualHost>
In keystone.conf set up external authentication and tokenless auth:
[tokenless_auth]
trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack
[auth]
methods = password,token,external
external = Domain
Create a client certificate with the example user values from the
tokenless auth docs, signed by the root CA:
$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
$ openssl x509 -req -in CSR.csr -CA /opt/stack/data/CA/root-ca/cacert.pem -CAkey /opt/stack/data/CA/root-ca/private/cacert.key -days 365 -out john.pem -CAcreateserial
Create the IdP, mapping and protocol:
$ openstack identity provider create ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663
$ openstack mapping create x509map --rules rules.json
$ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663
Create a local user with role assignments:
$ openstack domain create openstack
$ openstack user create john --domain openstack
$ openstack role add --user john --user-domain openstack --project demo member
Get a token for the user:
$ curl -v -k -s -X POST --cert john.pem --key privateKey.key -H "x-project-name: demo" -H "x-project-domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -d '{"auth": {"identity": { "methods": [ "external" ], "external": { "user": { "name": "john", "domain": { "name": "openstack" } } } } } }' -H 'content-type: application/json'
Try to validate the token with tokenless auth (as in the documented
example):
$ curl -v -k -s -X GET --cert /home/devuser/john.pem --key /home/devuser/privateKey.key -H "x-project-name: demo" -H "x-project-domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -H "x-subject-token: <token>"
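The Apache, keystone.conf and mapping pieces in the steps above fit together in the tokenless path roughly as the Python below models it. This is an added illustration, not keystone's code and not part of the bug report: it shows the checks that path has to make on the mod_ssl variables (the certificate actually verified, since SSLVerifyClient optional still forwards requests with no cert; the issuer present in trusted_issuer; a mapping rule turning the subject CN into a local user). The environ values and the stand-in for rules.json are constructed, and deriving the IdP id as the SHA-256 hex digest of the issuer DN is taken from keystone's tokenless docs, not verified here against the hash in the report.

```python
import hashlib

# Constructed model of keystone's tokenless X.509 path (not keystone's own code).
# Values mirror the bug report: trusted_issuer from keystone.conf and the mod_ssl
# variables Apache exports with SSLOptions +StdEnvVars.
TRUSTED_ISSUERS = ["CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack"]

# Constructed stand-in for the report's rules.json (its contents are not shown):
# the subject CN becomes the local user name, REMOTE_DOMAIN (SetEnv in Apache) the domain.
MAPPING_RULES = [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}, "type": "local"}}],
    "remote": [{"type": "SSL_CLIENT_S_DN_CN"}, {"type": "REMOTE_DOMAIN"}],
}]

# Constructed environ for a request carrying john.pem, verified against the root CA.
VERIFIED_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": TRUSTED_ISSUERS[0],
    "SSL_CLIENT_S_DN_CN": "john",
    "REMOTE_DOMAIN": "openstack",
}
# Same vhost, no client certificate: SSLVerifyClient optional still forwards the request.
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE", "REMOTE_DOMAIN": "openstack"}


def idp_id_for_issuer(issuer_dn):
    """IdP id for a trusted issuer: SHA-256 hex digest of its DN, as the tokenless docs describe."""
    return hashlib.sha256(issuer_dn.encode("utf-8")).hexdigest()


def tokenless_identity(environ, trusted_issuers=TRUSTED_ISSUERS, rules=MAPPING_RULES):
    """Return (user_name, domain_name, idp_id) for a tokenless request, else raise ValueError.
    The verify check comes first: without it a request that presented no certificate would
    reach the mapping with empty SSL_CLIENT_* attributes."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ValueError("client certificate missing or not verified")
    issuer = environ.get("SSL_CLIENT_I_DN")
    if issuer not in trusted_issuers:
        raise ValueError("issuer not in trusted_issuer: %r" % issuer)
    for rule in rules:
        try:  # every remote attribute the rule names must be present
            values = [environ[r["type"]] for r in rule["remote"]]
        except KeyError:
            continue
        user = rule["local"][0]["user"]
        return (user["name"].format(*values),
                user["domain"]["name"].format(*values),
                idp_id_for_issuer(issuer))
    raise ValueError("no mapping rule matched the certificate attributes")
```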
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1811605
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1811605/+subscriptions